Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2750898pxb; Mon, 19 Apr 2021 12:59:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxW0PMMuyTxkJuGoMlTSA2Rm0Cy46SQhySHY+CgVzCQ+eU5NDxAlovObWpDXi6Ao+xin48s X-Received: by 2002:aa7:c950:: with SMTP id h16mr27731692edt.381.1618862385472; Mon, 19 Apr 2021 12:59:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618862385; cv=none; d=google.com; s=arc-20160816; b=K0ejXfXxqA5XlwLMufbWc5QbyJfBkQIUSZZ09WpX0TCBomQhtESVWUeK1lez6zpdYU qLXhH+pUFznbNIsxRilcBGlg5ttdIC95RWnq93upCia22/KY+Tn4lQLm4/zikp9pS4/D Nd0h/KDD1Xq395/xExHvmaBO3HRh9eK2WYTBbZF/0RuGDsqAfBE3gaMgxtDYnYF9iysm 54zF96CpbfAte0WwWD4WAQl1mOiPGqP6A6veLCEE+Hp0+3glq3ifRKJm0WV8UTOBN0eE 5xVLRYiGxAf+3aHpipRfLCyyrhBE2MDHFW8sz8oysyKJGn5SOMXO7fLv/9S4k95nhQU0 2J4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=1zP1HioYKuMPtcQBEl47Jt52y+JDzjEtaq2ESw7/q+8=; b=Y9biGhnqkfNp11E243J53U94xRXjkU9QxO5rvZihBS+vcdg4vsPtShwx7q74TLAmNT g1OU8BpTT3m31q4mCsIYieYdJgGgJ4m6gspgQqOzR6wnsyRoEBmsatCfKyazcri16MO6 pnkK9XB2rApTuLpug1kHiXbEYrAK7xXjGRZVzfRXTN6NTEkk9OPK9XJktKrzpTB5fCHD 6951rjteL/rw9QblF7Oua10/YKcbWFq2dGwMOcHATAlCWFsVystP7eWOMmqBOXuwK8zG DLxW/DvgbUuct2AnONFXaaPrzoBtEbfZ5RF62o9ED+WAWRq9K1+ZQxHptsQmZDcXAGrg Wvhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YVA8t4a8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q8si13443413ejy.320.2021.04.19.12.59.22; Mon, 19 Apr 2021 12:59:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YVA8t4a8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233163AbhDSQPI (ORCPT + 99 others); Mon, 19 Apr 2021 12:15:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:42286 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232354AbhDSQPF (ORCPT ); Mon, 19 Apr 2021 12:15:05 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AD7A961246; Mon, 19 Apr 2021 16:14:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1618848875; bh=R0qX6zD3L/dyw/+Tco9R7q/X8chtUMBh6V7YBfFk1YU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=YVA8t4a8+NhaysC7U3saV/2YYntmCJHB/9EI5YybvNWL8L74H3+8c953dFlPf0vx9 03IO175VuvVTG18bG4dnqLziIagpLllJl6wjWGXEMfLWtgKAlnxaNZUTgYItSNTm8L 8javIOMGkTo/b94z1IWii1GSxKo9ZNUi07ZHCdaGO7XcfWNKu6JRKGDl2up7P1YQY0 ma8nAqLcJgAdFqkaS7ZLU95N22JVWq0CHBLNbcqKPrLbPa7n+nfh0/8cCnx8vTR68Q /g7Sws7RYLW3xYqlwAOtt54vuo4vqTM6Vb7whEyqPoCRzkG0gCupzF7bFxsscjXXff jb5etUY+VMcFQ== Date: Mon, 19 Apr 2021 17:14:29 +0100 From: Will Deacon To: Rob Herring Cc: Mark Rutland , Catalin Marinas , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Jiri Olsa , Ian Rogers , Alexander Shishkin , Honnappa Nagarahalli , Zachary.Leaf@arm.com, Raphael Gault , Jonathan Cameron , Namhyung Kim , Itaru Kitayama , linux-arm-kernel , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH v6 02/10] arm64: perf: Enable PMU counter direct access for perf event Message-ID: <20210419161429.GA30998@willie-the-truck> References: <20210311000837.3630499-1-robh@kernel.org> <20210311000837.3630499-3-robh@kernel.org> <20210330153125.GC6567@willie-the-truck> <20210331160059.GD7815@willie-the-truck> <20210407124437.GA15622@willie-the-truck> <20210408110800.GA32792@C02TD0UTHF1T.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 08, 2021 at 01:38:17PM -0500, Rob Herring wrote: > On Thu, Apr 8, 2021 at 6:08 AM Mark Rutland wrote: > > On Wed, Apr 07, 2021 at 01:44:37PM +0100, Will Deacon wrote: > > > On Thu, Apr 01, 2021 at 02:45:21PM -0500, Rob Herring wrote: > > > > On Wed, Mar 31, 2021 at 11:01 AM Will Deacon wrote: > > > I guess I'm just worried about exposing the counters to userspace after > > > the PMU driver (or perf core?) thinks that they're no longer exposed in > > > case we leak other events. > > > > IMO that's not practically different from the single-PMU case (i.e. > > multi-PMU isn't material, either we have a concern with leaking or we > > don't); more on that below. Well, maybe. It looks the single-PMU case is exposed to the same issue, but I think a solution needs to take into account the multi-PMU situation. > > While it looks odd to place this on the mm, I don't think it's the end > > of the world. > > > > > However, I'm not sure how this is supposed to work normally: what > > > happens if e.g. a privileged user has a per-cpu counter for a kernel > > > event while a task has a counter with direct access -- can that task > > > read the kernel event out of the PMU registers from userspace? > > > > Yes -- userspace could go read any counters even though it isn't > > supposed to, and could potentially infer information from those. It > > won't have access to the config registers or kernel data structures, so > > it isn't guaranteed to know what the even is or when it is > > context-switched/reprogrammed/etc. > > > > If we believe that's a problem, then it's difficult to do anything > > robust other than denying userspace access entirely, since disabling > > userspace access while in use would surprise applications, and denying > > privileged events would need some global state that we consult at event > > creation time (in addition to being an inversion of privilege). > > > > IIRC there was some fuss about this a while back on x86; I'll go dig and > > see what I can find, unless Peter has a memory... > > Maybe this one[1]. > > Rob > > [1] https://lore.kernel.org/lkml/20200730123815.18518-1-kan.liang@linux.intel.com/ Going through the archives and talking to Peter, it looks like this is still an active area of concern: - There are patches to clear "dirty" counters on context-switch. They were queued for 5.13 but broke -tip on Friday: https://lore.kernel.org/lkml/YHm%2FM4za2LpRYePw@hirez.programming.kicks-ass.net/ - Per-cpu events cannot be protected in software: https://lore.kernel.org/lkml/CALCETrVVPzUd_hQ8xoomHn_wWRQJUvROeCt2do4_D4ROZoAVMg@mail.gmail.com/ so without hardware support, we need a way to disable user access for people that care about this leakage x86 has an "rdpmc" file exposed for the PMU device in sysfs which allows access to be disabled. I don't think these patches add such a thing, and that's where the fun with multi-PMU machines would come into play. Will