Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp1353333rwl; Thu, 5 Jan 2023 12:17:23 -0800 (PST) X-Google-Smtp-Source: AMrXdXtDre5cw37+jAiROTs1mZ8JEeIuzVgeebyAz63jTKWmjlqF+bSBlLPEMNYyz+QClR8iIaPu X-Received: by 2002:a17:906:684b:b0:7c1:2fc2:6740 with SMTP id a11-20020a170906684b00b007c12fc26740mr45575927ejs.46.1672949843685; Thu, 05 Jan 2023 12:17:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672949843; cv=none; d=google.com; s=arc-20160816; b=d81A/p8e+Ygy+CsVNG7Uu337HP1io1uaM69frhDNTSThogwvJ8anyFL/0DokQcJPmk yj23kS7YnnzPwBnNwa6XSdMA4UwX5QrCKShIR0P2Xjeav1/ZvKuMRXuhUtX0TZUlY+mx 4DH17CYsrB70fA7w+4p0wsT5VnwJJfeQ0mOon4k0/rxyznkBusmA5IxwCQ5/QxI7JxxI qCtQ9sxxVmpyujP+3UO1DlgYd57Zp8l5BeXkpxfQVJbIKSrDT5JbzZDNKLkJlQbY6i6p o6OmD1U1MFTyD40orq2BR5MW+TyHTmVmAAxe7DJT1aa7q4ZKF4KHoAMWox+/cPZwSCQ7 WSTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:mime-version:dkim-signature; bh=G6MY7nruquscISG2PiN5KCqnGZMtc/2v+wrwlGfSPyg=; b=brXh/Cu4I60IuACB3NYG63cxv9IxMVmKKI2PLR6R2fqlE0/chI+owYVK6TZWvlbNew QUaDNMs0Qo22eJw3UPA8QLT7npgRamUNIhwjyrdunMV2pOQLQ6H1Nn2OUjyn0QR4IBdp 9YPDdQsmm5D8JHAbi9Skg7HETtFMQWxIMxFJdqDB3ShKBG3uEsVXzS/XLzze+iuCHRU2 nEGQWn4epmL1x2JED92/WNr9mOsoZic5aDGTtga7Rzao53PMl2cdV6FHpvNTInqPKsI9 WRIRt6V18E45AExx7n1Ginzs+5tPqytI16oNJQ9526CAi+QrdGiNhXIgCZHguAFBMpRG WPtw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@atishpatra.org header.s=google header.b=tM+6O86w; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id uj42-20020a170907c9aa00b0084c3ce2f3dasi23073688ejc.738.2023.01.05.12.17.10; Thu, 05 Jan 2023 12:17:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@atishpatra.org header.s=google header.b=tM+6O86w; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235513AbjAET7m (ORCPT + 55 others); Thu, 5 Jan 2023 14:59:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235645AbjAET7h (ORCPT ); Thu, 5 Jan 2023 14:59:37 -0500 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7828F637A for ; Thu, 5 Jan 2023 11:59:36 -0800 (PST) Received: by mail-pj1-x1032.google.com with SMTP id w4-20020a17090ac98400b002186f5d7a4cso3105707pjt.0 for ; Thu, 05 Jan 2023 11:59:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=atishpatra.org; s=google; h=content-transfer-encoding:cc:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=G6MY7nruquscISG2PiN5KCqnGZMtc/2v+wrwlGfSPyg=; b=tM+6O86wCUABwOfRrnO10ks8jWIko+HiIU9L21smJibwScoqZGC6l9zhdG+9Q44WKD WQNSkucPngW4fkcR+C0rfo0p61eoEvJr3OC7i3RwVno5gXeWHWcPm6esol0/J4BHZtHM PqOSwfutM8YZsoqyKECRRBImJ805NqW1GsIz8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=G6MY7nruquscISG2PiN5KCqnGZMtc/2v+wrwlGfSPyg=; b=vu5ziSNOlgUYMgrfLsy1Td2DAWgRPY0ZcCs4PrnnCgd0iNfFjavMrNquffd2d9o3Yl FyQxwS5VRjncFWeKQzPzdIbET0lzYjSWUL/BHHvhy0ct4+M4HppO/rxaXDKa3ssEOArN /VWGfEdpsD3cbPy63Z7C6k6SSdSnSXbHv79ea9l1V8uIYgCi56h9BwOFpAnj5gtrZ/W1 RHZVIKAzGoNaz/18wA1zWt9IWBVvh/APJv3rBbFFDLOiBx7H1SgjhSzAGUyUMXTfZZio QyU6+sy7qwJysJZDVROg6/EGFroQ1F2eKLfvBmcw3nyO1JIOt9gZddgQFBhe34qudsKm cqAQ== X-Gm-Message-State: AFqh2kqas+3nS9jaxyo32wgTOWbhzTpTifCTgvuWwmg27E1nj6fHc//o zKnaKVDGTARpkU4mu9ZcFvh4279/9HtDmCKD9k5J X-Received: by 2002:a17:90a:bd0e:b0:225:cd98:1651 with SMTP id y14-20020a17090abd0e00b00225cd981651mr3768100pjr.93.1672948776000; Thu, 05 Jan 2023 11:59:36 -0800 (PST) MIME-Version: 1.0 From: Atish Patra Date: Thu, 5 Jan 2023 11:59:24 -0800 Message-ID: Subject: Expected rdpmc behavior during context swtich and a RISC-V conundrum To: linux-perf-users@vger.kernel.org Cc: "linux-kernel@vger.kernel.org List" , Peter Zijlstra , Mark Rutland , Arnaldo Carvalho de Melo , Alexander Shishkin , Will Deacon , Stephane Eranian , Andi Kleen , Palmer Dabbelt , Beeman Strong , Atish Patra , Kan Liang , Anup Patel Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi All, There was a recent uabi update[1] for RISC-V that allows the users to read cycle and instruction count without any checks. We tried to restrict that behavior to address security concerns earlier but it resulted in breakage for some user space applications[2]. Thus, previous behavior was restored where a user on RISC-V platforms can directly read cycle or instruction count[3]. Comparison with other ISAs w.r.t user space access of counters: ARM64 -- Enabled/Disabled via (/proc/sys/kernel/perf_user_access) -- Only for task bound events configured via perf. X86 --- rdpmc instruction --- Enable/Disable via =E2=80=9C/sys/devices/cpu/rdpmc=E2=80=9D -- Before v4.0 -- any process (even without active perf event) rdpmc After v4.0 -- Default behavior changed to support only active events in a process=E2=80=99s context. -- Configured through perf similar to ARM64 -- Continue to maintain backward compatibility for unrestricted access by writing 2 to =E2=80=9C/sys/devices/cpu/rdpmc=E2=80=9D IMO, RISC-V should only enable user space access through perf similar to ARM64 and x86 (post v4.0). However, we do have to support the legacy behavior to avoid application breakage. As per my understanding a direct user space access can lead to the following problems: 1) There is no context switch support, so counts from other contexts are ex= posed 2) If a perf user is allocated one of these counters, the counter value will be written Looking at the x86 code as it continues to allow the above behavior, rdpmc_always_available_key is enabled in the above case. However, during the context switch (cr4_update_pce_mm) only dirty counters are cleared. It only prevents leakage from perf task to rdpmc task. How does the context switch of counters work for users who enable unrestricted access by writing 2 to =E2=80=9C/sys/devices/cpu/rdpmc=E2=80= =9D ? Otherwise, rdpmc users likely get noise from other applications. Is that expected ? This can be a security concern also where a rogue rdpmc user application can monitor other critical applications to initiate side channel attack. Am I missing something? Please correct my understanding of the x86 implementation if it is wrong. [1] https://lore.kernel.org/lkml/20221201135110.3855965-1-conor.dooley@micr= ochip.com/ [2] https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/REWcwYnzsKE?pli= =3D1 [3] https://lore.kernel.org/all/YxIzgYP3MujXdqwj@aurel32.net/T/ --=20 Regards, Atish