Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp6730472rwl; Mon, 9 Jan 2023 12:14:00 -0800 (PST) X-Google-Smtp-Source: AMrXdXtD4YjrRQazKqD6/0h40y8TXY+3Vz4kT4/zr+7HLI0cmIA6nvz3Sus7GNBg/GarlPCsaRCw X-Received: by 2002:a05:6a21:999d:b0:9e:9685:f15e with SMTP id ve29-20020a056a21999d00b0009e9685f15emr99800664pzb.0.1673295239901; Mon, 09 Jan 2023 12:13:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673295239; cv=none; d=google.com; s=arc-20160816; b=LQbO8Bg2iz/JjSeTzTJxn0ml1JtgA+aw7ntqhH9M/ReWlfMc23iMmK3MMES+P7eidO B/nua3s44Mhx2j6VVBNCHIbxhYi8TZMB/POXIi4ddqLMXr0E76eMN8o+KNqS2AHvv7qY ri6Fbru88XTs+OTDabmhM1aO567koec6v+/1rlMHJDdcF3EAhwdnrqWxwYyVkVUpYTO6 AkpbyzXhST4TtK73z0+sReCp+5Y4m0keoVrdrg975Xfixk+TOxBwbjdSj6uG5CdI6AEj tBqUbYZ05Y/VBGpm6X8EWo5sfFtLEatJu97RDHx4foKjjhcmKwSEXwCyPiKIluEHBCFW ETKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ZJW757By3pyCr9WhEaqzFQ75DPB5RWkfBLPhZzSAskQ=; b=Ks29rIudjSRpGEL2p+y/5kEGkSdi53s5o+/LmoZKpJxwZCoFX2XMSFblsF2KKzDVG6 b0u4DnjQYbXgYgKGBluB6dD9YhZhMFx3tmsWRjLs+6toLQpLybu/3wNk+vMPlt7c4Pu6 5SfKgXnhE38olTQ7K81jZgl85pEube04DfTkHsLq6d59G/x/eaEuIo48gqfcMxj+CM1x B2jxdTtEo8Hh9k0OfpkdMw8DHLo33F/tviSQ0/jJ/BX1E3AO1hCnL362e8SEUpe9NUAv /NenO30eeUrcCx0SQzDnKzQJTmawxWEh6ykRqK6nZyhY/0acY2Py1hK2JA8dpQti8VZ3 bwmA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@atishpatra.org header.s=google header.b="Uzz5Ku/P"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u11-20020a170902e80b00b00188e877e8ddsi10737071plg.139.2023.01.09.12.13.53; Mon, 09 Jan 2023 12:13:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@atishpatra.org header.s=google header.b="Uzz5Ku/P"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237526AbjAITia (ORCPT + 53 others); Mon, 9 Jan 2023 14:38:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42802 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237557AbjAITi3 (ORCPT ); Mon, 9 Jan 2023 14:38:29 -0500 Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F055F777C6 for ; Mon, 9 Jan 2023 11:38:27 -0800 (PST) Received: by mail-pf1-x42a.google.com with SMTP id i65so3517901pfc.0 for ; Mon, 09 Jan 2023 11:38:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=atishpatra.org; s=google; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ZJW757By3pyCr9WhEaqzFQ75DPB5RWkfBLPhZzSAskQ=; b=Uzz5Ku/PJw99Ny3hIDeY6FZm1/UfFL1eLjF+feC+LJbGzXwu7Ic3hBpQLmwcKmNHNc PV06/xC6Kba44i8gHfqWiQL8EwH5BcT64CTXA1inY9LeqGWx6PhjHZbCVPa/RAndDvNJ LNlegHSRZCYgM+v8GJdJfS4jWPYwj2fkm9KAU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZJW757By3pyCr9WhEaqzFQ75DPB5RWkfBLPhZzSAskQ=; b=yS1uZWLviykH1hqOojq9ZTxjlOMyW6RklfwXkLJSaKHBTGgyCYbkpZad7KGk0b/SS/ Djrv+wQ1Ke/PtN7x0UO5f5NGVc80wlZn/YWhSJ/7HGyY8zh08NX7ziN5/7xvplM17QtX AIWe25ixu0SyyMGErSnZVqq/HsjLaZPCghGZrls8O/YuBBOVDjbxdVW/MgBN4KFWnmWZ FuuJB8O5Qvv+SNE9PEk+DH5RwRReAaEVRtZvRPYOYn10/s1lL5qTtPx/K7Ca02bbtysi 5zZvY16rpTVewJsk+QxH2VCxoAFCv/IQ3vyPnpzeWZLMQOEss2mmXDqcv7RqmIg33+xC kJYg== X-Gm-Message-State: AFqh2kpNJG8ZYPu1RItbrhr3rbK6uEAy5+i5OPWva3G9d1vfpxCBhdT4 8K0CsXwQC6cGAwhQ2aZTrVksvQ0TWqzOTEbzL/3hLHm7Bfcocdg= X-Received: by 2002:aa7:9d1b:0:b0:580:a13b:366a with SMTP id k27-20020aa79d1b000000b00580a13b366amr3484931pfp.37.1673293107413; Mon, 09 Jan 2023 11:38:27 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Atish Patra Date: Mon, 9 Jan 2023 11:38:15 -0800 Message-ID: Subject: Re: Expected rdpmc behavior during context swtich and a RISC-V conundrum To: Mark Rutland Cc: linux-perf-users@vger.kernel.org, "linux-kernel@vger.kernel.org List" , Peter Zijlstra , Arnaldo Carvalho de Melo , Alexander Shishkin , Will Deacon , Stephane Eranian , Andi Kleen , Palmer Dabbelt , Beeman Strong , Atish Patra , Kan Liang , Anup Patel Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 9, 2023 at 7:26 AM Mark Rutland wrote: > > On Mon, Jan 09, 2023 at 01:06:45AM -0800, Atish Patra wrote: > > On Fri, Jan 6, 2023 at 4:02 AM Mark Rutland wrot= e: > > > > > > On Thu, Jan 05, 2023 at 11:59:24AM -0800, Atish Patra wrote: > > > > Hi All, > > > > There was a recent uabi update[1] for RISC-V that allows the users = to > > > > read cycle and instruction count without any checks. > > > > We tried to restrict that behavior to address security concerns > > > > earlier but it resulted in breakage for some user space > > > > applications[2]. > > > > Thus, previous behavior was restored where a user on RISC-V platfor= ms > > > > can directly read cycle or instruction count[3]. > > > > > > > > Comparison with other ISAs w.r.t user space access of counters: > > > > ARM64 > > > > -- Enabled/Disabled via (/proc/sys/kernel/perf_user_access) > > > > -- Only for task bound events configured via perf. > > > > > > > > X86 > > > > --- rdpmc instruction > > > > --- Enable/Disable via =E2=80=9C/sys/devices/cpu/rdpmc=E2=80=9D > > > > -- Before v4.0 > > > > -- any process (even without active perf event) rdpmc > > > > After v4.0 > > > > -- Default behavior changed to support only active events in a > > > > process=E2=80=99s context. > > > > -- Configured through perf similar to ARM64 > > > > -- Continue to maintain backward compatibility for unrestricted acc= ess > > > > by writing 2 to =E2=80=9C/sys/devices/cpu/rdpmc=E2=80=9D > > > > > > > > IMO, RISC-V should only enable user space access through perf simil= ar > > > > to ARM64 and x86 (post v4.0). > > > > However, we do have to support the legacy behavior to avoid > > > > application breakage. > > > > As per my understanding a direct user space access can lead to the > > > > following problems: > > > > > > > > 1) There is no context switch support, so counts from other context= s are exposed > > > > 2) If a perf user is allocated one of these counters, the counter > > > > value will be written > > > > > > > > Looking at the x86 code as it continues to allow the above behavior= , > > > > rdpmc_always_available_key is enabled in the above case. However, > > > > during the context switch (cr4_update_pce_mm) > > > > only dirty counters are cleared. It only prevents leakage from perf > > > > task to rdpmc task. > > > > > > > > How does the context switch of counters work for users who enable > > > > unrestricted access by writing 2 to =E2=80=9C/sys/devices/cpu/rdpmc= =E2=80=9D ? > > > > Otherwise, rdpmc users likely get noise from other applications. Is > > > > that expected ? > > > > > > Regardless of leakage, they're also going to get random jumps in the = visible > > > values of the cycle count and instruction count as the task is contex= t-switched > > > (and/or if those values get reset across idle, as can happen on arm64= ), so > > > those aren't going to be useful unless a number of other constraints = apply. > > > > > > > Agreed. > > > > > AFAICT the affected package was actually a library of intrinsics; doe= s this > > > affect a real application, or was this just in tests? If it's the lat= ter there > > > might still be scope to properly lock this down... > > > > > > > Unfortunately, there are real applications In RISC-V started using > > cycle counters due to legacy reasons. > > > > Here is the short list from debian repo pointed out in [1] > > https://codesearch.debian.net/search?q=3D%22rdcycle+%250%22 > > The first of those is GRUB, when running bare metal. > > The second is this library again, which is not a whole application. > > I see that it's used in some benchmarks in real applications, e.g. firefo= x, > chrome. However, as above we know that's *broken* today. > > Is that code actually run? > > > Looking at aarch64 code in one of the application, it seems they rely > > on reading "pmccntr_el0" to read time > > https://sources.debian.org/src/chromium/108.0.5359.124-1/third_party/ff= mpeg/libavutil/aarch64/timer.h/ > > That part is under ifdefs for mac os: > > | #if defined(__APPLE__) > Yes. Sorry I missed that earlier. I checked few other application code which correctly use cntvct_el0 as you pointed out. > ... and it's nonsensical anyway, pmccntr_el0 is *not* a timer, and I don'= t know > if Mac OS would bother to context-switch the value, so it's very likely b= roken > anyhow. > > > AFAIK, any counter access from EL0 is disabled by default in > > reset_pmuserenr_el0 and should be enabled via the > > proc/sys/perf_user_access > > in armv8pmu_enable_user_access. Is that correct ? > > Yes, we *only* enable access for tasks doing self-monitoring via perf. > > No other useage makes sense, since the value is arbitrarily reset, and it= 's not > consistent across CPUs. It *cannot* be used as a timer. > Yes. That's what we were trying to convince the user space application maintainers too. > > I couldn't find any application actually enabling the access using > > perf_user_access. Maybe I am missing something? > > Otherwise, the above application would trap on access to pmccntr_el0. > > As above, that's on Mac OS, not Linux. > Yeah. My bad. Sorry for the noise :) > Thanks, > Mark. > > > > > [1] https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/REWcwYnzsKE= ?pli=3D1 > > > Thanks, > > > Mark. > > > > > > > This can be a security concern also where a rogue rdpmc user > > > > application can monitor other critical applications to initiate sid= e > > > > channel attack. > > > > > > > > Am I missing something? Please correct my understanding of the x86 > > > > implementation if it is wrong. > > > > > > > > [1] https://lore.kernel.org/lkml/20221201135110.3855965-1-conor.doo= ley@microchip.com/ > > > > [2] https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/REWcwYn= zsKE?pli=3D1 > > > > [3] https://lore.kernel.org/all/YxIzgYP3MujXdqwj@aurel32.net/T/ > > > > > > > > -- > > > > Regards, > > > > Atish > > > > > > > > -- > > Regards, > > Atish --=20 Regards, Atish