mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
	Tvrtko Ursulin <tursulin@ursulin.net>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
	Madhavan Srinivasan <maddy@linux.vnet.ibm.com>,
	Andi Kleen <ak@linux.intel.com>,
	Alexey Budankov <alexey.budankov@linux.intel.com>,
	Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>
Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)
Date: Fri, 28 Sep 2018 14:22:07 +0100	[thread overview]
Message-ID: <e89ec139-1a97-803e-343c-76eedf244d65@linux.intel.com> (raw)
In-Reply-To: <alpine.DEB.2.21.1809281151190.2004@nanos.tec.linutronix.de>


Hi,

On 28/09/2018 11:26, Thomas Gleixner wrote:
> Tvrtko,
> 
> On Wed, 19 Sep 2018, Tvrtko Ursulin wrote:
> 
> It would be very helpful if you cc all involved people on the cover letter
> instead of just cc'ing your own pile of email addresses. CC'ed now.

I accept it was by bad to miss adding Cc's on the cover letter, but my 
own email addresses hopefully should not bother you. It is simply a 
question of what I have in .gitconfig vs what I forgot to do manually.

>> For situations where sysadmins might want to allow different level of
>> access control for different PMUs, we start creating per-PMU
>> perf_event_paranoid controls in sysfs.
>>
>> These work in equivalent fashion as the existing perf_event_paranoid
>> sysctl, which now becomes the parent control for each PMU.
>>
>> On PMU registration the global/parent value will be inherited by each PMU,
>> as it will be propagated to all registered PMUs when the sysctl is
>> updated.
>>
>> At any later point individual PMU access controls, located in
>> <sysfs>/device/<pmu-name>/perf_event_paranoid, can be adjusted to achieve
>> fine grained access control.
>>
>> Discussion from previous posting:
>> https://lkml.org/lkml/2018/5/21/156
> 
> This is really not helpful. The cover letter and the change logs should
> contain a summary of that discussion and a proper justification of the
> proposed change. Just saying 'sysadmins might want to allow' is not useful
> at all, it's yet another 'I want a pony' thing.

Okay, for the next round I will expand the cover letter with at least 
one concrete example on how it is usable and summarize the discussion a bit.

> I read through the previous thread and there was a clear request to involve
> security people into this. Especially those who are deeply involved with
> hardware side channels. I don't see anyone Cc'ed on the whole series.

Who would you recommend I add? Because I really don't know..

> For the record, I'm not buying the handwavy 'more noise' argument at
> all. It wants a proper analysis and we need to come up with criteria which
> PMUs can be exposed at all.
> 
> All of this want's a proper documentation clearly explaining the risks and
> scope of these knobs per PMU. Just throwing magic knobs at sysadmins and
> then saying 'its their problem to figure it out' is not acceptable.

Presumably you see adding fine grained control as diminishing the 
overall security rather than raising it? Could you explain why? Because 
incompetent sysadmin will turn it off for some PMU, while without having 
the fine-grained control they wouldn't turn it off globally?

This feature was requested by the exact opposite concern, that in order 
to access the i915 PMU, one has to compromise the security of the entire 
system by allowing access to *all* PMU's.

Making this ability fine-grained sounds like a logical solution for 
solving this weakening of security controls.

Concrete example was that on video transcoding farms users want to 
monitor the utilization of GPU engines (like CPU cores) and they can do 
that via the i915 PMU. But for that to work today they have to dial down 
the global perf_event_paranoid setting. Obvious improvement was to allow 
them to only dial down the i915.perf_event_paranoid setting. As such, 
for this specific use case at least, the security is increased.

Regards,

Tvrtko

  reply	other threads:[~2018-09-28 13:22 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-19 12:27 Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 1/5] perf: Move some access checks later in perf_event_open Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 2/5] perf: Pass pmu pointer to perf_paranoid_* helpers Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 3/5] perf: Allow per PMU access control Tvrtko Ursulin
2018-09-27 20:15   ` Andi Kleen
2018-09-28  8:57     ` Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 4/5] perf Documentation: Document the per PMU perf_event_paranoid interface Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 5/5] tools/perf: Add support for per-PMU access control Tvrtko Ursulin
2018-09-28 10:26 ` [RFC 0/5] perf: Per PMU access controls (paranoid setting) Thomas Gleixner
2018-09-28 13:22   ` Tvrtko Ursulin [this message]
2018-09-28 14:02     ` Thomas Gleixner
2018-09-28 14:56       ` Tvrtko Ursulin
2018-09-28 15:23         ` Thomas Gleixner
2018-09-28 15:45       ` Alexey Budankov
2018-09-28 18:20         ` Thomas Gleixner
2018-09-28 20:45           ` Andi Kleen
2018-09-29  6:19             ` Thomas Gleixner
2018-10-01  6:25           ` Alexey Budankov
2018-09-28 15:12     ` Jann Horn
2018-09-28 22:02       ` Jann Horn
2018-10-01  6:27         ` Alexey Budankov
2018-09-28 16:41   ` Mark Rutland
2018-09-28 17:23     ` Andi Kleen
2018-09-28 17:40       ` Mark Rutland
2018-09-28 20:49         ` Andi Kleen
2018-09-28 20:54           ` Jann Horn
2018-09-28 20:59             ` Andi Kleen
2018-09-28 21:22               ` Jann Horn
2018-09-28 21:27                 ` Andi Kleen
2018-10-01  6:25                   ` Alexey Budankov
2018-10-01 16:11                     ` Thomas Gleixner
2018-10-01 16:15                       ` Jann Horn
2018-10-01 20:51                       ` Alexey Budankov
2018-10-02  6:40                         ` Thomas Gleixner
2018-10-02 11:44                           ` Alexey Budankov
2018-10-03 17:01                         ` Jann Horn
2018-10-04 17:11                           ` Alexey Budankov
2018-09-29  6:30               ` Thomas Gleixner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e89ec139-1a97-803e-343c-76eedf244d65@linux.intel.com \
    --to=tvrtko.ursulin@linux.intel.com \
    --cc=acme@kernel.org \
    --cc=ak@linux.intel.com \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=alexey.budankov@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=jannh@google.com \
    --cc=jolsa@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maddy@linux.vnet.ibm.com \
    --cc=namhyung@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=tursulin@ursulin.net \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome