From: Alexey Budankov <alexey.budankov@linux.intel.com>
To: Jann Horn <jannh@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Mark Rutland <mark.rutland@arm.com>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andi Kleen <ak@linux.intel.com>,
tursulin@ursulin.net, kernel list <linux-kernel@vger.kernel.org>,
tvrtko.ursulin@linux.intel.com,
the arch/x86 maintainers <x86@kernel.org>,
"H . Peter Anvin" <hpa@zytor.com>,
acme@kernel.org, alexander.shishkin@linux.intel.com,
jolsa@redhat.com, namhyung@kernel.org, maddy@linux.vnet.ibm.com
Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)
Date: Thu, 4 Oct 2018 20:11:28 +0300 [thread overview]
Message-ID: <fe49c9b5-88fb-c827-9262-1931bcf80b6c@linux.intel.com> (raw)
In-Reply-To: <CAG48ez3y7Q0DCkVH6PgGncwEKuD-OHLp7pTBNb=S1OXYhte-Nw@mail.gmail.com>
Hi,
On 03.10.2018 20:01, Jann Horn wrote:
> On Mon, Oct 1, 2018 at 10:53 PM Alexey Budankov
> <alexey.budankov@linux.intel.com> wrote:
<SNIP>
>> 3. Every time an event for ${PMU} is created over perf_event_open():
>> a) the calling thread's euid is checked to belong to ${PMU}_users group
>> and if it does then the event's fd is allocated;
>> b) then traditional checks against perf_event_pranoid content are applied;
>> c) if the file doesn't exist the access is governed by global setting
>> at /proc/sys/kernel/perf_even_paranoid;
>
> You'll also have to make sure that this thing in kernel/events/core.c
> doesn't have any bad effect:
>
> /*
> * Special case software events and allow them to be part of
> * any hardware group.
> */
>
> As in, make sure that you can't smuggle in arbitrary software events
> by attaching them to a whitelisted hardware event.
Yes, makes sense. Please see and comment below.
>
<SNIP>
>> Security analysis for uncore IMC, QPI/UPI, PCIe PMUs is still required
>> to be enabled for fine grain control.
>
> And you can't whitelist anything that permits using sampling events
> with arbitrary sample_type.
>
It appears that there is a dependency on the significance of data that PMUs captures
for later analysis. Currently there are following options for data being captured
(please correct or extend if something is missing from the list below):
1) Monitored process details:
- system information on a process as a container (of threads, memory data and
IDs (e.g. open fds) from process specific namespaces and etc.);
- system information on threads as containers (of execution context details);
2) Execution context details:
- memory addresses;
- memory data;
- calculation results;
- calculation state in HW;
3) Monitored process and execution context telemetry data, used for building
various performance metrics and can come from:
- user mode code and OS kernel;
- various parts of HW e.g. core, uncore, peripheral and etc.
Group 2) is the potential leakage source of sensitive process data so if a PMU,
at some mode, samples execution context details then the PMU, working in that mode,
is the subject for *access* and *scope* control.
On the other hand if captured data contain only the monitored process details
and/or associated execution telemetry, there is probably no sensitive data leakage
thru that captured data.
For example, if cpu PMU samples PC addresses overtime, e.g. for providing
hotspots-by-function profile, then this requires to be controlled as from access as
from scope perspective, because PC addresses is execution context details that
can contain sensitive data.
However, if cpu PMU does counting of some metric value, or if software PMU reads
value of thread active time from the OS, possibly overtime, for later building some
rating profile, or reading of some HW counter value without attribution to any
execution context details, that is probably not that risky as in the case of
PC address sampling.
Uncore PMUs e.g. memory controller (IMC), interconnect (QPI/UPI) and peripheral (PCIe)
currently only read counters values that are captured system wide by HW, and provide
no attribution to any specific execution context details, thus, sensitive process data.
Based on that,
A) paranoid knob is required for a PMU if it can capture data from group 2)
B) paranoid knob limits scope of capturing sensitive data:
-3 - *scope* is defined by some high level setting
-2 - disabled - no allowed *scope*
-1 - no restrictions - max *scope*
0 - system wide
1 - process user and kernel space
2 - process user space only
C) paranoid knob has to be checked every time the PMU is going to start
capturing sensitive data to avoid capturing beyond the allowed scope.
PMU *access* semantics is derived from fs ACLs and could look like this:
r - read PMU architectural and configuration details, read PMU *access* settings
w - modify PMU *access* settings
x - modify PMU configuration and collect data
So levels of *access* to PMU could look like this:
root=rwx, ${PMU}_users=r-x, other=r--.
Possible examples of *scope* control settings could look like this:
1) system wide user+kernel mode CPU sampling with context switches
and uncore counting:
/proc/sys/kernel/perf_event_paranoid (-2, 2): 0
SW.paranoid (-3, 2):(root=rwx, SW_users=r-x,other=r--): -3
CPU.paranoid (-3, 2):(root=rwx,CPU_users=r-x,other=r--): -3
IMC.paranoid (-3,-1):(root=rwx,IMC_users=r-x,other=r--): -3
UPI.paranoid (-3,-1):(root=rwx,UPI_users=r-x,other=r--): -3
PCI.paranoid (-3,-1):(root=rwx,PCI_users=r-x,other=r--): -3
2) per-process CPU sampling with context switches and uncore counting:
/proc/sys/kernel/perf_event_paranoid (-2, 2): 1|2
SW.paranoid (-3, 2):(root=rwx, SW_users=r-x,other=r--): -3
CPU.paranoid (-3, 2):(root=rwx,CPU_users=r-x,other=r--): -3
IMC.paranoid (-3,-1):(root=rwx,IMC_users=r-x,other=r--): -1
UPI.paranoid (-3,-1):(root=rwx,UPI_users=r-x,other=r--): -1
PCI.paranoid (-3,-1):(root=rwx,PCI_users=r-x,other=r--): -1
3) per-process user mode CPU sampling allowed to specific ${PMU}_groups only:
/proc/sys/kernel/perf_event_paranoid (-2, 2): -2
SW.paranoid (-3, 2):(root=rwx, SW_users=r-x,other=r--): 2
CPU.paranoid (-3, 2):(root=rwx,CPU_users=r-x,other=r--): 2
IMC.paranoid (-3,-1):(root=rwx,IMC_users=r-x,other=r--): -3
UPI.paranoid (-3,-1):(root=rwx,UPI_users=r-x,other=r--): -3
PCI.paranoid (-3,-1):(root=rwx,PCI_users=r-x,other=r--): -3
4) uncore HW counters monitoring, possibly overtime:
/proc/sys/kernel/perf_event_paranoid (-2, 2): -2
SW.paranoid (-3, 2):(root=rwx, SW_users=r-x,other=r--): -3
CPU.paranoid (-3, 2):(root=rwx,CPU_users=r-x,other=r--): -3
IMC.paranoid (-3,-1):(root=rwx,IMC_users=r-x,other=r--): -1
UPI.paranoid (-3,-1):(root=rwx,UPI_users=r-x,other=r--): -1
PCI.paranoid (-3,-1):(root=rwx,PCI_users=r-x,other=r--): -1
Please share more thought so that it eventually could go into
Documentation/admin-guide/perf-security.rst.
Thanks,
Alexey
next prev parent reply other threads:[~2018-10-04 17:14 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-19 12:27 Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 1/5] perf: Move some access checks later in perf_event_open Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 2/5] perf: Pass pmu pointer to perf_paranoid_* helpers Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 3/5] perf: Allow per PMU access control Tvrtko Ursulin
2018-09-27 20:15 ` Andi Kleen
2018-09-28 8:57 ` Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 4/5] perf Documentation: Document the per PMU perf_event_paranoid interface Tvrtko Ursulin
2018-09-19 12:27 ` [RFC 5/5] tools/perf: Add support for per-PMU access control Tvrtko Ursulin
2018-09-28 10:26 ` [RFC 0/5] perf: Per PMU access controls (paranoid setting) Thomas Gleixner
2018-09-28 13:22 ` Tvrtko Ursulin
2018-09-28 14:02 ` Thomas Gleixner
2018-09-28 14:56 ` Tvrtko Ursulin
2018-09-28 15:23 ` Thomas Gleixner
2018-09-28 15:45 ` Alexey Budankov
2018-09-28 18:20 ` Thomas Gleixner
2018-09-28 20:45 ` Andi Kleen
2018-09-29 6:19 ` Thomas Gleixner
2018-10-01 6:25 ` Alexey Budankov
2018-09-28 15:12 ` Jann Horn
2018-09-28 22:02 ` Jann Horn
2018-10-01 6:27 ` Alexey Budankov
2018-09-28 16:41 ` Mark Rutland
2018-09-28 17:23 ` Andi Kleen
2018-09-28 17:40 ` Mark Rutland
2018-09-28 20:49 ` Andi Kleen
2018-09-28 20:54 ` Jann Horn
2018-09-28 20:59 ` Andi Kleen
2018-09-28 21:22 ` Jann Horn
2018-09-28 21:27 ` Andi Kleen
2018-10-01 6:25 ` Alexey Budankov
2018-10-01 16:11 ` Thomas Gleixner
2018-10-01 16:15 ` Jann Horn
2018-10-01 20:51 ` Alexey Budankov
2018-10-02 6:40 ` Thomas Gleixner
2018-10-02 11:44 ` Alexey Budankov
2018-10-03 17:01 ` Jann Horn
2018-10-04 17:11 ` Alexey Budankov [this message]
2018-09-29 6:30 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe49c9b5-88fb-c827-9262-1931bcf80b6c@linux.intel.com \
--to=alexey.budankov@linux.intel.com \
--cc=acme@kernel.org \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=jolsa@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maddy@linux.vnet.ibm.com \
--cc=mark.rutland@arm.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tursulin@ursulin.net \
--cc=tvrtko.ursulin@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome