Re: [patch] let CONFIG_SECCOMP default to n

From: Andrew Morton
Date: Wed Jul 12 2006 - 21:53:40 EST

Next message: Linus Torvalds: "Re: [patch] let CONFIG_SECCOMP default to n"
Previous message: Andrew Morton: "Re: [PATCH] tpm: Add force device probe option"
In reply to: andrea: "Re: [patch] let CONFIG_SECCOMP default to n"
Next in thread: Linus Torvalds: "Re: [patch] let CONFIG_SECCOMP default to n"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 12 Jul 2006 23:07:32 +0200
Ingo Molnar <mingo@xxxxxxx> wrote:

> Despite good resons to apply the patch, it has not been applied yet,
> with no explanation.

I queued the below. Andrea claims that it'll reduce seccomp overhead to
literally zero.

But looking at it, I think it's a bit confused. The patch needs
s/DISABLE_TSC/ENABLE_TSC/ to make it right.

From: Andrea Arcangeli <andrea@xxxxxxxxxxxx>

Make the TSC disable purely paranoid feature optional, so by default seccomp
returns absolutely zerocost.

Signed-off-by: Andrea Arcangeli <andrea@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

arch/i386/Kconfig | 12 ++++++++++++
arch/i386/kernel/process.c | 2 ++
arch/x86_64/Kconfig | 12 ++++++++++++
arch/x86_64/kernel/process.c | 31 +++++++++++++++++++++++++++++++
4 files changed, 57 insertions(+)

diff -puN arch/i386/Kconfig~add-seccomp_disable_tsc-config-option arch/i386/Kconfig
--- a/arch/i386/Kconfig~add-seccomp_disable_tsc-config-option
+++ a/arch/i386/Kconfig
@@ -737,6 +737,18 @@ config SECCOMP

If unsure, say Y. Only embedded should say N here.

+config SECCOMP_DISABLE_TSC
+ bool "Disable the TSC for seccomp tasks"
+ depends on SECCOMP
+ default n
+ help
+ This feature mathematically prevents covert channels
+ for tasks running under SECCOMP. This can generate
+ a minuscule overhead in the scheduler.
+
+ If you care most about performance say N. Say Y only if you're
+ paranoid about covert channels.
+
config VGA_NOPROBE
bool "Don't probe VGA at boot" if EMBEDDED
default n
diff -puN arch/i386/kernel/process.c~add-seccomp_disable_tsc-config-option arch/i386/kernel/process.c
--- a/arch/i386/kernel/process.c~add-seccomp_disable_tsc-config-option
+++ a/arch/i386/kernel/process.c
@@ -572,6 +572,7 @@ handle_io_bitmap(struct thread_struct *n
static inline void disable_tsc(struct task_struct *prev_p,
struct task_struct *next_p)
{
+#ifdef CONFIG_SECCOMP_DISABLE_TSC
struct thread_info *prev, *next;

/*
@@ -590,6 +591,7 @@ static inline void disable_tsc(struct ta
has_secure_computing(next))
write_cr4(read_cr4() | X86_CR4_TSD);
}
+#endif
}

/*
diff -puN arch/x86_64/Kconfig~add-seccomp_disable_tsc-config-option arch/x86_64/Kconfig
--- a/arch/x86_64/Kconfig~add-seccomp_disable_tsc-config-option
+++ a/arch/x86_64/Kconfig
@@ -526,6 +526,18 @@ config SECCOMP

If unsure, say Y. Only embedded should say N here.

+config SECCOMP_DISABLE_TSC
+ bool "Disable the TSC for seccomp tasks"
+ depends on SECCOMP
+ default n
+ help
+ This feature mathematically prevents covert channels
+ for tasks running under SECCOMP. This can generate
+ a minuscule overhead in the scheduler.
+
+ If you care most about performance say N. Say Y only if you're
+ paranoid about covert channels.
+
source kernel/Kconfig.hz

config REORDER
diff -puN arch/x86_64/kernel/process.c~add-seccomp_disable_tsc-config-option arch/x86_64/kernel/process.c
--- a/arch/x86_64/kernel/process.c~add-seccomp_disable_tsc-config-option
+++ a/arch/x86_64/kernel/process.c
@@ -494,6 +494,35 @@ out:
}

/*
+ * This function selects if the context switch from prev to next
+ * has to tweak the TSC disable bit in the cr4.
+ */
+static inline void disable_tsc(struct task_struct *prev_p,
+ struct task_struct *next_p)
+{
+#ifdef CONFIG_SECCOMP_DISABLE_TSC
+ struct thread_info *prev, *next;
+
+ /*
+ * gcc should eliminate the ->thread_info dereference if
+ * has_secure_computing returns 0 at compile time (SECCOMP=n).
+ */
+ prev = prev_p->thread_info;
+ next = next_p->thread_info;
+
+ if (has_secure_computing(prev) || has_secure_computing(next)) {
+ /* slow path here */
+ if (has_secure_computing(prev) &&
+ !has_secure_computing(next)) {
+ write_cr4(read_cr4() & ~X86_CR4_TSD);
+ } else if (!has_secure_computing(prev) &&
+ has_secure_computing(next))
+ write_cr4((read_cr4() | X86_CR4_TSD) & ~X86_CR4_PCE);
+ }
+#endif
+}
+
+/*
* This special macro can be used to load a debugging register
*/
#define loaddebug(thread,r) set_debugreg(thread->debugreg ## r, r)
@@ -622,6 +651,8 @@ __switch_to(struct task_struct *prev_p,
}
}

+ disable_tsc(prev_p, next_p);
+
/* If the task has used fpu the last 5 timeslices, just do a full
* restore of the math state immediately to avoid the trap; the
* chances of needing FPU soon are obviously high now
_

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: [patch] let CONFIG_SECCOMP default to n"
Previous message: Andrew Morton: "Re: [PATCH] tpm: Add force device probe option"
In reply to: andrea: "Re: [patch] let CONFIG_SECCOMP default to n"
Next in thread: Linus Torvalds: "Re: [patch] let CONFIG_SECCOMP default to n"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]