Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180716101337.GA30279@gmail.com>
Date: Mon, 16 Jul 2018 12:13:38 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Alexander Popov <alex.popov@...ux.com>
Cc: Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Pax Team <pageexec@...email.hu>,
	Brad Spengler <spender@...ecurity.net>,
	Andrew Lutomirski <luto@...nel.org>,
	Tycho Andersen <tycho@...ho.ws>, Laura Abbott <labbott@...hat.com>,
	Mark Rutland <mark.rutland@....com>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Borislav Petkov <bp@...en8.de>,
	Richard Sandiford <richard.sandiford@....com>,
	Thomas Gleixner <tglx@...utronix.de>, Peter Anvin <hpa@...or.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	"Dmitry V. Levin" <ldv@...linux.org>,
	Emese Revfy <re.emese@...il.com>, Jonathan Corbet <corbet@....net>,
	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
	Thomas Garnier <thgarnie@...gle.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Alexei Starovoitov <ast@...nel.org>, Josef Bacik <jbacik@...com>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Nick Piggin <npiggin@...il.com>, Al Viro <viro@...iv.linux.org.uk>,
	David Miller <davem@...emloft.net>,
	dingtianhong <dingtianhong@...wei.com>,
	David Woodhouse <dwmw@...zon.co.uk>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Dominik Brodowski <linux@...inikbrodowski.net>,
	Jürgen Groß <jgross@...e.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Dan Williams <dan.j.williams@...el.com>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Mathias Krause <minipli@...glemail.com>,
	Vikas Shivappa <vikas.shivappa@...ux.intel.com>,
	Kyle Huey <me@...ehuey.com>,
	Dmitry Safonov <dsafonov@...tuozzo.com>,
	Will Deacon <will.deacon@....com>, Arnd Bergmann <arnd@...db.de>,
	Florian Weimer <fweimer@...hat.com>,
	Boris Lukashev <blukashev@...pervictus.com>,
	Andrey Konovalov <andreyknvl@...gle.com>,
	the arch/x86 maintainers <x86@...nel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v14 0/6] Introduce the STACKLEAK feature and a test for it


* Alexander Popov <alex.popov@...ux.com> wrote:

> On 16.07.2018 01:44, Ingo Molnar wrote:
> > 
> > * Kees Cook <keescook@...omium.org> wrote:
> > 
> >> On Thu, Jul 12, 2018 at 2:22 PM, Alexander Popov <alex.popov@...ux.com> wrote:
> >>> On 12.07.2018 23:50, Ingo Molnar wrote:
> >>>> Let's make sure informed users have an easy runtime way out
> >>>> from the worst of the overhead that doesn't involve "recompile your distro
> >>>> kernel". Also, make it easier to measure and fingerpoint the overhead...
> >>>
> >>> Would you like the following solution?
> >>>
> >>> I'll create the CONFIG_STACKLEAK_RUNTIME_DISABLE config option, which would be
> >>> similar to CONFIG_SECURITY_SELINUX_DISABLE. That option will provide a sysctl
> >>> switch disabling stackleak_erase(), which provides the most of performance penalty.
> >>
> >> I don't think CONFIG/sysctl is the way to go. I'd recommend making it
> >> a boot arg and using a static key, similar to what's happening to
> >> hardened_usercopy:
> > 
> > Why no sysctl? It's a PITA to reboot systems just to turn a stupid knob off.
> > 
> > Also, it's _much_ easier to measure performance impact when there's a sysctl.
> 
> Yes, you are right.
> 
> But I looked carefully and now see the troubles which sysctl would bring us.
> Each 'task_struct' has 'lowest_stack', which must be initialized before enabling
> STACKLEAK. So runtime enabling via sysctl is not plain and may bring race
> conditions.

Firstly, a sysctl could still allow it to be *disabled*, once - which is the most 
important usecase of the sysctl anyway.

Secondly, in the first iteration this could be kept included unconditionally:

	current->lowest_stack = current_top_of_stack() - THREAD_SIZE/64;

... which would keep it initialized and wouldn't be racy, right?

I.e. only the most expensive part of the function, the scanning, would be turned 
off via the sysctl. I submit that this will avoid all measurable aspects of the 1% 
kbuild performance overhead.

A more involved approach can be done in the future if warranted, and the feature 
could be disabled/enabled more thoroughly - but the runtime sysctl would be 
acceptable for me for now, as a first iteration.

> On the other hand, a boot param + static key that can only disable STACKLEAK 
> during __init are much more robust. I'm preparing the patch and performance 
> measurements.

A boot parameter does *not* address the concern I outlined. Why force admins 
reboot a box just to disable something that causes overhead?

Thanks,

	Ingo

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.