Date: Thu, 7 Feb 2019 16:30:19 +0300
From: Alexey Budankov <alexey.budankov@...ux.intel.com>
To: Jonatan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>
Cc: Jann Horn <jannh@...gle.com>, Arnaldo Carvalho de Melo <acme@...nel.org>, Jiri Olsa <jolsa@...hat.com>, Namhyung Kim <namhyung@...nel.org>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Andi Kleen <ak@...ux.intel.com>, Mark Rutland <mark.rutland@....com>, Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>
Subject: [PATCH v2 2/4] perf-security: document collected perf_events/Perf data categories

Document and categorize system and performance data into groups that
can be captured by perf_events/Perf and explicitly indicate the group
that can contain process sensitive data.

Signed-off-by: Alexey Budankov <alexey.budankov@...ux.intel.com>
---
Changes in v2:
- applied comments on v1

---
 Documentation/admin-guide/perf-security.rst | 32 +++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/perf-security.rst b/Documentation/admin-guide/perf-security.rst
index 3915f07b9dea..e6eb7e1ee5ad 100644
--- a/Documentation/admin-guide/perf-security.rst
+++ b/Documentation/admin-guide/perf-security.rst
@@ -11,8 +11,34 @@ impose a considerable risk of leaking sensitive data accessed by monitored processes. The data leakage is possible both in scenarios of direct usage of perf_events system call API _ and over data files generated by Perf tool user mode utility (Perf) _ , _ . The risk depends on the nature of data that -perf_events performance monitoring units (PMU) _ collect and expose for -performance analysis. Having that said perf_events/Perf performance monitoring +perf_events performance monitoring units (PMU) _ and Perf collect and expose +for performance analysis. Collected system and performance data may be split into +several categories: + +1. System hardware and software configuration data, for example: a CPU model and + its cache configuration, an amount of available memory and its topology, used + kernel and Perf versions, performance monitoring setup including experiment + time, events configuration, Perf command line parameters, etc. + +2. User and kernel module paths and their load addresses with sizes, process and + thread names with their PIDs and TIDs, timestamps for captured hardware and + software events. + +3. Content of kernel software counters (e.g., for context switches, page faults, + CPU migrations), architectural hardware performance counters (PMC) _ and + machine specific registers (MSR) _ that provide execution metrics for + various monitored parts of the system (e.g., memory controller (IMC), interconnect + (QPI/UPI) or peripheral (PCIe) uncore counters) without direct attribution to any + execution context state. + +4. Content of architectural execution context registers (e.g., RIP, RSP, RBP on + x86_64), process user and kernel space memory addresses and data, content of + various architectural MSRs that capture data from this category. + +Data that belong to the fourth category can potentially contain sensitive process +data. 
If PMUs in some monitoring modes capture values of execution context registers +or data from process memory then access to such monitoring capabilities requires +to be ordered and secured properly. So, perf_events/Perf performance monitoring is the subject for security access control management _ . perf_events/Perf access control @@ -128,6 +154,8 @@ Bibliography ..  `<https://www.kernel.org/doc/html/latest/security/credentials.html>`_ ..  `<http://man7.org/linux/man-pages/man7/capabilities.7.html>`_ ..  `<http://man7.org/linux/man-pages/man2/ptrace.2.html>`_ +..  `<https://en.wikipedia.org/wiki/Hardware_performance_counter>`_ +..  `<https://en.wikipedia.org/wiki/Model-specific_register>`_ ..  `<http://man7.org/linux/man-pages/man2/getrlimit.2.html>`_ ..  `<http://man7.org/linux/man-pages/man5/limits.conf.5.html>`_
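Review bot: In the @@ -11,8 +11,34 @@ hunk, the last item of category 4, "content of various architectural MSRs that capture data from this category", defines the category in terms of itself, and category 3 already lists MSR content as data "without direct attribution to any execution context state", so a reader cannot tell which MSRs fall on the sensitive side. Suggest stating the distinguishing property directly, for example "MSRs that capture execution context register values or process memory data", which matches the wording of the sentence that follows the list. Two smaller points in the same hunk: "requires to be ordered and secured properly" would read better as "must be ordered and properly secured", and category 2 includes kernel module load addresses while only category 4 is called out as potentially sensitive, so it is worth one sentence saying whether that is intended.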
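Review bot: In the Bibliography hunk (@@ -128,6 +154,8 @@), the added Model-specific_register link does not agree with the expansion used in the first hunk, "machine specific registers (MSR)"; use "model-specific registers" in the text so the term and its reference match. The two new entries are also inserted ahead of the existing getrlimit.2 and limits.conf.5 entries, so if the references are numbered, check that those entries and every place in the document that cites them are renumbered accordingly.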