Thread (5 messages) 5 messages, 2 authors, 2020-07-15

Re: [PATCH v3] powerpc/perf: Use SIER_USER_MASK while updating SPRN_SIER for EBB events

From: Michael Ellerman <mpe@ellerman.id.au>
Date: 2020-07-14 06:08:25 

Athira Rajeev [off-list ref] writes:
quoted
On 19-Mar-2020, at 4:22 PM, Michael Ellerman [off-list ref] wrote:

Hi Athira,

Athira Rajeev [off-list ref] writes:
quoted
Sampled Instruction Event Register (SIER), is a PMU register,
                                                              ^
                                                              that
quoted
captures architecture state for a given sample. And sier_user_mask
          ^                                          ^
          don't think we need "architecture"         SIER_USER_MASK
quoted
defined in commit 330a1eb7775b ("powerpc/perf: Core EBB support for 64-bit
book3s") defines the architected bits that needs to be saved from the SPR.
Not quite, it defines the bits that are visible to userspace.

And I think it's true that for EBB events the bits we need/want to save
are only the user visible bits.
quoted
Currently all of the bits from SIER are saved for EBB events. Patch fixes
this by ANDing the "sier_user_mask" to data from SIER in ebb_switch_out().
This will force save only architected bits from the SIER.
s/architected/user visible/


But, why does it matter? The kernel saves the user visible bits, as well
as the kernel-only bits into the thread struct. And then later the
kernel restores that value into the hardware before returning to
userspace.

But the hardware enforces the visibility of the bits, so userspace can't
observe any bits that it shouldn't.

Or is there some other mechanism whereby userspace can see those bits? ;)

If there was, what would the security implications of that be?
Hi Michael,

Thanks for your comments. 

In ebb_switch_in, we set PMCC bit [MMCR0 44:45 ] to 10 which means
SIER ( Group B ) register is readable in problem state. Hence the
intention of the patch was to make sure we are not exposing the bits
which the userspace shouldn't be reading.

But following your comment about "hardware enforcing the visibility of
bits", I did try an "ebb" experiment which showed that reading
SPRN_SIER didn't expose any bits other than the user visible bits.
Sorry for the confusion here.
That's OK. Thanks for following my trail of clues :)

In that case, Can we drop the existing definition of SIER_USER_MASK if
it is no more needed ?
I think it is still needed, and I think this change to use it is good, because
SIER is visible via ptrace.

What we need to do, is look at what information in SIER we are currently
exposing to userspace via ptrace, and what the security implications (if
any) of that are.

cheers
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help