Re: [2.6 patch] let CONFIG_SECCOMP default to n

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Saturday 08 July 2006 05:23, Andrea Arcangeli wrote:
..
> (note that unless you sell cpu through CPUShare
> actively this overhead consists in two cacheline touches per context
> switch),

It's probably not worth the complication, but I suppose that could be
reduced to one cacheline by lazily enabling the TSC access.

...
> +	  This feature mathematically prevents covert channels
> +	  for tasks running under SECCOMP.

I disagree with this wording. First, for most users the worry isn't so
much covert channels, as it is side channels. In other words, the
worry is not so much that data is sent to the SECCOMP process
secretly, as that the data could be sensitive. Second, the feature
closes one only one type of side-channel; others may still exist. It's
quite possible for cpu bugs or undefined behaviour to reveal internal
cpu state (possibly affected by another process) without otherwise
being security risks. (In my uninformed opinion). I wouldn't worry
about such side channels myself, but they do likely exist.

Suggested wording as a patch against 2.6.18-rc1-mm1:
------

Change help text for SECCOMP_DISABLE_TSC to warn about
side channels (the larger concern) instead of covert channels.

signed-off-by: Andrew Wade <[email protected]>
---

diff -rupN a/arch/i386/Kconfig b/arch/i386/Kconfig
--- a/arch/i386/Kconfig	2006-07-10 21:00:37.000000000 -0400
+++ b/arch/i386/Kconfig	2006-07-10 21:37:12.000000000 -0400
@@ -748,12 +748,12 @@ config SECCOMP_DISABLE_TSC
 	depends on SECCOMP
 	default n
 	help
-	  This feature mathematically prevents covert channels
-	  for tasks running under SECCOMP. This can generate
-	  a minuscule overhead in the scheduler.
+	  This feature closes potential side channels for tasks
+	  running under SECCOMP. Enabling this can generate a
+	  miniscule overhead in the scheduler.
 
 	  If you care most about performance say N. Say Y only if you're
-	  paranoid about covert channels.
+	  paranoid about security.
 
 config VGA_NOPROBE
        bool "Don't probe VGA at boot" if EMBEDDED
diff -rupN a/arch/x86_64/Kconfig b/arch/x86_64/Kconfig
--- a/arch/x86_64/Kconfig	2006-07-10 21:00:40.000000000 -0400
+++ b/arch/x86_64/Kconfig	2006-07-10 21:44:59.000000000 -0400
@@ -537,12 +537,12 @@ config SECCOMP_DISABLE_TSC
 	depends on SECCOMP
 	default n
 	help
-	  This feature mathematically prevents covert channels
-	  for tasks running under SECCOMP. This can generate
-	  a minuscule overhead in the scheduler.
+	  This feature closes potential side channels for tasks
+	  running under SECCOMP. Enabling this can generate a
+	  miniscule overhead in the scheduler.
 
 	  If you care most about performance say N. Say Y only if you're
-	  paranoid about covert channels.
+	  paranoid about security.
 
 source kernel/Kconfig.hz
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux