Re: Restricting rdtsc [was: kernel aslr]

[Alexander Nasonov]

Maxime Villard wrote:
> Le 29/03/2017 ? 00:49, Alexander Nasonov a ?crit :
> > I think this should be either all-or-nothing. You either have rdtsc as
> > a time source or you don't. Similar for rdpmc (and other performance
> > counters).
> 
> Well, the idea was to make the availability more fine-grained.
> 
> 
> Seeing the general skepticism that prevails, I guess we can just forget about
> this idea.

There are two more or less independent things: fine-grained time source
and userspace rdtsc. The latter is often used directly when vdso isn't
available. If we implement vdso, I assume that software that needs rdtsc
can be taught to call it via vdso.

With vdso implemented, we can have a flag that enables/disables
vdso globally as well as per process (paxctl?). Independetly,
the kernel can be configured to use either fine-grained or hackerproof
time source for regular (non-vdso) system calls.

Alex

Re: Restricting rdtsc [was: kernel aslr]

[Thor Lancelot Simon]

On Tue, Apr 04, 2017 at 05:39:35PM +0200, Maxime Villard wrote:
> sorry for the delay
> 
> Le 31/03/2017 ? 19:23, Andreas Gustafsson a ?crit :
> > It's ASLR that's broken, not rdtsc, and I strongly object to
> > restricting the latter just to that people can continue to gain
> > a false sense of security from the former.
> 
> For your information, side-channels are not only limited to aslr. It has
> been demonstrated too that cache latencies can be used to keylog a privileged
> process, and to steal cryptographic keys.

Time is a basic operating system service.  Lack of cheap precision time is
not an _advantage_ of NetBSD; it is a disadvantage.

As others have noted, our general intention has been to _reduce_ the cost
to an applicaiton of obtaining timestamps in general -- by providing a
commpage with a base value, and allowing libc to use the cycle counter
as a no-system-calls-required way to obtain an offset.  Other operating
systems do this and it is a real advantage for many applicaitons.  If we
block userland access to the cycle counters, this is a nonstarter.

Yes, the ability of malicious code to measure the behavior of critical
system components and facilities is a problem, but I tend to believe the
solution has to be in the implementation of those components and facilities,
not in removing the ability of non-malicious code to make precision
measurements.

We may not have applications in base that use use rdtsc to get quick
timestamps, but they're sure out there.  OpenSSL's MD code used to
use it -- has that changed? -- and I've seen it in database applications,
language runtimes, and numerous other places.  I really don't think it
would be a good idea to cause it to not work in the general case.

Thor

Re: Restricting rdtsc [was: kernel aslr]

[Maxime Villard]

sorry for the delay

Le 31/03/2017 à 19:23, Andreas Gustafsson a écrit :

It's ASLR that's broken, not rdtsc, and I strongly object to
restricting the latter just to that people can continue to gain
a false sense of security from the former.


For your information, side-channels are not only limited to aslr. It has
been demonstrated too that cache latencies can be used to keylog a privileged
process, and to steal cryptographic keys.

Le 28/03/2017 à 23:17, Mouse a écrit :

I suspect you aren't being imaginative enough. :-)

If I were to do this, I would first make (or arrange for) compiler
options so that all memory references - both data references and
jump/call targets - are done relative to a base register.  The kernel
is built that way.  Then, whenever we want to, we (a) fiddle the MMU
and (b) change that register.  Instant kernel relocation!


This is not part of being imaginative, it is called segmentation, and it was
abandoned twenty years ago. The principle was exactly what you are describing:
each memory reference would be indexed by a segment register (%cs %ds etc),
that had a base address and limit. Originally it was used to provide privilege
separation; later, when paging was introduced, each operating system switched
to the flat-memory model (base = 0, limit = maximum). Now, the amd64 hardware
does not enforce the base and limit on several segment registers.

If you remember the USER_LDT thread from a few weeks ago, the problem with our
amd64 is precisely that we expect segment registers to be useless, and therefore
we don't allow them to have different values than the static flat-memory ones.
The problem is, under netbsd32+USER_LDT, segment registers are useful.

Even if they were still available on amd64, there would be a number of different
workarounds to apply in order to maintain consistency with paging, which in
short may have an important performance impact.

Apart from segment registers, you won't find a simple way of indexing memory
references; so no, this is not workable.

Le 29/03/2017 à 01:17, Thor Lancelot Simon a écrit :

This will break a ton of stuff.  Code all over the place checks if it's
on x86 and uses rdtsc when it wants a quick timestamp.


There is no code "all over the place" that uses rdtsc; just look at NXR, we
don't have any program in base that uses it. It is like RWX pages and
pax_mprotect, or even mapping NULL; some programs need to be special-cased, but
apart from that it does not create a huge mess.

Le 29/03/2017 à 00:49, Alexander Nasonov a écrit :

I think this should be either all-or-nothing. You either have rdtsc as
a time source or you don't. Similar for rdpmc (and other performance
counters).


Well, the idea was to make the availability more fine-grained.


Seeing the general skepticism that prevails, I guess we can just forget about
this idea.

Workqueues on filesystems

[coypu]

Hi,

I'd like to tackle LFS issues. I've been running it as my root
filesystem to get some real world testing, and it often wedges, and this
with heavy use of KERNEL_LOCK (it's not marked MPSAFE).
I'm still getting to know it, and not there yet.

I don't feel comfortable with how it has its own implementation of
serialization etc, and would like to change it to use existing APIs
where they fit.

Playing with networking I used workqueue(9) which I think is perfect
for e.g. LFS writer daemon, but its use is currently limited to
networking code deferring work from interrupt handlers, that was the
original intention of it.

Is there a reason I shouldn't use it for LFS?

Thanks.

Re: Add a mountlist iterator (round 2)

[J. Hannken-Illjes]

Time to start a second round.  This time the iterator only, vfs_busy()
and friends deferred to a new thread once the iterator is done.

Changes from the previous proposal:

- Removed the "flags" argument from mountlist_iterator_next(), will
  add mountlist_iterator_trynext() and vfs_trybusy() when needed.

- Added "void mountlist_iterator_done(mount_iterator_t *)" to
  completely hide vfs_busy()/vfs_unbusy() from the API and make it
  possible to assert that every call to mountlist_iterator_next()
  gets accompanied by a call to mountlist_iterator_done().

- Use the existing lock "mountlist_lock".

A typical usage is:

mount_iterator_t *iter;

mountlist_iterator_init(&iter);
while ((mp = mountlist_iterator_next(iter)) != NULL) {
... 
mountlist_iterator_done(iter);
}
mountlist_iterator_destroy(iter);  

Diffs are here: https://www.netbsd.org/~hannken/ml_iterator2/

Comments or objections anyone?

--
J. Hannken-Illjes - hann...@eis.cs.tu-bs.de - TU Braunschweig (Germany)