Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-18 Thread Pavel Machek
On Sat 2018-01-06 21:33:28, Avi Kivity wrote: > Meltdown and Spectre mitigations focus on protecting the kernel from a > hostile userspace. However, it's not a given that the kernel is the most > important target in the system. It is common in server workloads that a > single userspace application

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Casey Schaufler
On 1/6/2018 11:33 AM, Avi Kivity wrote: > Meltdown and Spectre mitigations focus on protecting the kernel from a > hostile userspace. However, it's not a given that the kernel is the most > important target in the system. It is common in server workloads that a > single userspace application

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Theodore Ts'o
On Sun, Jan 07, 2018 at 02:51:59PM +0200, Avi Kivity wrote: > > I don't see the connection. The browser wouldn't run with CAP_PAYLOAD set. > > In a desktop system, only init retains CAP_PAYLOAD. > > On a server that runs one application (and some supporting processes), only > init and that one

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Willy Tarreau
On Sun, Jan 07, 2018 at 11:14:21AM +0200, Avi Kivity wrote: > CAP_RAWIO is like CAP_PAYLOAD in that both allow you to read stuff you > shouldn't have access to on a vulnerable CPU. But CAP_PAYLOAD won't give you > that access on a non-vulnerable CPU, so it's safer. But it's still a wider surface

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Willy Tarreau
On Sun, Jan 07, 2018 at 02:36:28PM +, Alan Cox wrote: > What I struggle to see is why I'd want to nominate specific processes for > this except in very special cases (like your packet generator). Even then > it would make me nervous as the packet generator if that trusted is > effectively

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Avi Kivity
On 01/07/2018 04:36 PM, Alan Cox wrote: I'm interested in participating in working on such a solution, given that haproxy is severely impacted by "pti=on" and that for now we'll have to run with "pti=off" on the whole system until a more suitable solution is found. I'm still trying to work

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Alan Cox
> I'm interested in participating in working on such a solution, given > that haproxy is severely impacted by "pti=on" and that for now we'll > have to run with "pti=off" on the whole system until a more suitable > solution is found. I'm still trying to work out what cases there are for this. I

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Avi Kivity
On 01/07/2018 02:29 PM, Theodore Ts'o wrote: On Sun, Jan 07, 2018 at 11:16:28AM +0200, Avi Kivity wrote: I think capabilities will work just as well with cgroups. The container manager will set CAP_PAYLOAD to payload containers; and if those run an init system or a container manager

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Ozgur
07.01.2018, 15:29, "Theodore Ts'o" : > On Sun, Jan 07, 2018 at 11:16:28AM +0200, Avi Kivity wrote: >>  I think capabilities will work just as well with cgroups. The container >>  manager will set CAP_PAYLOAD to payload containers; and if those run an init >>  system or a container

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Theodore Ts'o
On Sun, Jan 07, 2018 at 11:16:28AM +0200, Avi Kivity wrote: > I think capabilities will work just as well with cgroups. The container > manager will set CAP_PAYLOAD to payload containers; and if those run an init > system or a container manager themselves, they'll drop CAP_PAYLOAD for all >

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Avi Kivity
On 01/06/2018 10:02 PM, Alan Cox wrote: I propose to create a new capability, CAP_PAYLOAD, that allows the system administrator to designate an application as the main workload in that system. Other processes (like sshd or monitoring daemons) exist to support it, and so it makes sense to protect

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-07 Thread Avi Kivity
On 01/06/2018 10:24 PM, Willy Tarreau wrote: Hi Avi, On Sat, Jan 06, 2018 at 09:33:28PM +0200, Avi Kivity wrote: Meltdown and Spectre mitigations focus on protecting the kernel from a hostile userspace. However, it's not a given that the kernel is the most important target in the system. It

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-06 Thread Willy Tarreau
Hi Avi, On Sat, Jan 06, 2018 at 09:33:28PM +0200, Avi Kivity wrote: > Meltdown and Spectre mitigations focus on protecting the kernel from a > hostile userspace. However, it's not a given that the kernel is the most > important target in the system. It is common in server workloads that a >

Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-06 Thread Alan Cox
> I propose to create a new capability, CAP_PAYLOAD, that allows the > system administrator to designate an application as the main workload in > that system. Other processes (like sshd or monitoring daemons) exist to > support it, and so it makes sense to protect the rest of the system from >

Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

2018-01-06 Thread Avi Kivity
Meltdown and Spectre mitigations focus on protecting the kernel from a hostile userspace. However, it's not a given that the kernel is the most important target in the system. It is common in server workloads that a single userspace application contains the valuable data on a system, and if it
