From: Paul Mackerras <paulus@samba.org>
To: Ingo Molnar <mingo@elte.hu>
Cc: "Avi Kivity" <avi@redhat.com>,
"Pekka Enberg" <penberg@cs.helsinki.fi>,
"Tom Zanussi" <tzanussi@gmail.com>,
"Frédéric Weisbecker" <fweisbec@gmail.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Arnaldo Carvalho de Melo" <acme@redhat.com>,
"Peter Zijlstra" <peterz@infradead.org>,
linux-perf-users@vger.kernel.org,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: disabling group leader perf_event
Date: Wed, 8 Sep 2010 11:44:09 +1000 [thread overview]
Message-ID: <20100908014409.GA17010@brick.ozlabs.ibm.com> (raw)
In-Reply-To: <20100907034417.GA14046@elte.hu>
On Tue, Sep 07, 2010 at 05:44:17AM +0200, Ingo Molnar wrote:
> No, it's machine code. It's 'safe x86 bytecode executed natively by the
> kernel as a function'.
I'm curious - how are you going to prove that addresses for the MOV
instruction are safe, using just a static pre-execution scan of the
code? If you only allow things that you can prove are safe, then
either you'll have a very large and complex verifier, or you'll end up
disallowing interesting and useful cases.
The other alternative is to do runtime verification of addressses,
which is much more straightforward (and it's also much easier to prove
it's secure). But it does mean that you can't run the code as-is.
> It needs a verification pass (because the code can come from untrusted
> apps) so that we can copy, verify and trust it (so obviously it's not
> _arbitrary_ x86 machine code - a safe subset of x86) - maybe with a sha1
> based cache for already-verified snippets (or a fast verifier).
>
> > x86 is quite unpleasant.
>
> Any machine code that is fast and compact is unpleasant almost by
> definition: it's a rather non-obvious Huffman encoding embedded in an
> instruction architecture.
>From the point of view of having to emulate or translate x86 code (as
we would have to do on powerpc), it's not the compactness that's
unpleasant, it's things like not being able to tell whether the
condition codes set by an instruction are ever going to be used. Many
x86 instructions set the condition codes but for most instructions the
condition codes that are set are never used. So when emulating or
translating, you either waste time computing condition code values
that are never used, or you have to do complex lifetime analysis to
work out which instructions do need to compute the condition codes.
> We start with trivial (and useless) special case of something like:
>
> #define MAX_BYTECODE_SIZE 256
>
> int x86_bytecode_verify(char *opcodes, unsigned int len)
> {
>
> if (len-1 > MAX_BYTECODE_SIZE-1)
> return -EINVAL;
>
> if (opcodes[0] != 0xc3) /* RET instruction */
> return -EINVAL;
>
> return 0;
> }
>
> ... and then we add checks for accepted/safe x86 patterns of
> instructions step by step - always keeping it 100% correct.
So... I would be interested to see you add the case for the MOV
instruction. :)
Paul.
next prev parent reply other threads:[~2010-09-08 1:44 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-06 9:12 disabling group leader perf_event Avi Kivity
2010-09-06 11:24 ` Peter Zijlstra
2010-09-06 11:34 ` Avi Kivity
2010-09-06 11:54 ` Peter Zijlstra
2010-09-06 11:58 ` Avi Kivity
2010-09-06 12:29 ` Peter Zijlstra
2010-09-06 12:40 ` Ingo Molnar
2010-09-06 13:16 ` Steven Rostedt
2010-09-06 16:42 ` Tom Zanussi
2010-09-07 12:53 ` Steven Rostedt
2010-09-07 14:16 ` Tom Zanussi
2010-09-06 12:49 ` Avi Kivity
2010-09-06 12:43 ` Ingo Molnar
2010-09-06 12:45 ` Avi Kivity
2010-09-06 12:59 ` Ingo Molnar
2010-09-06 13:41 ` Pekka Enberg
2010-09-06 13:54 ` Ingo Molnar
2010-09-06 14:57 ` Avi Kivity
2010-09-06 15:30 ` Alan Cox
2010-09-06 15:20 ` Avi Kivity
2010-09-06 15:48 ` Alan Cox
2010-09-06 17:50 ` Avi Kivity
2010-09-06 15:47 ` Ingo Molnar
2010-09-06 17:55 ` Avi Kivity
2010-09-07 3:44 ` Ingo Molnar
2010-09-07 8:33 ` Stefan Hajnoczi
2010-09-07 9:13 ` Avi Kivity
2010-09-07 22:43 ` Ingo Molnar
2010-09-07 15:55 ` Alan Cox
2010-09-08 1:44 ` Paul Mackerras [this message]
2010-09-08 6:16 ` Pekka Enberg
2010-09-08 6:44 ` Ingo Molnar
2010-09-08 7:30 ` Peter Zijlstra
2010-09-08 19:30 ` Frank Ch. Eigler
2010-09-09 7:38 ` Ingo Molnar
2010-09-08 6:19 ` Avi Kivity
2010-09-06 20:31 ` Pekka Enberg
2010-09-06 20:37 ` Pekka Enberg
2010-09-07 4:03 ` Ingo Molnar
2010-09-07 9:30 ` Pekka Enberg
2010-09-07 22:27 ` Ingo Molnar
2010-09-07 10:57 ` KOSAKI Motohiro
2010-09-07 12:14 ` Pekka Enberg
2010-09-07 13:35 ` Steven Rostedt
2010-09-07 13:47 ` Avi Kivity
2010-09-07 16:02 ` Steven Rostedt
2010-09-12 6:46 ` Pavel Machek
2010-09-12 17:54 ` Avi Kivity
2010-09-12 18:48 ` Ingo Molnar
2010-09-12 19:14 ` Pavel Machek
2010-09-12 20:32 ` Ingo Molnar
2010-09-12 21:06 ` Pavel Machek
2010-09-12 22:19 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100908014409.GA17010@brick.ozlabs.ibm.com \
--to=paulus@samba.org \
--cc=acme@redhat.com \
--cc=avi@redhat.com \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=penberg@cs.helsinki.fi \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tzanussi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.