[v2,05/15] lib: sbi: Disable m/scounteren & enable mcountinhibit

Currently, all bits in mcountern are enabled unconditionally at
boot time. With SBI PMU extension, this should enabled only during
performance monitoring for a particular event except the TM bit. However,
this is done only if mcountinhibit is implemented because the supervisor
mode can not start/stop any event without mcountinhibit.

Similarly, supervisor should take care enabling scounteren which allows
U-mode to access pmu counters. Disable all bits in scounteren in M-mode.

Reviewed-by: Anup Patel <anup.patel@wdc.com>
Signed-off-by: Atish Patra <atish.patra@wdc.com>
---
 lib/sbi/sbi_hart.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
> 
> Currently, all bits in mcountern are enabled unconditionally at
> boot time. With SBI PMU extension, this should enabled only during
> performance monitoring for a particular event except the TM bit. However,
> this is done only if mcountinhibit is implemented because the supervisor
> mode can not start/stop any event without mcountinhibit.
> 
> Similarly, supervisor should take care enabling scounteren which allows
> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.

Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
TM should be enabled in scounteren by default, this is just needlessly hostile.
IMO both mcounteren and scounteren should be initialised to 7 on boot.

Jess

On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>
> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
> >
> > Currently, all bits in mcountern are enabled unconditionally at
> > boot time. With SBI PMU extension, this should enabled only during
> > performance monitoring for a particular event except the TM bit. However,
> > this is done only if mcountinhibit is implemented because the supervisor
> > mode can not start/stop any event without mcountinhibit.
> >
> > Similarly, supervisor should take care enabling scounteren which allows
> > U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
>
> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
> TM should be enabled in scounteren by default, this is just needlessly hostile.

This happens only if the platform supports mcountinhibit. As per the
priv spec, no counter should run unless the corresponding bit in
mcountinhibit
is cleared. This patch just follows the spec.


> IMO both mcounteren and scounteren should be initialised to 7 on boot.
>
> Jess
>
>
> --
> opensbi mailing list
> opensbi@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/opensbi

On 27 May 2021, at 23:06, Atish Patra <atishp@atishpatra.org> wrote:
> 
> On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>> 
>> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
>>> 
>>> Currently, all bits in mcountern are enabled unconditionally at
>>> boot time. With SBI PMU extension, this should enabled only during
>>> performance monitoring for a particular event except the TM bit. However,
>>> this is done only if mcountinhibit is implemented because the supervisor
>>> mode can not start/stop any event without mcountinhibit.
>>> 
>>> Similarly, supervisor should take care enabling scounteren which allows
>>> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
>> 
>> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
>> TM should be enabled in scounteren by default, this is just needlessly hostile.
> 
> This happens only if the platform supports mcountinhibit. As per the
> priv spec, no counter should run unless the corresponding bit in
> mcountinhibit
> is cleared. This patch just follows the spec.

I don’t understand your reply. The privileged spec just says how the CSRs
behave, it doesn’t say that you need to make an SBI call (which isn’t part of
the privileged spec) for cycle and instret to count. Requiring that is
unnecessarily hostile; in practice, everything will want those two counters to
be enabled, because arbitrary userspace software wants to use them. They should
never be disabled by OpenSBI unless S-mode explicitly asks for them to be
disabled.

Jess

On Thu, May 27, 2021 at 3:15 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>
> On 27 May 2021, at 23:06, Atish Patra <atishp@atishpatra.org> wrote:
> >
> > On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
> >>
> >> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
> >>>
> >>> Currently, all bits in mcountern are enabled unconditionally at
> >>> boot time. With SBI PMU extension, this should enabled only during
> >>> performance monitoring for a particular event except the TM bit. However,
> >>> this is done only if mcountinhibit is implemented because the supervisor
> >>> mode can not start/stop any event without mcountinhibit.
> >>>
> >>> Similarly, supervisor should take care enabling scounteren which allows
> >>> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
> >>
> >> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
> >> TM should be enabled in scounteren by default, this is just needlessly hostile.
> >
> > This happens only if the platform supports mcountinhibit. As per the
> > priv spec, no counter should run unless the corresponding bit in
> > mcountinhibit
> > is cleared. This patch just follows the spec.
>
> I don’t understand your reply. The privileged spec just says how the CSRs
> behave, it doesn’t say that you need to make an SBI call (which isn’t part of
> the privileged spec) for cycle and instret to count. Requiring that is
> unnecessarily hostile; in practice, everything will want those two counters to
> be enabled, because arbitrary userspace software wants to use them.

That's a security risk. One rogue process can have access to cycle &
instructions of the entire kernel & M-mode firmware.
The counters should report a value only if it is being asked to
start/stop a userspace application (e.g. perf).

We can keep CY & IR bits enabled in OpenSBI but it must be disabled by
the Linux kernel PMU driver by default.
The effect will remain the same.

Once sscopmf is implemented, there is a plan to set MINH bit always so
that supervisor/userspace don't know how many cycles
are spent while running OpenSBI.

They should
> never be disabled by OpenSBI unless S-mode explicitly asks for them to be
> disabled.
>
> Jess
>

On 28 May 2021, at 16:45, Atish Patra <atishp@atishpatra.org> wrote:
> 
> On Thu, May 27, 2021 at 3:15 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>> 
>> On 27 May 2021, at 23:06, Atish Patra <atishp@atishpatra.org> wrote:
>>> 
>>> On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>>>> 
>>>> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
>>>>> 
>>>>> Currently, all bits in mcountern are enabled unconditionally at
>>>>> boot time. With SBI PMU extension, this should enabled only during
>>>>> performance monitoring for a particular event except the TM bit. However,
>>>>> this is done only if mcountinhibit is implemented because the supervisor
>>>>> mode can not start/stop any event without mcountinhibit.
>>>>> 
>>>>> Similarly, supervisor should take care enabling scounteren which allows
>>>>> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
>>>> 
>>>> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
>>>> TM should be enabled in scounteren by default, this is just needlessly hostile.
>>> 
>>> This happens only if the platform supports mcountinhibit. As per the
>>> priv spec, no counter should run unless the corresponding bit in
>>> mcountinhibit
>>> is cleared. This patch just follows the spec.
>> 
>> I don’t understand your reply. The privileged spec just says how the CSRs
>> behave, it doesn’t say that you need to make an SBI call (which isn’t part of
>> the privileged spec) for cycle and instret to count. Requiring that is
>> unnecessarily hostile; in practice, everything will want those two counters to
>> be enabled, because arbitrary userspace software wants to use them.
> 
> That's a security risk. One rogue process can have access to cycle &
> instructions of the entire kernel & M-mode firmware.
> The counters should report a value only if it is being asked to
> start/stop a userspace application (e.g. perf).
> 
> We can keep CY & IR bits enabled in OpenSBI but it must be disabled by
> the Linux kernel PMU driver by default.
> The effect will remain the same.
> 
> Once sscopmf is implemented, there is a plan to set MINH bit always so
> that supervisor/userspace don't know how many cycles
> are spent while running OpenSBI.

That side-channel will always exist by measuring time. This just breaks valid
use-cases in the name of “security”.

__builtin_readcyclecounter is a thing and needs to work otherwise you *will*
break software. At the end of the day I don’t care what you do in the Linux
kernel, but I do care what gets done in the platform firmware that breaks
existing 3rd-party userspace software on FreeBSD.

Jess

On Fri, May 28, 2021 at 12:46 PM Atish Patra <atishp@atishpatra.org> wrote:
>
> On Thu, May 27, 2021 at 3:15 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
> >
> > On 27 May 2021, at 23:06, Atish Patra <atishp@atishpatra.org> wrote:
> > >
> > > On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
> > >>
> > >> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
> > >>>
> > >>> Currently, all bits in mcountern are enabled unconditionally at
> > >>> boot time. With SBI PMU extension, this should enabled only during
> > >>> performance monitoring for a particular event except the TM bit. However,
> > >>> this is done only if mcountinhibit is implemented because the supervisor
> > >>> mode can not start/stop any event without mcountinhibit.
> > >>>
> > >>> Similarly, supervisor should take care enabling scounteren which allows
> > >>> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
> > >>
> > >> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
> > >> TM should be enabled in scounteren by default, this is just needlessly hostile.
> > >
> > > This happens only if the platform supports mcountinhibit. As per the
> > > priv spec, no counter should run unless the corresponding bit in
> > > mcountinhibit
> > > is cleared. This patch just follows the spec.
> >
> > I don’t understand your reply. The privileged spec just says how the CSRs
> > behave, it doesn’t say that you need to make an SBI call (which isn’t part of
> > the privileged spec) for cycle and instret to count. Requiring that is
> > unnecessarily hostile; in practice, everything will want those two counters to
> > be enabled, because arbitrary userspace software wants to use them.
>
> That's a security risk. One rogue process can have access to cycle &
> instructions of the entire kernel & M-mode firmware.

For the uninformed (me), can you elaborate on this risk?

> The counters should report a value only if it is being asked to
> start/stop a userspace application (e.g. perf).
>
> We can keep CY & IR bits enabled in OpenSBI but it must be disabled by
> the Linux kernel PMU driver by default.
> The effect will remain the same.
>
> Once sscopmf is implemented, there is a plan to set MINH bit always so
> that supervisor/userspace don't know how many cycles
> are spent while running OpenSBI.
>
> They should
> > never be disabled by OpenSBI unless S-mode explicitly asks for them to be
> > disabled.
> >
> > Jess
> >
>
>
> --
> Regards,
> Atish
>
> --
> opensbi mailing list
> opensbi@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/opensbi

On Fri, May 28, 2021 at 8:53 AM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>
> On 28 May 2021, at 16:45, Atish Patra <atishp@atishpatra.org> wrote:
> >
> > On Thu, May 27, 2021 at 3:15 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
> >>
> >> On 27 May 2021, at 23:06, Atish Patra <atishp@atishpatra.org> wrote:
> >>>
> >>> On Wed, May 26, 2021 at 5:36 PM Jessica Clarke <jrtc27@jrtc27.com> wrote:
> >>>>
> >>>> On 27 May 2021, at 01:30, Atish Patra <atish.patra@wdc.com> wrote:
> >>>>>
> >>>>> Currently, all bits in mcountern are enabled unconditionally at
> >>>>> boot time. With SBI PMU extension, this should enabled only during
> >>>>> performance monitoring for a particular event except the TM bit. However,
> >>>>> this is done only if mcountinhibit is implemented because the supervisor
> >>>>> mode can not start/stop any event without mcountinhibit.
> >>>>>
> >>>>> Similarly, supervisor should take care enabling scounteren which allows
> >>>>> U-mode to access pmu counters. Disable all bits in scounteren in M-mode.
> >>>>
> >>>> Turning off CY or IR seems like a bad idea to me. Similarly, all of CY, IR and
> >>>> TM should be enabled in scounteren by default, this is just needlessly hostile.
> >>>
> >>> This happens only if the platform supports mcountinhibit. As per the
> >>> priv spec, no counter should run unless the corresponding bit in
> >>> mcountinhibit
> >>> is cleared. This patch just follows the spec.
> >>
> >> I don’t understand your reply. The privileged spec just says how the CSRs
> >> behave, it doesn’t say that you need to make an SBI call (which isn’t part of
> >> the privileged spec) for cycle and instret to count. Requiring that is
> >> unnecessarily hostile; in practice, everything will want those two counters to
> >> be enabled, because arbitrary userspace software wants to use them.
> >
> > That's a security risk. One rogue process can have access to cycle &
> > instructions of the entire kernel & M-mode firmware.
> > The counters should report a value only if it is being asked to
> > start/stop a userspace application (e.g. perf).
> >
> > We can keep CY & IR bits enabled in OpenSBI but it must be disabled by
> > the Linux kernel PMU driver by default.
> > The effect will remain the same.
> >
> > Once sscopmf is implemented, there is a plan to set MINH bit always so
> > that supervisor/userspace don't know how many cycles
> > are spent while running OpenSBI.
>
> That side-channel will always exist by measuring time. This just breaks valid
> use-cases in the name of “security”.
>
> __builtin_readcyclecounter is a thing and needs to work otherwise you *will*
> break software. At the end of the day I don’t care what you do in the Linux
> kernel, but I do care what gets done in the platform firmware that breaks
> existing 3rd-party userspace software on FreeBSD.
>

Ahh okay. I didn't know about __builtin_readcyclecounter.
Ofcourse, we can't break userspace. I will revise the patch to enable CY & IR.

I will check if Linux user space has such a requirement too.

What about a setting MINH bit in sscofpmf extension[1] implementation?
Does __builtin_readcyclecounter expect to report the counter for all the modes ?

[1] https://lists.riscv.org/g/tech-privileged/message/452?p=,,,20,0,0,0::Created,,fast+track,20,2,20,80278800

> Jess
>

> What about a setting MINH bit in sscofpmf extension[1] implementation?

Sorry for getting late to the discussion. I think it needs to be
re-iterated that CY and IR are not part of Sscofpmf extension. There are
no corresponding mhpmevent registers for them. I asked Greg about this
in a private thread and if I understood it correctly, the reason for not
tackling CY and IR is that it would cause the extension to fall out of
the fast-track process.

So all in all, Sscofpmf will not be enough to tackle the sampling of
neither of those two. Unless there will be a copy of those counters in
mhpmcounters.

--
Best Regards,
Stan Kardach

> -----Original Message-----
> From: opensbi <opensbi-bounces@lists.infradead.org> On Behalf Of Stanislaw
> Kardach
> Sent: 05 June 2021 21:47
> To: Atish Patra <Atish.Patra@wdc.com>
> Cc: opensbi@lists.infradead.org
> Subject: [v2,05/15] lib: sbi: Disable m/scounteren & enable mcountinhibit
> 
> > What about a setting MINH bit in sscofpmf extension[1] implementation?
> 
> Sorry for getting late to the discussion. I think it needs to be re-iterated that
> CY and IR are not part of Sscofpmf extension. There are no corresponding
> mhpmevent registers for them. I asked Greg about this in a private thread and
> if I understood it correctly, the reason for not tackling CY and IR is that it
> would cause the extension to fall out of the fast-track process.
> 
> So all in all, Sscofpmf will not be enough to tackle the sampling of neither of
> those two. Unless there will be a copy of those counters in mhpmcounters.

Even if CY and IR are not part of Sscofpmf extension, we still have mechanism
to start/stop these counters via mcountinhibit so software (Kernel and
and Hypervisors) can use SBI PMU calls to start/stop these counters only
for Processes/Guest/VMs that have explicitly requested it.

To address this nature of CY and IR, the filter flags of SBI PMU config matching
call are defined as optional for the SBI implementation so these filter flags can
be ignored for CY and IR counters.

Regards,
Anup

> 
> --
> Best Regards,
> Stan Kardach
> 
> 
> --
> opensbi mailing list
> opensbi@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/opensbi