By: Linus Torvalds (torvalds.delete@this.linux-foundation.org), September 24, 2021 10:45 am
Room: Moderated Discussions
gpd (gpderetta.delete@this.gmail.com) on September 24, 2021 3:59 am wrote:
> Linus Torvalds (torvalds.delete@this.linux-foundation.org) on September 23, 2021 12:01 pm wrote:
> > The fact is, the whole notion of passing magic pointers and trying to associate random state with
> > them between two random untrusted but somehow cooperative entities is pure BS. And I claim that
> > no amount of segmentation - whatever you call it - will make it anything else.
>
> They seem useful in a post-spectre world to run potentially hostile (but otherwise memory safe) code in process,
> for example a web browser that wants to isolate different JS VMs. Software boundary checking doesn't cut it anymore
> and separate processes (the current solution) has overhead. This assumes that segments handling does not have
> meltdown-like vulnerabilities (which is not a given, but it seems possible to implement correctly).
>
> The kernel could use it to isolate BPF programs for example.
It's one of those things that you can always make up examples for.
And then 99.9% of all code doesn't want it, because most memory accesses by far are perfectly normal loads and stores from regular local sources with absolutely no reason to worry about data leaks.
But if you make it about security and make your architecture all about capability pointers, then all memory accesses have to be checked. So you're taking a big cost for that very rare case.
Once you notice that, you then add the "regular memory accesses" back, and make it about special checking memory ops.
So then you say that untrusted code has to be compiled with a trusted compiler, and you add the checks only to the places that the compiler determines needs it. And then you end up with most software not using it at all, because they don't believe they need it and it is too costly in performance (and it probably only worked on special microarchitectures anyway, since the architecture that tried to force it on people failed), and you're back to square one.
Just don't go down a path that is guaranteed to fail. Again. Like it did last time.
Linus
> Linus Torvalds (torvalds.delete@this.linux-foundation.org) on September 23, 2021 12:01 pm wrote:
> > The fact is, the whole notion of passing magic pointers and trying to associate random state with
> > them between two random untrusted but somehow cooperative entities is pure BS. And I claim that
> > no amount of segmentation - whatever you call it - will make it anything else.
>
> They seem useful in a post-spectre world to run potentially hostile (but otherwise memory safe) code in process,
> for example a web browser that wants to isolate different JS VMs. Software boundary checking doesn't cut it anymore
> and separate processes (the current solution) has overhead. This assumes that segments handling does not have
> meltdown-like vulnerabilities (which is not a given, but it seems possible to implement correctly).
>
> The kernel could use it to isolate BPF programs for example.
It's one of those things that you can always make up examples for.
And then 99.9% of all code doesn't want it, because most memory accesses by far are perfectly normal loads and stores from regular local sources with absolutely no reason to worry about data leaks.
But if you make it about security and make your architecture all about capability pointers, then all memory accesses have to be checked. So you're taking a big cost for that very rare case.
Once you notice that, you then add the "regular memory accesses" back, and make it about special checking memory ops.
So then you say that untrusted code has to be compiled with a trusted compiler, and you add the checks only to the places that the compiler determines needs it. And then you end up with most software not using it at all, because they don't believe they need it and it is too costly in performance (and it probably only worked on special microarchitectures anyway, since the architecture that tried to force it on people failed), and you're back to square one.
Just don't go down a path that is guaranteed to fail. Again. Like it did last time.
Linus
| Topic | Posted By | Date |
|---|---|---|
| POWER10 SAP SD benchmark | anon2 | 2021/09/06 03:36 PM |
| POWER10 SAP SD benchmark | Daniel B | 2021/09/07 02:31 AM |
| "Cores" (and SPEC) | Rayla | 2021/09/07 07:51 AM |
| "Cores" (and SPEC) | anon | 2021/09/07 03:56 PM |
| POWER10 SAP SD benchmark | Anon | 2021/09/07 03:24 PM |
| POWER10 SAP SD benchmark | Anon | 2021/09/07 03:27 PM |
| Virtually tagged L1-caches | sr | 2021/09/08 05:49 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/08 08:22 AM |
| Virtually tagged L1-caches | sr | 2021/09/08 08:56 AM |
| Virtually tagged L1-caches | Hugo Décharnes | 2021/09/08 08:58 AM |
| Virtually tagged L1-caches | sr | 2021/09/08 10:09 AM |
| Virtually tagged L1-caches | Hugo Décharnes | 2021/09/08 10:46 AM |
| Virtually tagged L1-caches | sr | 2021/09/08 11:35 AM |
| Virtually tagged L1-caches | Hugo Décharnes | 2021/09/08 12:23 PM |
| Virtually tagged L1-caches | sr | 2021/09/08 12:40 PM |
| Virtually tagged L1-caches | anon | 2021/09/09 03:16 AM |
| Virtually tagged L1-caches | Konrad Schwarz | 2021/09/10 05:19 AM |
| Virtually tagged L1-caches | Hugo Décharnes | 2021/09/10 06:59 AM |
| Virtually tagged L1-caches | anon | 2021/09/14 03:17 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/14 09:34 AM |
| Or use a PLB (NT) | Paul A. Clayton | 2021/09/14 09:45 AM |
| Or use a PLB | Linus Torvalds | 2021/09/14 03:27 PM |
| Or use a PLB | anon | 2021/09/15 12:15 AM |
| Or use a PLB | Michael S | 2021/09/15 03:21 AM |
| Or use a PLB | dmcq | 2021/09/15 03:42 PM |
| Or use a PLB | Konrad Schwarz | 2021/09/16 04:24 AM |
| Or use a PLB | Michael S | 2021/09/16 10:13 AM |
| Or use a PLB | --- | 2021/09/16 01:02 PM |
| PLB reference | Paul A. Clayton | 2021/09/18 02:35 PM |
| PLB reference | Michael S | 2021/09/18 04:14 PM |
| Demand paging/translation orthogonal | Paul A. Clayton | 2021/09/19 07:33 AM |
| Demand paging/translation orthogonal | Michael S | 2021/09/19 09:10 AM |
| PLB reference | Carson | 2021/09/20 10:19 PM |
| PLB reference | sr | 2021/09/20 06:02 AM |
| PLB reference | Michael S | 2021/09/20 07:03 AM |
| PLB reference | Linus Torvalds | 2021/09/20 12:10 PM |
| Or use a PLB | sr | 2021/09/20 04:32 AM |
| Or use a PLB | sr | 2021/09/21 09:36 AM |
| Or use a PLB | Linus Torvalds | 2021/09/21 10:04 AM |
| Or use a PLB | sr | 2021/09/21 10:48 AM |
| Or use a PLB | Linus Torvalds | 2021/09/21 01:55 PM |
| Or use a PLB | sr | 2021/09/22 06:55 AM |
| Or use a PLB | rwessel | 2021/09/22 07:09 AM |
| Or use a PLB | Linus Torvalds | 2021/09/22 11:50 AM |
| Or use a PLB | sr | 2021/09/22 01:00 PM |
| Or use a PLB | dmcq | 2021/09/22 04:07 PM |
| Or use a PLB | Etienne Lorrain | 2021/09/23 08:50 AM |
| Or use a PLB | anon2 | 2021/09/22 04:09 PM |
| Or use a PLB | dmcq | 2021/09/23 02:35 AM |
| Or use a PLB | ⚛ | 2021/09/23 09:37 AM |
| Or use a PLB | Linus Torvalds | 2021/09/23 12:01 PM |
| Or use a PLB | gpd | 2021/09/24 03:59 AM |
| Or use a PLB | Linus Torvalds | 2021/09/24 10:45 AM |
| Or use a PLB | dmcq | 2021/09/24 12:43 PM |
| Or use a PLB | sr | 2021/09/25 10:19 AM |
| Or use a PLB | Linus Torvalds | 2021/09/25 10:44 AM |
| Or use a PLB | sr | 2021/09/25 11:11 AM |
| Or use a PLB | Linus Torvalds | 2021/09/25 11:31 AM |
| Or use a PLB | sr | 2021/09/25 11:52 AM |
| Or use a PLB | Linus Torvalds | 2021/09/25 12:05 PM |
| Or use a PLB | sr | 2021/09/25 12:23 PM |
| Or use a PLB | rwessel | 2021/09/25 03:29 PM |
| Or use a PLB | sr | 2021/10/01 12:22 AM |
| Or use a PLB | rwessel | 2021/10/01 06:19 AM |
| Or use a PLB | David Hess | 2021/10/01 10:35 AM |
| Or use a PLB | rwessel | 2021/10/02 04:47 AM |
| Or use a PLB | sr | 2021/10/02 11:16 AM |
| Or use a PLB | rwessel | 2021/10/02 11:53 AM |
| Or use a PLB | Linus Torvalds | 2021/09/25 11:57 AM |
| Or use a PLB | sr | 2021/09/25 12:07 PM |
| Or use a PLB | Linus Torvalds | 2021/09/25 12:21 PM |
| Or use a PLB | sr | 2021/09/25 12:40 PM |
| Or use a PLB | nksingh | 2021/09/27 09:07 AM |
| Or use a PLB | ⚛ | 2021/09/27 09:02 AM |
| Or use a PLB | Linus Torvalds | 2021/09/27 10:20 AM |
| Or use a PLB | Linus Torvalds | 2021/09/27 12:58 PM |
| Or use a PLB | dmcq | 2021/09/28 10:59 AM |
| Or use a PLB | sr | 2021/09/25 10:34 AM |
| Or use a PLB | rwessel | 2021/09/25 03:44 PM |
| Or use a PLB | sr | 2021/10/01 01:04 AM |
| Or use a PLB | rwessel | 2021/10/01 06:33 AM |
| I386 segmentation highlights | sr | 2021/10/04 07:53 AM |
| I386 segmentation highlights | Adrian | 2021/10/04 09:53 AM |
| I386 segmentation highlights | sr | 2021/10/04 10:19 AM |
| I386 segmentation highlights | rwessel | 2021/10/04 04:57 PM |
| I386 segmentation highlights | sr | 2021/10/05 11:16 AM |
| I386 segmentation highlights | Michael S | 2021/10/05 12:27 PM |
| I386 segmentation highlights | rwessel | 2021/10/05 04:20 PM |
| Or use a PLB | JohnG | 2021/09/25 10:18 PM |
| Or use a PLB | ⚛ | 2021/09/27 07:37 AM |
| Or use a PLB | Heikki Kultala | 2021/09/28 03:53 AM |
| Or use a PLB | rwessel | 2021/09/28 07:29 AM |
| Or use a PLB | David Hess | 2021/09/23 06:00 PM |
| Or use a PLB | Adrian | 2021/09/24 01:21 AM |
| Or use a PLB | dmcq | 2021/09/25 12:41 PM |
| Or use a PLB | blaine | 2021/09/26 11:19 PM |
| Or use a PLB | David Hess | 2021/09/27 11:35 AM |
| Or use a PLB | blaine | 2021/09/27 05:19 PM |
| Or use a PLB | Adrian | 2021/09/27 10:40 PM |
| Or use a PLB | Adrian | 2021/09/27 10:59 PM |
| Or use a PLB | dmcq | 2021/09/28 07:45 AM |
| Or use a PLB | rwessel | 2021/09/28 07:45 AM |
| Or use a PLB | David Hess | 2021/09/28 12:50 PM |
| Or use a PLB | Etienne Lorrain | 2021/09/30 01:25 AM |
| Or use a PLB | David Hess | 2021/10/01 10:40 AM |
| MMU privileges | sr | 2021/09/21 11:07 AM |
| MMU privileges | Linus Torvalds | 2021/09/21 01:49 PM |
| Virtually tagged L1-caches | Konrad Schwarz | 2021/09/16 04:18 AM |
| Virtually tagged L1-caches | Carson | 2021/09/16 01:12 PM |
| Virtually tagged L1-caches | anon2 | 2021/09/16 05:16 PM |
| Virtually tagged L1-caches | rwessel | 2021/09/16 06:29 PM |
| Virtually tagged L1-caches | sr | 2021/09/20 04:20 AM |
| Virtually tagged L1-caches | --- | 2021/09/08 02:28 PM |
| Virtually tagged L1-caches | anonymou5 | 2021/09/08 08:28 PM |
| Virtually tagged L1-caches | anonymou5 | 2021/09/08 08:34 PM |
| Virtually tagged L1-caches | --- | 2021/09/09 10:14 AM |
| Virtually tagged L1-caches | anonymou5 | 2021/09/09 10:44 PM |
| Multi-threading? | David Kanter | 2021/09/09 09:32 PM |
| Multi-threading? | --- | 2021/09/10 09:19 AM |
| Virtually tagged L1-caches | sr | 2021/09/11 01:19 AM |
| Virtually tagged L1-caches | sr | 2021/09/11 01:36 AM |
| Virtually tagged L1-caches | --- | 2021/09/11 09:53 AM |
| Virtually tagged L1-caches | sr | 2021/09/12 12:43 AM |
| Virtually tagged L1-caches | Linus Torvalds | 2021/09/12 11:10 AM |
| Virtually tagged L1-caches | sr | 2021/09/12 11:57 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/13 08:31 AM |
| Virtually tagged L1-caches | sr | 2021/09/20 04:11 AM |
| Virtually tagged L1-caches | sr | 2021/09/11 02:49 AM |
| Virtually tagged L1-caches | Linus Torvalds | 2021/09/08 12:34 PM |
| Virtually tagged L1-caches | dmcq | 2021/09/09 02:46 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/09 02:58 AM |
| Virtually tagged L1-caches | sr | 2021/09/11 01:29 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/11 08:59 AM |
| Virtually tagged L1-caches | sr | 2021/09/12 12:57 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/12 08:44 AM |
| Virtually tagged L1-caches | sr | 2021/09/12 09:48 AM |
| Virtually tagged L1-caches | dmcq | 2021/09/12 01:22 PM |
| Virtually tagged L1-caches | sr | 2021/09/20 04:40 AM |
| Where do you see this information? (NT) | anon2 | 2021/09/09 02:45 AM |
| Where do you see this information? | sr | 2021/09/11 01:40 AM |
| Where do you see this information? | anon2 | 2021/09/11 01:53 AM |
| Where do you see this information? | sr | 2021/09/11 02:08 AM |
| Thank you (NT) | anon2 | 2021/09/11 04:31 PM |
