tunables: Add IFUNC selection and cache sizes
Commit Message
On Wed, Jun 21, 2017 at 5:44 AM, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
> On Wednesday 21 June 2017 05:55 PM, H.J. Lu wrote:
>>> Why do you need these to be inherited by children of setuid processes?
>>> If not, then you should remove the SXID_IGNORE and let the default (i.e.
>>> SXID_ERASE) prevail so that setuid processes and their children do not
>>> see these tunables.
>>
>> I want to be conservative. The default ones should be good for 99.9%
>> of applications.
>
> The conservative (in terms of security) should be the default, i.e.
> disallow envvars to be read across setxid boundaries. If an escalation
> of privileges is required, there should be a specifically stated reason
> to do so. The current envvars need a thorough analysis too to figure
> out if they need to be read across setxid boundaries.
Done.
>>> Also you've specified these as size_t but the values seem to get stored
>>> in long int. Please fix them.
>>
>> tunables supports:
>>
>> TUNABLE_TYPE_INT_32,
>> TUNABLE_TYPE_UINT_64,
>> TUNABLE_TYPE_SIZE_T,
>> TUNABLE_TYPE_STRING
>>
>> There is no long and on x86, long == size_t:
>>
>> [hjl@gnu-tools-1 tmp]$ cat f.c
>> #include <unistd.h>
>>
>> int x [(sizeof (size_t) == sizeof (long)) ? 1 : -1];
>> [hjl@gnu-tools-1 tmp]$ gcc -S f.c -m64
>> [hjl@gnu-tools-1 tmp]$ gcc -S f.c -m32
>> [hjl@gnu-tools-1 tmp]$ gcc -S f.c -mx32
>> [hjl@gnu-tools-1 tmp]$
>
> Sure, but one is signed and the other isn't, which messes with
> validation of the tunable. If long is what you need, you could add
> ssize_t, but I don't see why the sizes should be negative. It seems
> like instead of making the tunables signed, you should be making the
> caches unsigned.
Done.
>> On x86, there are CPU features, like SSE, AVX, ... and ARCH features,
>> like slow bsf. X86 tunables allow users to disable AVX and slow bsf.
>> They don't change any CPU names.
>
> Ah OK then you're right, all of those should be hwcaps too and go into
> x86 - I thought you were suggesting something like the mtune options,
> i.e. corei7. I'll add the glibc.tune.cpu myself.
>
The supported x86 platforms are listed in sysdeps/x86/dl-procinfo.c.
x86 tunables will influence setting of dl_platform, which shouldn't be set
arbitrarily.
>>> Since #name is going to be a constant string, you could just use the
>>> is_name from dl-tunables.c. Just pull it out into dl-tunables.h as a
>>> static inline.
>>
>> memcmp is used elsewhere in ld.so and it is much faster than
>> is_name in dl-tunables.c. I prefer to keep memcmp here.
>
> Fair enough.
>
I am testing this patch. OK for master if there are no regressions?
Comments
On Wednesday 21 June 2017 06:56 PM, H.J. Lu wrote:
> I am testing this patch. OK for master if there are no regressions?
>
Looks OK to me with one comment change which I missed the last time:
> Since all CPU/ARCH features are hardware optimizations without
> security implication, except for Prefer_MAP_32BIT_EXEC, which can
> - only be disabled, we check GLIBC_IFUNC for programs, including
> + only be disabled, we check glibc.tune.hwcaps for programs, including
> set*id ones.
This block is no longer valid since the tunables are not read for setxid
binaries. If you want to make a case for hwcaps to be read in setxid
binaries, then it should be made along with hwcap_mask since they're
essentially the same feature for different machines.
Siddhesh
From a724bae730245fe77bdd7ad280f24fbc00debe82 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Wed, 21 Jun 2017 05:38:03 -0700
Subject: [PATCH] x86: Rename glibc.tune.ifunc to glibc.tune.hwcaps
Rename glibc.tune.ifunc to glibc.tune.hwcaps and move it to
sysdeps/x86/dl-tunables.list since it is x86 specific. Also
change type of data_cache_size, data_cache_size and
non_temporal_threshold to unsigned long int to match size_t.
Remove usage of DEFAULT_STRLEN from cpu-tunables.c.
* elf/dl-tunables.list (glibc.tune.ifunc): Removed.
* sysdeps/x86/dl-tunables.list (glibc.tune.hwcaps): New.
Remove security_level on all fields.
* manual/tunables.texi: Replace ifunc with hwcaps.
* sysdeps/x86/cpu-features.c (TUNABLE_CALLBACK (set_ifunc)):
Renamed to ..
(TUNABLE_CALLBACK (set_hwcaps)): This.
(init_cpu_features): Updated.
* sysdeps/x86/cpu-features.h (cpu_features): Change type of
data_cache_size, data_cache_size and non_temporal_threshold to
unsigned long int.
* sysdeps/x86/cpu-tunables.c (DEFAULT_STRLEN): Removed.
(TUNABLE_CALLBACK (set_ifunc)): Renamed to ...
(TUNABLE_CALLBACK (set_hwcaps)): This. Update comments. Don't
use DEFAULT_STRLEN.
---
elf/dl-tunables.list | 4 ----
manual/tunables.texi | 8 ++++----
sysdeps/x86/cpu-features.c | 4 ++--
sysdeps/x86/cpu-features.h | 6 +++---
sysdeps/x86/cpu-tunables.c | 28 +++++++++++++---------------
sysdeps/x86/dl-tunables.list | 6 +++---
6 files changed, 25 insertions(+), 31 deletions(-)
@@ -83,9 +83,5 @@ glibc {
env_alias: LD_HWCAP_MASK
default: HWCAP_IMPORTANT
}
- ifunc {
- type: STRING
- security_level: SXID_IGNORE
- }
}
}
@@ -198,8 +198,8 @@ is 8 times the number of cores online.
@cindex hardware capability tunables
@cindex hwcap tunables
@cindex tunables, hwcap
-@cindex ifunc tunables
-@cindex tunables, ifunc
+@cindex hwcaps tunables
+@cindex tunables, hwcaps
@cindex data_cache_size tunables
@cindex tunables, data_cache_size
@cindex shared_cache_size tunables
@@ -222,8 +222,8 @@ extensions available in the processor at runtime for some architectures. The
capabilities at runtime, thus disabling use of those extensions.
@end deftp
-@deftp Tunable glibc.tune.ifunc
-The @code{glibc.tune.ifunc=-xxx,yyy,-zzz...} tunable allows the user to
+@deftp Tunable glibc.tune.hwcaps
+The @code{glibc.tune.hwcaps=-xxx,yyy,-zzz...} tunable allows the user to
enable CPU/ARCH feature @code{yyy}, disable CPU/ARCH feature @code{xxx}
and @code{zzz} where the feature name is case-sensitive and has to match
the ones in @code{sysdeps/x86/cpu-features.h}.
@@ -25,7 +25,7 @@
# include <unistd.h> /* Get STDOUT_FILENO for _dl_printf. */
# include <elf/dl-tunables.h>
-extern void TUNABLE_CALLBACK (set_ifunc) (tunable_val_t *)
+extern void TUNABLE_CALLBACK (set_hwcaps) (tunable_val_t *)
attribute_hidden;
#endif
@@ -322,7 +322,7 @@ no_cpuid:
cpu_features->kind = kind;
#if HAVE_TUNABLES
- TUNABLE_GET (ifunc, tunable_val_t *, TUNABLE_CALLBACK (set_ifunc));
+ TUNABLE_GET (hwcaps, tunable_val_t *, TUNABLE_CALLBACK (set_hwcaps));
cpu_features->non_temporal_threshold
= TUNABLE_GET (x86_non_temporal_threshold, long int, NULL);
cpu_features->data_cache_size
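Review bot: the unchanged context line "= TUNABLE_GET (x86_non_temporal_threshold, long int, NULL);" still reads the tunable as long int, while this patch changes cpu_features->non_temporal_threshold to unsigned long int and the tunable is declared SIZE_T in sysdeps/x86/dl-tunables.list. Suggest changing the type argument here to match, and checking the TUNABLE_GET calls for the two cache sizes that follow for the same mismatch, so the signed/unsigned problem raised in the thread is not left at the read site.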
@@ -217,12 +217,12 @@ struct cpu_features
unsigned int feature[FEATURE_INDEX_MAX];
/* Data cache size for use in memory and string routines, typically
L1 size. */
- long int data_cache_size;
+ unsigned long int data_cache_size;
/* Shared cache size for use in memory and string routines, typically
L2 or L3 size. */
- long int shared_cache_size;
+ unsigned long int shared_cache_size;
/* Threshold to use non temporal store. */
- long int non_temporal_threshold;
+ unsigned long int non_temporal_threshold;
};
/* Used from outside of glibc to get access to the CPU features
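Review bot: the commit message and ChangeLog entry name "data_cache_size, data_cache_size and non_temporal_threshold", but the three fields changed in this hunk are data_cache_size, shared_cache_size and non_temporal_threshold; the second name should read shared_cache_size in both places. Since the fields become unsigned, any existing code that compares them against signed values or tests them for being negative or <= 0 should be checked as part of this change, because those tests change meaning with an unsigned type.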
@@ -31,16 +31,12 @@
# if defined USE_MULTIARCH && !defined SHARED
# ifdef __x86_64__
# define DEFAULT_MEMCMP __memcmp_sse2
-# define DEFAULT_STRLEN __strlen_sse2
# else
# define DEFAULT_MEMCMP __memcmp_ia32
-# define DEFAULT_STRLEN strlen
# endif
extern __typeof (memcmp) DEFAULT_MEMCMP;
-extern __typeof (strlen) DEFAULT_STRLEN;
# else
# define DEFAULT_MEMCMP memcmp
-# define DEFAULT_STRLEN strlen
# endif
# define CHECK_GLIBC_IFUNC_CPU_OFF(f, cpu_features, name, len) \
@@ -112,22 +108,25 @@ extern __typeof (strlen) DEFAULT_STRLEN;
attribute_hidden
void
-TUNABLE_CALLBACK (set_ifunc) (tunable_val_t *valp)
+TUNABLE_CALLBACK (set_hwcaps) (tunable_val_t *valp)
{
/* The current IFUNC selection is based on microbenchmarks in glibc.
It should give the best performance for most workloads. But other
choices may have better performance for a particular workload or on
the hardware which wasn't available when the selection was made.
- The environment variable, GLIBC_IFUNC=-xxx,yyy,-zzz...., can be
- used to enable CPU/ARCH feature yyy, disable CPU/ARCH feature yyy
- and zzz, where the feature name is case-sensitive and has to match
- the ones in cpu-features.h. It can be used by glibc developers to
- tune for a new processor or override the IFUNC selection to improve
- performance for a particular workload.
+ The environment variable:
+
+ GLIBC_TUNABLES=glibc.tune.hwcaps=-xxx,yyy,-zzz,....
+
+ can be used to enable CPU/ARCH feature yyy, disable CPU/ARCH feature
+ yyy and zzz, where the feature name is case-sensitive and has to
+ match the ones in cpu-features.h. It can be used by glibc developers
+ to tune for a new processor or override the IFUNC selection to
+ improve performance for a particular workload.
Since all CPU/ARCH features are hardware optimizations without
security implication, except for Prefer_MAP_32BIT_EXEC, which can
- only be disabled, we check GLIBC_IFUNC for programs, including
+ only be disabled, we check glibc.tune.hwcaps for programs, including
set*id ones.
NOTE: the IFUNC selection may change over time. Please check all
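Review bot: the paragraph ending "we check glibc.tune.hwcaps for programs, including set*id ones" contradicts the rest of the patch, because the hwcaps entry added to sysdeps/x86/dl-tunables.list carries no security_level and so, per the thread, falls back to the default SXID_ERASE and is not read by setxid programs. Suggest deleting the paragraph or rewriting it to say the tunable is ignored for set*id programs. The rewritten text above it also carries over a typo: "disable CPU/ARCH feature yyy and zzz" should read "disable CPU/ARCH feature xxx and zzz", as manual/tunables.texi has it.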
@@ -135,7 +134,6 @@ TUNABLE_CALLBACK (set_ifunc) (tunable_val_t *valp)
const char *p = valp->strval;
struct cpu_features *cpu_features = &GLRO(dl_x86_cpu_features);
- const char *end = p + DEFAULT_STRLEN (p);
size_t len;
do
@@ -145,7 +143,7 @@ TUNABLE_CALLBACK (set_ifunc) (tunable_val_t *valp)
size_t nl;
for (c = p; *c != ','; c++)
- if (c >= end)
+ if (*c == '\0')
break;
len = c - p;
@@ -325,6 +323,6 @@ TUNABLE_CALLBACK (set_ifunc) (tunable_val_t *valp)
}
p += len + 1;
}
- while (p < end);
+ while (*p != '\0');
}
#endif
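Review bot: "while (*p != '\0')" is evaluated after "p += len + 1", so on the last token, where the inner loop stopped with c on the terminating NUL and len = c - p, p has already stepped one byte past the terminator and the condition reads outside the string. The old "p < end" test stopped at that point; the new one dereferences the byte after the NUL and, if it is non-zero, keeps parsing whatever follows the tunable value in memory. Suggest testing the delimiter that ended the token instead, for example by keeping c in scope for the loop condition and using "while (*c != '\0')", or by advancing p past the separator only when *c is ','.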
@@ -18,17 +18,17 @@
glibc {
tune {
+ hwcaps {
+ type: STRING
+ }
x86_non_temporal_threshold {
type: SIZE_T
- security_level: SXID_IGNORE
}
x86_data_cache_size {
type: SIZE_T
- security_level: SXID_IGNORE
}
x86_shared_cache_size {
type: SIZE_T
- security_level: SXID_IGNORE
}
}
}
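Review bot: with security_level dropped from all four entries, they rely on the implicit default (SXID_ERASE, per the thread), and nothing in this file records that the omission is deliberate. A short comment above the tune block stating that these tunables are intentionally not honoured across setxid boundaries would keep a later change from reintroducing SXID_IGNORE without the analysis asked for in the review.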
--
2.9.4