From owner-freebsd-arch@freebsd.org Fri Oct 20 13:43:51 2017
Date: Fri, 20 Oct 2017 09:43:41 -0400
From: Eric McCorkle
To: "Simon J. Gerraty"
CC: freebsd-arch@freebsd.org, sjg@juniper.net
Subject: Re: boot1.efi future
In-Reply-To: <82995.1508475951@kaos.jnpr.net>
References: <44307.1508432567@kaos.jnpr.net> <56a95153-e970-990c-d3f1-453be4da7150@metricspace.net> <82995.1508475951@kaos.jnpr.net>

Keeping it short, I've got a bunch of plans in this area. I was actually planning to finish off a paper and put it up for discussion this weekend. I'll talk more about it elsewhere.

On October 20, 2017 1:05:51 AM EDT, "Simon J. Gerraty" wrote:
>Eric McCorkle wrote:
>> > I've implemented verification in the freebsd loader, along the lines
>> > previously mentioned, for us this pretty much closes the secure-boot
>> > gap - loader verifies kernel and its initial rootfs so init and etc/rc.
>> > Which then gets us to mac_veriexec.
>>
>> Do I assume correctly that this is based on the NetBSD mac-based
>> verification stuff? ie. Not the public-key crypto stuff I've talked about?
>
>I didn't want to thread-jack...
>
>I've not looked at what's in NetBSD in this area for a decade at least,
>but I ported the original veriexec from NetBSD to Junos about a dozen
>years or so ago. More recently stevek re-implemented it for FreeBSD
>10's MAC framework - the diffs (most of them anyway) have been sitting
>in phabricator for a year or so...
>
>The loader implementation shares no code with the above, but uses the
>same verification model and leverages the same signed manifests.
>Thus it retains all the flexibility of using X.509 certificate chains to
>verify the signatures on the manifests.
>
>This is very important for us, because it allows a 10 year old binary to
>verify the latest signatures - provided that the RootCA certs have not
>changed. For Junos the loader knows two RootCAs, one for RSA and one for
>ECDSA - that's all it needs.
>
>We can tolerate more limited signing methods for the loader itself, to
>fit in to various secure BIOS/boot environments, but from there we want
>all the flexibility we can get.
>
>--sjg

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
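The verification model Simon describes in the quoted text (a loader that pins only a root certificate, accepts a newer signer certificate because it chains to that root, then checks a signed manifest and the file hashes it lists) as an added example written for this page in Go with only the standard library; it is not code from the thread, from Junos or from the FreeBSD loader. The manifest line format, the certificate names, the kernel bytes and the helper names are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"; "crypto/x509/pkix"
	"fmt"; "math/big"; "strings"; "time"
)

// Verify mirrors the loader side: the signer cert must chain to the one pinned root, the manifest must verify
// under it, and each listed file must match its hash. Manifest format (assumed): "<sha256-hex> <path>" per line.
func Verify(root, signer *x509.Certificate, manifest, sig []byte, files map[string][]byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root) // the only trust anchor the verifier carries; the signer cert travels with the manifest
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil { return fmt.Errorf("untrusted signer: %w", err) }
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, manifest, sig); err != nil { return err }
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if f := strings.Fields(line); len(f) != 2 || fmt.Sprintf("%x", sha256.Sum256(files[f[1]])) != f[0] {
			return fmt.Errorf("manifest line %q: malformed, or file changed or missing", line)
		}
	}
	return nil
}

// issue makes a P-256 key and a cert for it signed by parentKey; a nil parent means self-signed (constructed helper).
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().AddDate(-1, 0, 0), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// Demo builds a root, a signer issued under it and a signed manifest over a constructed kernel, then returns
// Verify's result for the good case, for the kernel modified after signing, and for a self-signed signer that never chains to the root.
func Demo() (good, tampered, untrusted error) {
	rootKey, root := issue("Root", true, nil, nil)
	signKey, signer := issue("signer", false, root, rootKey)
	files := map[string][]byte{"/boot/kernel/kernel": []byte("constructed kernel bytes")}
	manifest := []byte(fmt.Sprintf("%x /boot/kernel/kernel\n", sha256.Sum256(files["/boot/kernel/kernel"])))
	digest := sha256.Sum256(manifest)
	sig, _ := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	good = Verify(root, signer, manifest, sig, files)
	tampered = Verify(root, signer, manifest, sig, map[string][]byte{"/boot/kernel/kernel": []byte("patched")})
	_, selfSigned := issue("signer", false, nil, nil)
	untrusted = Verify(root, selfSigned, manifest, sig, files)
	return
}
```

The verifier never sees the signer's key material ahead of time; any signer issued under the pinned root later is accepted, which is the property that lets an old loader verify new manifests as long as the root stays the same.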
From owner-freebsd-arch@freebsd.org Fri Oct 20 14:24:37 2017
Date: Fri, 20 Oct 2017 10:24:35 -0400
From: Ryan Stone
To: Bret Ketchum
Cc: "freebsd-arch@freebsd.org"
Subject: Re: PEBS support in hwpmc

On Fri, Oct 20, 2017 at 7:27 AM, Bret Ketchum wrote:
> Without this support (or a VTune subscription) understanding
> Front-End/Back-End bound applications running on Skylake/Kaby Lake
> processors will be difficult at best

I'm afraid that I don't know of any work related to PEBS in hwpmc. However, I'm curious as to why PEBS is so important on these architectures. My experience with hwpmc profiling has been that callchain information is frequently critical for understanding the performance characteristics and my understanding is that PEBS by design cannot capture that information.