Open Bug 1566191 Opened 5 years ago Updated 3 years ago

[meta] track not decoding certificate information in the content process(es)

Categories

(Core :: Security: PSM, task, P3)

Product:
Core
Component:
Security: PSM
Type:
task

Tracking

()

Project Flags:
Fission Milestone Future

People

(Reporter: Gijs, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: [MemShrink:P2][psm-tracking])

Attachments

(8 obsolete files)

Per the discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1559878#c17, it seems that we currently decode certificates in both the parent and the child.

Off-hand, it's not entirely clear to me (or, afaict, Dana or JC) why the child would care about this information (except maaaaybe error pages, but they could have their own mechanism when we actually want the data, most of which is normally behind an expander anyway). Although we still need NSS for webcrypto, not decoding certs would potentially let us avoid:

  • loading NSS in the child until/unless there's an actual webcrypto call
  • using memory to do cert bookkeeping in the child
  • spending CPU decoding certs for every network connection

Where we do need decoded cert information, we could send for the information from the parent.

We don't currently have a good grasp of the potential memory/CPU savings here. Dana, on slack you said changing PSM to not create cert objects in the content process should be fairly straightforward; could you point to where such a change would want to be made?

Eric/Kris, is this something that you'd consider for memshrink efforts?

Flags: needinfo?(erahm)
Flags: needinfo?(dkeeler)

First step would be to update nsNSSCertificate and nsNSSCertList to have the default restriction of ParentProcessOnly here: https://searchfox.org/mozilla-central/rev/07f7390618692fa4f2a674a96b9b677df3a13450/security/manager/ssl/nsNSSModule.cpp#134 and see what breaks. If we're really lucky, nothing will. If we're slightly less lucky, we might have to bring back child-process-specific implementations of those two classes that stub out all of the functionality and just implement ::Read and ::Write (where ::Read won't actually create a certificate - it'll read and save the bytes of the certificate until ::Write gets called). If we're even less lucky, we'll have to take a closer look at what needs to change.

Flags: needinfo?(dkeeler)

Just from a binary perspective we're looking at something like 20K per process for unshared lib data (.data + .bss + .data.rel.ro) on Linux. That doesn't include anything that gets allocated during NSS initialization. We've also seen issues with loading the cert store (it's not clear to me if we'd avoid that here) that showed several megabytes of data being loaded by rkvstore (bug 1538093).

So yes, from a MemShrink perspective I'd give this a thumbs up.

Flags: needinfo?(erahm)
Priority: -- → P2
Whiteboard: [fxperf][memshrink][qf] → [fxperf][memshrink][qf][psm-backlog]

(In reply to Eric Rahm [:erahm] from comment #2)

Just from a binary perspective we're looking at something like 20K per process for unshared lib data (.data + .bss + .data.rel.ro) on Linux.

I doubt we're going to be able to improve that part. Even if we don't initialize NSS in every child process, we're still going to need to load it. We use way too many NSS symbols in way too many places to try to load it dynamically.

It would be good to know how much memory we can save by just not initializing it, though.

Whiteboard: [fxperf][memshrink][qf][psm-backlog] → [fxperf][memshrink][qf:p1:pageload][psm-backlog]
Whiteboard: [fxperf][memshrink][qf:p1:pageload][psm-backlog] → [memshrink][qf:p1:pageload][psm-backlog]
Assignee: nobody → sefeng
Blocks: memshrink-content
Whiteboard: [memshrink][qf:p1:pageload][psm-backlog] → [MemShrink:P2][qf:p1:pageload][psm-backlog]

Thanks Dana for the help, these are some updates to the bug.

Simply changing nsNSSCertificate and nsNSSCertList to be parent process only won't work because some code in content processes require nsITransportSecurityInfo to exist to check some of the properties, for example here would use mState and here requires the entire certificate to be existed.

As the next step, what I am currently working is instead of decoding the certificate and doing all the validity checks in the content process, we keep the certificate encoded in raw bytes and make the parent process to check all the validity.

Depends on D43267

Attachment #9087773 - Attachment is obsolete: true
Attachment #9087771 - Attachment is obsolete: true

Depends on D43494

Depends on D43495

Depends on D43496

Depends on D43497

Attachment #9088232 - Attachment description: Bug 1566191 - Remove nsNSSCertList/nsIX509CertList and update helper functions → Bug 1566191 - Remove nsNSSCertList/nsIX509CertList
Attachment #9088233 - Attachment description: Bug 1566191 - Convert getCerts, loadCertsFromCache and asPKCS7Blob → Bug 1566191 - Update some APIs to adapt new certList format
Attachment #9088234 - Attachment description: Bug 1566191 - Convert cert chains to use nsTArray<nsIX509Cert> → Bug 1566191 - Update certChains to use nsTArray<nsIX509Cert>
Attachment #9088236 - Attachment description: Bug 1566191 - Remove nsIX509CertList from PublicKeyPinningService → Bug 1566191 - Remove nsIX509CertList from some ssl services
Attachment #9088235 - Attachment description: Bug 1566191 - Remove nsIX509CertList From reputationservice → Bug 1566191 - Update signatureInfo to Array of Array of Bytes
Depends on: 1577836

The signatureInfo that has been used in ExternalHelperAppService and
ReputationService has been stored Array of nsIX509CertList, which
isn't necessary because only the raw bytes of the certs are required.
This patch intends to remove the usage of nsIX509CertList and store
the raw bytes directly.

Depends on D44242

Attachment #9088232 - Attachment is obsolete: true
Attachment #9088235 - Attachment is obsolete: true
Attachment #9088236 - Attachment is obsolete: true
Attachment #9088234 - Attachment is obsolete: true
Attachment #9088233 - Attachment is obsolete: true
Attachment #9089498 - Attachment description: Bug 1566191 - Update signatureInfo to Array of Array of Bytes → Bug 1566191 - Update signatureInfo to Array of Array of Bytes r=keeler

Comment on attachment 9089498 [details]
Bug 1566191 - Update signatureInfo to Array of Array of Bytes r=keeler

Revision D44243 was moved to bug 1577836. Setting attachment 9089498 [details] to obsolete.

Attachment #9089498 - Attachment is obsolete: true

Work in progress but targeting 72.

status-firefox70: affectedwontfix
status-firefox71: --- → affected
Depends on: 1580304
No longer depends on: 1577836
Assignee: sefeng → nobody
Blocks: 1513458
Priority: P2 → P3
Summary: Consider not decoding certificate information in the content process(es) → [meta] track not decoding certificate information in the content process(es)
Whiteboard: [MemShrink:P2][qf:p1:pageload][psm-backlog] → [MemShrink:P2][qf:p1:pageload][psm-tracking]
Whiteboard: [MemShrink:P2][qf:p1:pageload][psm-tracking] → [MemShrink:P2][psm-tracking]

The Fission team would like to fix this bug before we ship Fission MVP. We want to avoid loading NSS in content processes because, IIUC, we shouldn't need to read certs in content process.

Severity: normal → N/A
Fission Milestone: --- → M7a
See Also: → 1708488

I believe Randell said (during Fission bug triage today) that he would be able to do this himself.

Assignee: nobody → rjesup
Status: NEW → ASSIGNED

BTW, the memory hit I see for NSS init in Content Processes (right after RecvConstructBrowser) is ~1.5MB -- a LOT in fission

Note that NSS is responsible for more than just certificates. For instance, hashing data generally requires NSS (except when using rust) and webcrypto heavily relies on NSS. It would be great to separate those parts of NSS and make them statically available, but that would be a significant amount of work.

Fission Milestone: M7a → MVP

This work doesn't need to block Fission MVP, so moving to Fission Milestone Future.

Fission Milestone: MVP → Future
status-firefox70: wontfix → ---
status-firefox71: affected → ---
Assignee: rjesup → nobody
Status: ASSIGNED → NEW
See Also: → 1710869
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: