Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1760629AbcLAQGt (ORCPT ); Thu, 1 Dec 2016 11:06:49 -0500 Received: from mx2.suse.de ([195.135.220.15]:49512 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754577AbcLAQGr (ORCPT ); Thu, 1 Dec 2016 11:06:47 -0500 Message-ID: <1480608404.21573.68.camel@chaos.suse> Subject: Re: [PATCH 09/39] Annotate hardware config module parameters in drivers/i2c/ From: Jean Delvare To: David Howells Cc: minyard@acm.org, linux-kernel@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Wolfram Sang , linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-i2c@vger.kernel.org Date: Thu, 01 Dec 2016 17:06:44 +0100 In-Reply-To: <23573.1480601572@warthog.procyon.org.uk> References: <1480600052.21573.60.camel@chaos.suse> <148059537897.31612.9461043954611464597.stgit@warthog.procyon.org.uk> <148059544784.31612.17605303556663485588.stgit@warthog.procyon.org.uk> <23573.1480601572@warthog.procyon.org.uk> Organization: Suse Linux Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1982 Lines: 47 On jeu., 2016-12-01 at 14:12 +0000, David Howells wrote: > Jean Delvare wrote: > > > > Note that we do still need to do the module initialisation because some > > > drivers have viable defaults set in case parameters aren't specified and > > > some drivers support automatic configuration (e.g. PNP or PCI) in addition > > > to manually coded parameters. > > > > Initializing the driver when you are not able to honor the user request > > looks wrong to me. I don't see how some drivers having sane defaults > > justifies that. Using the defaults when no parameters are passed is one > > thing (good), still using the defaults when parameters are passed is > > another (bad), and you should be able to differentiate between these two > > cases. > > Corey Minyard argues the other way: > > This would prevent any IPMI interface from working if any address was > given on the kernel command line. I'm not sure what the best policy > is, but that sounds like a possible DOS to me. > > Your preference allows someone to prevent a driver from initialising - which > could also be bad. The problem is that I don't think there's any way to do > both. I'm not sure what is your threat model, but I'm afraid that if the attacker can change the kernel command line, he/she has so many ways to screw up the machine, that removing one won't make a difference. >> (...) > > And maybe the following ones, but I'm not sure if forcibly enabling a > > device is part of what you need to prevent: > > > > i2c-piix4.c:module_param (force, int, 0); > > i2c-sis630.c:module_param(force, bool, 0); > > i2c-viapro.c:module_param(force, bool, 0); > > I don't know either. One could argue it *should* be locked down because its > need appears to reflect a BIOS bug. Indeed. OTOH if you remove all kernel code that is there solely due to BIOS bugs, then you can rename Secure Boot to No Boot. Well that's certainly one way to be secure ;-) -- Jean Delvare SUSE L3 Support