Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752419AbdFSW2S (ORCPT <rfc822;w@1wt.eu>);
        Mon, 19 Jun 2017 18:28:18 -0400
Received: from cavan.codon.org.uk ([93.93.128.6]:54472 "EHLO
        cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751022AbdFSW2R (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Jun 2017 18:28:17 -0400
X-Greylist: delayed 3841 seconds by postgrey-1.27 at vger.kernel.org; Mon, 19 Jun 2017 18:28:17 EDT
Date: Mon, 19 Jun 2017 22:24:01 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Darren Hart <dvhart@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Mario Limonciello <mario_limonciello@dell.com>,
        Pali =?iso-8859-1?Q?Roh=E1r?= <pali.rohar@gmail.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        Rafael Wysocki <rjw@rjwysocki.net>,
        Andy Lutomirski <luto@amacapital.net>,
        LKML <linux-kernel@vger.kernel.org>,
        platform-driver-x86@vger.kernel.org
Subject: Re: WMI and Kernel:User interface
Message-ID: <20170619212401.GA11774@srcf.ucam.org>
References: <20170509231639.GB11404@fury>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170509231639.GB11404@fury>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: mjg59@cavan.codon.org.uk
X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1357
Lines: 24

On Tue, May 09, 2017 at 04:16:39PM -0700, Darren Hart wrote:

> To address this, I have proposed [3] that exporting WMI be opt-in, only done at
> the request of and in collaboration with a vendor, with the kernel platform
> driver given the opportunity to filter requests. This filtering would need to be
> at the method and argument inspection level, such as checking for specific bits
> in the input buffer, and rejecting the request if they conflict with an in
> kernel usage (that's worst case, in some cases just GUID or method ID could be
> sufficient).

WMI calls generally end up triggering system management mode, and SMM is 
a mess of insecure code. People have been putting extensive effort into 
avoiding mechanisms that allow root to escalate to higher privilege 
levels - this is almost certainly the opposite of that. If the filtering 
is sufficient to guarantee that no invalid input will ever hit the 
firmware then that's not a problem, but that doesn't seem meaningfully 
less complicated than just writing a proper driver in the first place.

As things stand, I think this is functionality that would have to be 
disabled by the lockdown patchset, which means that it's functionality 
that wouldn't exist for the majority of non-server platforms (and an 
increasing number of server platforms).
-- 
Matthew Garrett | mjg59@srcf.ucam.org