Date: Thu, 5 Apr 2018 18:59:49 +0100
From: Alan Cox
To: Matthew Garrett
Cc: Linus Torvalds, luto@kernel.org, David Howells, Ard Biesheuvel, jmorris@namei.org, Greg Kroah-Hartman, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Message-ID: <20180405185949.309216bb@alans-desktop>
References: <4136.1522452584@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk>
Organization: Intel Corporation
X-Mailing-List: linux-kernel@vger.kernel.org

> How?
> When there are random DMA-capable PCI devices that are driven by
> userland tools that are mmap()ing the BARs out of sysfs, how do we
> simultaneously avoid breaking those devices while also preventing the
> majority of users from being vulnerable to an attacker just DMAing over the
> kernel?

VT-D