From: Matthew Garrett
Date: Mon, 24 Jun 2019 12:54:00 -0700
Subject: Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
To: Daniel Borkmann
Cc: James Morris, LSM List, Linux Kernel Mailing List, Linux API, David Howells, Alexei Starovoitov, Network Development, Chun-Yi Lee, Jann Horn, bpf@vger.kernel.org
References: <20190622000358.19895-1-matthewgarrett@google.com> <20190622000358.19895-24-matthewgarrett@google.com> <739e21b5-9559-d588-3542-bf0bc81de1b2@iogearbox.net>
In-Reply-To: <739e21b5-9559-d588-3542-bf0bc81de1b2@iogearbox.net>

On Mon, Jun 24, 2019 at 8:37 AM Daniel Borkmann wrote:
>
> On 06/22/2019 02:03 AM, Matthew Garrett wrote:
> > From: David Howells
> >
> > There are some bpf functions can be used to read kernel memory:
>
> Nit: that

Fixed.

> > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
>
> Please explain how bpf_probe_write_user reads kernel memory ... ?!

Ha.

> > private keys in kernel memory (e.g. the hibernation image signing key) to
> > be read by an eBPF program and kernel memory to be altered without
>
> ... and while we're at it, also how they allow "kernel memory to be
> altered without restriction". I pointed this false statement out
> long ago.

Yup.
How's the following description:

bpf: Restrict bpf when kernel lockdown is in confidentiality mode

There are some bpf functions that can be used to read kernel memory and
exfiltrate it to userland: bpf_probe_read, bpf_probe_write_user and
bpf_trace_printk. These could be abused to (eg) allow private keys in
kernel memory to be leaked. Disable them if the kernel has been locked
down in confidentiality mode.

> This whole thing is still buggy as has been pointed out before by
> Jann. For helpers like above and few others below, error conditions
> must clear the buffer ...

Sorry, yes. My fault.
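Jann's point above (error paths must clear the buffer) and the confidentiality-mode gate, shown as an added userspace C model that is not the patch's or the kernel's own code: `sim_probe_kernel_read`, `fake_kernel_mem`, the `lockdown_mode` enum and the two helper shapes are constructed stand-ins for probe_kernel_read() and the bpf_probe_read helper. The buggy shape returns the error but leaves stale bytes in the destination for the program to read; the hardened shape zeroes it on every error and refuses outright under confidentiality lockdown.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins, not the kernel's own API: lockdown state and a fake kernel region. */
enum lockdown_mode { LOCKDOWN_NONE, LOCKDOWN_INTEGRITY, LOCKDOWN_CONFIDENTIALITY };
static const unsigned char fake_kernel_mem[32] = "constructed-secret-material";

/* Models probe_kernel_read(): 0 on success, -EFAULT on a bad address, dst untouched on error. */
static int sim_probe_kernel_read(void *dst, size_t off, size_t size)
{
    if (off > sizeof fake_kernel_mem || size > sizeof fake_kernel_mem - off)
        return -14; /* -EFAULT */
    memcpy(dst, fake_kernel_mem + off, size);
    return 0;
}

/* Buggy shape: propagates the error but leaves whatever was already in dst readable. */
static int helper_probe_read_buggy(void *dst, size_t size, size_t off)
{
    return sim_probe_kernel_read(dst, off, size);
}

/* Hardened shape: refuse under confidentiality lockdown, and clear dst on every error path. */
static int helper_probe_read_hardened(enum lockdown_mode mode, void *dst, size_t size, size_t off)
{
    int ret;
    if (mode == LOCKDOWN_CONFIDENTIALITY) {
        memset(dst, 0, size);
        return -1; /* -EPERM */
    }
    ret = sim_probe_kernel_read(dst, off, size);
    if (ret < 0)
        memset(dst, 0, size); /* a failed read must not hand stale bytes back */
    return ret;
}

/* Reads into a buffer pre-filled with 0xAA (stale data) and counts non-zero bytes left behind. */
static int stale_bytes_observed(int hardened, enum lockdown_mode mode, size_t off)
{
    unsigned char dst[16];
    int i, seen = 0;
    memset(dst, 0xAA, sizeof dst);
    if (hardened)
        helper_probe_read_hardened(mode, dst, sizeof dst, off);
    else
        helper_probe_read_buggy(dst, sizeof dst, off);
    for (i = 0; i < (int)sizeof dst; i++)
        seen += dst[i] != 0;
    return seen;
}
```

With a faulting address the buggy helper leaves all 16 stale bytes visible while the hardened one leaves none; under confidentiality lockdown the hardened helper returns nothing even for a valid address.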