Date: Wed, 3 Feb 2021 09:16:10 -0800
From: Ben Widawsky
To: Dan Williams
Cc: Konrad Rzeszutek Wilk, linux-cxl@vger.kernel.org, Linux ACPI, Linux Kernel Mailing List, linux-nvdimm, Linux PCI, Bjorn Helgaas, Chris Browy, Christoph Hellwig, Ira Weiny, Jon Masters, Jonathan Cameron, Rafael Wysocki, Randy Dunlap, Vishal Verma, daniel.lll@alibaba-inc.com, "John
Groves (jgroves)", "Kelley, Sean V"
Subject: Re: [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h)
Message-ID: <20210203171610.2y2x4krijol5dvkk@intel.com>
References: <20210130002438.1872527-1-ben.widawsky@intel.com>
 <20210130002438.1872527-14-ben.widawsky@intel.com>
 <20210201182848.GL197521@fedora>
 <20210202235103.v36v3znh5tsi4g5x@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 21-02-02 15:57:03, Dan Williams wrote:
> On Tue, Feb 2, 2021 at 3:51 PM Ben Widawsky wrote:
> >
> > On 21-02-01 13:28:48, Konrad Rzeszutek Wilk wrote:
> > > On Fri, Jan 29, 2021 at 04:24:37PM -0800, Ben Widawsky wrote:
> > > > The Get Log command returns the actual log entries that are advertised
> > > > via the Get Supported Logs command (0400h). CXL device logs are selected
> > > > by UUID which is part of the CXL spec. Because the driver tries to
> > > > sanitize what is sent to hardware, there becomes a need to restrict the
> > > > types of logs which can be accessed by userspace. For example, the
> > > > vendor specific log might only be consumable by proprietary, or offline
> > > > applications, and therefore a good candidate for userspace.
> > > >
> > > > The current driver infrastructure does allow basic validation for all
> > > > commands, but doesn't inspect any of the payload data. Along with Get
> > > > Log support comes new infrastructure to add a hook for payload
> > > > validation. This infrastructure is used to filter out the CEL UUID,
> > > > which the userspace driver doesn't have business knowing, and taints on
> > > > invalid UUIDs being sent to hardware.
> > >
> > > Perhaps a better option is to reject invalid UUIDs?
> > >
> > > And if you really really want to use invalid UUIDs then:
> > >
> > > 1) Make that code wrapped in CONFIG_CXL_DEBUG_THIS_IS_GOING_TO..?
> > >
> > > 2) Wrap it with lockdown code so that you can't do this at all
> > >    when in LOCKDOWN_INTEGRITY or such?
> > >
> >
> > The commit message needs update btw as CEL is allowed in the latest rev of the
> > patches.
> >
> > We could potentially combine this with the now added (in a branch) CONFIG_RAW
> > config option. Indeed I think that makes sense. Dan, thoughts?
>
> Yeah, unknown UUIDs blocking is the same risk as raw commands as a
> vendor can trigger any behavior they want. A "CONFIG_RAW depends on
> !CONFIG_INTEGRITY" policy sounds reasonable as well.

What about LOCKDOWN_NONE though? I think we need something runtime for this.

Can we summarize the CONFIG options here?

CXL_MEM_INSECURE_DEBUG // no change
CXL_MEM_RAW_COMMANDS // if !security_locked_down(LOCKDOWN_NONE)

bool cxl_unsafe()
{
#ifndef CXL_MEM_RAW_COMMANDS
	return false;
#else
	return !security_locked_down(LOCKDOWN_NONE);
#endif
}

---

Did I get that right?
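Added example, not code from the patch series or from anyone in this thread: a user-space C model of the policy being discussed, gating a raw command path on a build-time option (standing in for the proposed CONFIG option) and on the runtime kernel lockdown level (Konrad's "wrap it with lockdown code" suggestion). The lockdown comparison is modelled on the kernel's lockdown LSM semantics as I understand them: an operation is refused once the current lockdown level is at or above the reason passed in, so the reason must name the level at which refusal should begin. Every identifier here (MODEL_RAW_COMMANDS, model_locked_down, the enum values) is an assumption for the model, not the CXL driver's or the kernel's own.

```c
/*
 * User-space model of "raw commands need a build option AND must be off
 * under lockdown". Not the CXL driver's code; names are constructed.
 */
#include <stdbool.h>
#include <stdio.h>

/* Build-time switch standing in for a Kconfig option. Compile with
 * -DMODEL_RAW_COMMANDS=0 to model a kernel built without it. */
#ifndef MODEL_RAW_COMMANDS
#define MODEL_RAW_COMMANDS 1
#endif

/* Lockdown levels in the order the kernel orders them:
 * none < integrity < confidentiality. Constructed for this model. */
enum lockdown_level {
	LD_NONE = 0,
	LD_INTEGRITY,
	LD_CONFIDENTIALITY,
};

/* Runtime state: the lockdown level this model "kernel" is in. A real
 * kernel sets it at boot or later via securityfs and only ever raises it. */
static enum lockdown_level current_level = LD_NONE;

/* Raise the lockdown level; lowering is refused, as in the kernel. */
void model_set_lockdown(enum lockdown_level level)
{
	if (level > current_level)
		current_level = level;
}

/*
 * Model of security_locked_down(): nonzero (refused) when the current
 * level is at or above the level the caller asks about. Asking about
 * LD_NONE is therefore always refused in this model, which is why the
 * argument must be the level at which the operation should start being
 * denied, not the level at which it is still fine.
 */
int model_locked_down(enum lockdown_level what)
{
	return current_level >= what ? -1 : 0;
}

/*
 * Combined policy: raw commands require the build option, and even with
 * it are refused once the kernel is in integrity lockdown or stricter.
 */
bool raw_commands_allowed(void)
{
	if (!MODEL_RAW_COMMANDS)
		return false;
	if (model_locked_down(LD_INTEGRITY))
		return false;
	return true;
}

int main(void)
{
	printf("lockdown none:            raw %s\n",
	       raw_commands_allowed() ? "allowed" : "refused");
	model_set_lockdown(LD_INTEGRITY);
	printf("lockdown integrity:       raw %s\n",
	       raw_commands_allowed() ? "allowed" : "refused");
	model_set_lockdown(LD_CONFIDENTIALITY);
	printf("lockdown confidentiality: raw %s\n",
	       raw_commands_allowed() ? "allowed" : "refused");
	return 0;
}
```

Building with -DMODEL_RAW_COMMANDS=0 makes raw_commands_allowed() return false regardless of lockdown state, which is the build-time half of the policy; the runtime half is the LD_INTEGRITY check, which starts refusing as soon as the level is raised to integrity.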