Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp593288pxb; Wed, 3 Feb 2021 12:33:47 -0800 (PST) X-Google-Smtp-Source: ABdhPJyGlpNzSe4xAGGdym3bt5clW3SEXFtHycPnYHAT1vMcLmiBlf8YfonUis8YnddsS8z3SNwj X-Received: by 2002:a50:baaa:: with SMTP id x39mr4962327ede.37.1612384427464; Wed, 03 Feb 2021 12:33:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612384427; cv=none; d=google.com; s=arc-20160816; b=cPHeMHVUCb2o0eqvcGiSrFYAv1HNM/al9ymZyKdoSEufSl93vV2xeIiKNIMeGUn9TK rLfQEc4i6KIGZUlhS5yVIQAz73WbHutNCehk+bKy6JYTjRwy33gIehx3FSfvWlCNpcbU FVL1GQsPPa1m4apstZcdzDbdT8cB10CHfKTIPtl0t1NoLYMxQmeTVgdYVr81BdfDw4rG sxrTfYuk720MCty2+uWZRqaZ48g9J6jb92QgN2MfoignpwszlBnYPuCGrH74q7Gnj/XC FmYj3dFObfPm/YkLDosNlJW9K5QL2JzTWmIx1L/JgezCwB28VPcFqtB1Tf3t1qRlASlz pe6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=GCeEh1pG9896/MM4fasuikkjXXaTHWUxAsa3KXwRezg=; b=sO5srbnmSPXv1Ull4c2UTBc+GI1x1iAIGBDBW8P7elo5pCNTLZLfzcbtWQbDtqG4Ul KzNSvxOKu1xppz1WJfv1oF5cmGdUpkK2R67Cwd2FGtpxmUqvfUZRYofQAVy2VX/Amln5 s77G/5gLTQapSadV5Afde/E30iriiz5jTbxhPV9gdNUwqsIyHwY0Y9hixoI2qiFXsuYx AYFOD5FJ/Ivdg3l0RoBNHxK4ZrD6w/OmEh6jYu6yh+RJOWBH9ujHmahG5FcDRtQYUj3i vbJxTYUG+Z0bTlsc9G9lJvBp4r5jJURbubMrTYCaDpv5FklijOyflkjq4vLE5zYlrb8U 0vAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=0La1d6qX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e17si1806973ejr.533.2021.02.03.12.33.22; Wed, 03 Feb 2021 12:33:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=0La1d6qX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232133AbhBCUbr (ORCPT + 99 others); Wed, 3 Feb 2021 15:31:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232120AbhBCUbm (ORCPT ); Wed, 3 Feb 2021 15:31:42 -0500 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A1EAC061786 for ; Wed, 3 Feb 2021 12:31:02 -0800 (PST) Received: by mail-ed1-x52a.google.com with SMTP id df22so1300176edb.1 for ; Wed, 03 Feb 2021 12:31:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GCeEh1pG9896/MM4fasuikkjXXaTHWUxAsa3KXwRezg=; b=0La1d6qXruA5buPCLrkx5wbivEiT7/HFmGaUOllSjEMKIyQT9YVkp1RQEyMBYcFT2/ +Kqv/viUAlMZvMfoMaSpScFMhafTkNCzp07TbEq4BLcp04KfpEd1ziNwQVX0Fo7A8zJV csKmRJkMMTBamkqcaMqmV6AV9LHxqpR4K354UTNIs41/nuBY0DFZ+9aX52TWwswXT021 w5MNoWWPkfRekOFqFP5H8xMSwU5k+xYvcrbB78E31fgGt7B3S/G+nTkTUHZvKbYen+7H crT6Gxmq5B69swVwabSJtB9IA5JlUEtmWqc5gKHfQ9URxAxbHzgkL5QXKsK7fkRloi39 fCyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GCeEh1pG9896/MM4fasuikkjXXaTHWUxAsa3KXwRezg=; b=LOPBEfbsoddWjeE0qqChs/lIC84cPLd959n6o3f5AjjQSI6uwEqYfqBc7zX3g7pem5 5AnlAvWLLBCKoQCZlaCKH4cwWuopjwb4IQ2So06hcIzTDCpQRKBcVcnFOxKQJEiFK3l3 8quqJo/9kiAogjSYshuWZJOWsLlo1Z/MoYy5qdRy7CQ8V+FDpSlp5RDUaPVxfzAYQ+GI qlkko5zG4i+9hlsFGVujEr4u54kq8y/Cbfu6D+OzWXWaBv7x6pDOsUF5IvcL6OJiMdwJ KvZF3c6qdGqlalTFfIdaeb8I0QGJXh4M+hPcI5FHsdguY/TKmt02c6QXGYseVsoPi88t edzw== X-Gm-Message-State: AOAM532H+bDXzDCcPQChZwUw7jLnBiXOh8VDiqiFcgw4aByqxsLRp6Z9 bnKt/HYcbADaHiQhplcx1guT79yA0KCavbWSyMbX/A== X-Received: by 2002:a05:6402:3585:: with SMTP id y5mr4843766edc.97.1612384260671; Wed, 03 Feb 2021 12:31:00 -0800 (PST) MIME-Version: 1.0 References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-14-ben.widawsky@intel.com> <20210201182848.GL197521@fedora> <20210202235103.v36v3znh5tsi4g5x@intel.com> <20210203171610.2y2x4krijol5dvkk@intel.com> In-Reply-To: From: Dan Williams Date: Wed, 3 Feb 2021 12:31:00 -0800 Message-ID: Subject: Re: [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h) To: Konrad Rzeszutek Wilk Cc: Ben Widawsky , linux-cxl@vger.kernel.org, Linux ACPI , Linux Kernel Mailing List , linux-nvdimm , Linux PCI , Bjorn Helgaas , Chris Browy , Christoph Hellwig , Ira Weiny , Jon Masters , Jonathan Cameron , Rafael Wysocki , Randy Dunlap , Vishal Verma , daniel.lll@alibaba-inc.com, "John Groves (jgroves)" , "Kelley, Sean V" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 3, 2021 at 10:16 AM Konrad Rzeszutek Wilk wrote: > > On Wed, Feb 03, 2021 at 09:16:10AM -0800, Ben Widawsky wrote: > > On 21-02-02 15:57:03, Dan Williams wrote: > > > On Tue, Feb 2, 2021 at 3:51 PM Ben Widawsky wrote: > > > > > > > > On 21-02-01 13:28:48, Konrad Rzeszutek Wilk wrote: > > > > > On Fri, Jan 29, 2021 at 04:24:37PM -0800, Ben Widawsky wrote: > > > > > > The Get Log command returns the actual log entries that are advertised > > > > > > via the Get Supported Logs command (0400h). CXL device logs are selected > > > > > > by UUID which is part of the CXL spec. Because the driver tries to > > > > > > sanitize what is sent to hardware, there becomes a need to restrict the > > > > > > types of logs which can be accessed by userspace. For example, the > > > > > > vendor specific log might only be consumable by proprietary, or offline > > > > > > applications, and therefore a good candidate for userspace. > > > > > > > > > > > > The current driver infrastructure does allow basic validation for all > > > > > > commands, but doesn't inspect any of the payload data. Along with Get > > > > > > Log support comes new infrastructure to add a hook for payload > > > > > > validation. This infrastructure is used to filter out the CEL UUID, > > > > > > which the userspace driver doesn't have business knowing, and taints on > > > > > > invalid UUIDs being sent to hardware. > > > > > > > > > > Perhaps a better option is to reject invalid UUIDs? > > > > > > > > > > And if you really really want to use invalid UUIDs then: > > > > > > > > > > 1) Make that code wrapped in CONFIG_CXL_DEBUG_THIS_IS_GOING_TO..? > > > > > > > > > > 2) Wrap it with lockdown code so that you can't do this at all > > > > > when in LOCKDOWN_INTEGRITY or such? > > > > > > > > > > > > > The commit message needs update btw as CEL is allowed in the latest rev of the > > > > patches. > > > > > > > > We could potentially combine this with the now added (in a branch) CONFIG_RAW > > > > config option. Indeed I think that makes sense. Dan, thoughts? > > > > > > Yeah, unknown UUIDs blocking is the same risk as raw commands as a > > > vendor can trigger any behavior they want. A "CONFIG_RAW depends on > > > !CONFIG_INTEGRITY" policy sounds reasonable as well. > > > > What about LOCKDOWN_NONE though? I think we need something runtime for this. > > > > Can we summarize the CONFIG options here? > > > > CXL_MEM_INSECURE_DEBUG // no change > > CXL_MEM_RAW_COMMANDS // if !security_locked_down(LOCKDOWN_NONE) > > > > bool cxl_unsafe() > > Would it be better if this inverted? Aka cxl_safe().. > ? > > { > > #ifndef CXL_MEM_RAW_COMMANDS nit use IS_ENABLED() if this function lives in a C file, or provide whole alternate static inline versions in a header gated by ifdefs. > > return false; > > #else > > return !security_locked_down(LOCKDOWN_NONE); > > :thumbsup: > > (Naturally this would inverted if this was cxl_safe()). > > > > #endif > > } > > > > --- > > > > Did I get that right? > > :nods: Looks good which means it's time to bikeshed the naming. I'd call it cxl_raw_allowed(). As "safety" isn't the only reason for blocking raw, it's also to corral the userspace api. I.e. things like enforcing security passphrase material through the Linux keys api.