References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-9-ben.widawsky@intel.com>
In-Reply-To: <20210130002438.1872527-9-ben.widawsky@intel.com>
From: Dan Williams
Date: Mon, 8 Feb 2021 14:00:33 -0800
Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access
To: Jonathan Corbet, Kees Cook
Cc: linux-cxl@vger.kernel.org, Ben Widawsky, Linux ACPI, Linux Kernel Mailing List, linux-nvdimm, Linux PCI, Bjorn Helgaas, Chris Browy, Ira Weiny, Jon Masters, Jonathan Cameron, Rafael Wysocki, Randy Dunlap, Vishal Verma, daniel.lll@alibaba-inc.com, "John Groves (jgroves)", "Kelley, Sean V"
X-Mailing-List: linux-kernel@vger.kernel.org

[ add Jon Corbet as I'd expect him to be Cc'd on anything that generically touches Documentation/ like this, and add Kees as the last person who added a taint (tag you're it) ]

Jon, Kees, are either of you willing to ack this concept?

Top-posting to add more context for the below:

This taint is proposed because it has implications for CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices implement memory like DDR would, but unlike DDR there are administrative / configuration commands that demand kernel coordination before they can be sent. The posture taken with this taint is "guilty until proven innocent" for commands that have yet to be explicitly allowed by the driver. This is different than NVME for example where an errant vendor-defined command could destroy data on the device, but there is no wider threat to system integrity. The taint allows a pressure release valve for any and all commands to be sent, but flagged with WARN_TAINT_ONCE if the driver has not explicitly enabled it on an allowed list of known-good / kernel coordinated commands.

On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky wrote:
>
> For drivers that moderate access to the underlying hardware it is
> sometimes desirable to allow userspace to bypass restrictions. Once
> userspace has done this, the driver can no longer guarantee the sanctity
> of either the OS or the hardware. When in this state, it is helpful for
> kernel developers to be made aware (via this taint flag) of this fact
> for subsequent bug reports.
>
> Example usage:
> - Hardware xyzzy accepts 2 commands, waldo and fred.
> - The xyzzy driver provides an interface for using waldo, but not fred.
> - quux is convinced they really need the fred command.
> - xyzzy driver allows quux to frob hardware to initiate fred.
> - kernel gets tainted.
> - turns out fred command is borked, and scribbles over memory.
> - developers laugh while closing quux's subsequent bug report.
>
> Signed-off-by: Ben Widawsky
> ---
> Documentation/admin-guide/sysctl/kernel.rst | 1 +
> Documentation/admin-guide/tainted-kernels.rst | 6 +++++-
> include/linux/kernel.h | 3 ++-
> kernel/panic.c | 1 +
> 4 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst > index 1d56a6b73a4e..3e1eada53504 100644 > --- a/Documentation/admin-guide/sysctl/kernel.rst > +++ b/Documentation/admin-guide/sysctl/kernel.rst > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports. > 32768 `(K)` kernel has been live patched > 65536 `(X)` Auxiliary taint, defined and used by for distros > 131072 `(T)` The kernel was built with the struct randomization plugin > +262144 `(H)` The kernel has allowed vendor shenanigans > ====== ===== ============================================================== > > See :doc:`/admin-guide/tainted-kernels` for more information. > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst > index ceeed7b0798d..ee2913316344 100644 > --- a/Documentation/admin-guide/tainted-kernels.rst > +++ b/Documentation/admin-guide/tainted-kernels.rst
> @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned > script, but if you need something quick you can use this shell command to check > which bits are set:: > > - $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done > + $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done > > Table for decoding tainted state > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > @@ -100,6 +100,7 @@ Bit Log Number Reason that got the kernel tainted > 15 _/K 32768 kernel has been live patched > 16 _/X 65536 auxiliary taint, defined for and used by distros > 17 _/T 131072 kernel was built with the struct randomization plugin > + 18 _/H 262144 kernel has allowed vendor shenanigans > === === ====== ======================================================== > > Note: The character ``_`` is representing a blank in this table to make reading > @@ -175,3 +176,6 @@ More detailed explanation for tainting > produce extremely unusual kernel structure layouts (even performance > pathological ones), which is important to know when debugging. Set at > build time. > + > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make > + any guarantees about the stability of the device or driver. > diff --git a/include/linux/kernel.h b/include/linux/kernel.h > index f7902d8c1048..bc95486f817e 100644 > --- a/include/linux/kernel.h > +++ b/include/linux/kernel.h > @@ -443,7 +443,8 @@ extern enum system_states { > #define TAINT_LIVEPATCH 15 > #define TAINT_AUX 16 > #define TAINT_RANDSTRUCT 17 > -#define TAINT_FLAGS_COUNT 18 > +#define TAINT_RAW_PASSTHROUGH 18 > +#define TAINT_FLAGS_COUNT 19 > #define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1) > > struct taint_flag { > diff --git a/kernel/panic.c b/kernel/panic.c > index 332736a72a58..dff22bd80eaf 100644 > --- a/kernel/panic.c > +++ b/kernel/panic.c 
> @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = { > [ TAINT_LIVEPATCH ] = { 'K', ' ', true }, > [ TAINT_AUX ] = { 'X', ' ', true }, > [ TAINT_RANDSTRUCT ] = { 'T', ' ', true }, > + [ TAINT_RAW_PASSTHROUGH ] = { 'H', ' ', true }, > }; > > /** > -- > 2.30.0 >
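Review bot: in the Documentation/admin-guide/sysctl/kernel.rst hunk, the new row's description, `The kernel has allowed vendor shenanigans`, is jokey and does not match the wording the same series adds to tainted-kernels.rst (`Kernel has allowed direct access to hardware and can no longer make any guarantees about the stability of the device or driver`). This table is what an admin reads when decoding /proc/sys/kernel/tainted, so use the descriptive wording in both places, e.g. `+262144 `(H)` kernel has allowed direct (raw passthrough) access to hardware`. The value itself is right: bit 18 is 1 << 18 = 262144, matching TAINT_RAW_PASSTHROUGH 18 in the kernel.h hunk.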
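Review bot: in the `@@ -74,7 +74,7 @@` hunk of tainted-kernels.rst, bumping `seq 18` to `seq 19` keeps the one-liner in step with TAINT_FLAGS_COUNT 19, but this hard-coded bound has to be edited by hand every time a taint is added, which is exactly the kind of drift the two tables in this file are prone to. Either say in the text that the bound equals TAINT_FLAGS_COUNT, or rewrite the loop to walk every set bit of the value so it needs no bound at all.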
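Review bot: in the `@@ -100,6 +100,7 @@` table hunk, `_/H` correctly records that the flag has no "unset" character, consistent with the `' '` second field in the panic.c entry, but the reason column again says `kernel has allowed vendor shenanigans`; use the same wording as the detailed explanation added further down in this file so the short table and the long explanation describe the same thing.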
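Review bot: in the `@@ -175,3 +176,6 @@` hunk, the new paragraph 18) says the kernel "has allowed direct access to hardware" but not who sets the flag or when. The cover text in this thread says it is raised, via WARN_TAINT_ONCE, when a driver lets userspace send a command it has not explicitly allowed, and that this matters for CONFIG_LOCK_DOWN_KERNEL; spell that out here, since this section is the one place an admin who sees `H` in an Oops will look for the consequences.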
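Review bot: in the include/linux/kernel.h hunk, TAINT_RAW_PASSTHROUGH 18 and TAINT_FLAGS_COUNT 19 are consistent with each other and with TAINT_FLAGS_MAX, and 19 bits still fit the `1UL` shift; however, the name RAW_PASSTHROUGH appears nowhere in the documentation hunks, which speak of "direct hardware access" and "vendor shenanigans", so someone going from an Oops to the source has three vocabularies to reconcile. Add a short comment next to the define naming the letter `H`, or mention the macro in tainted-kernels.rst.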
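Review bot: in the kernel/panic.c hunk, `[ TAINT_RAW_PASSTHROUGH ] = { 'H', ' ', true }` mirrors its neighbours and the blank second character matches the docs' `_/H`; what the series still does not show is the driver-side call site, so the commit message should say which helper drivers are expected to use when they let a non-allowed command through (the cover text above mentions WARN_TAINT_ONCE) and that the flag, like the other taints, is intended to be a permanent record for later bug reports.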
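To make the "guilty until proven innocent" posture described in the top-post concrete, here is an added user-space C model (not kernel code and not part of this series): a driver-side allow list, an administrative override, and a stand-in for WARN_TAINT_ONCE that sets bit 18 of a taint mask. The opcodes, `struct dev_model` and `submit_cmd` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAINT_RAW_PASSTHROUGH      18   /* bit number from the patch; 1 << 18 == 262144 */
#define TAINT_RAW_PASSTHROUGH_MASK (1UL << TAINT_RAW_PASSTHROUGH)

/* allowed: kernel-coordinated; rejected: unknown, no override, no taint;
 * raw_tainted: unknown but override on, so it is sent and the kernel is tainted. */
enum cmd_verdict { CMD_ALLOWED, CMD_REJECTED, CMD_RAW_TAINTED };

struct dev_model {                /* hypothetical stand-in for a driver's device state */
	bool raw_override;        /* hypothetical admin knob enabling passthrough */
	unsigned long tainted;    /* stands in for the kernel's taint bitmask */
	bool warned;              /* WARN_TAINT_ONCE prints a single warning */
};

/* Constructed opcodes for the commands the driver knows how to coordinate
 * ("waldo" in the commit message); anything else plays the role of "fred". */
static const uint16_t allowed_cmds[] = { 0x0001, 0x0044 };

static bool cmd_on_allow_list(uint16_t opcode)
{
	for (size_t i = 0; i < sizeof(allowed_cmds) / sizeof(allowed_cmds[0]); i++)
		if (allowed_cmds[i] == opcode)
			return true;
	return false;
}

/* "Guilty until proven innocent": a command not explicitly allowed is refused
 * unless the override is on, in which case it is sent but leaves the H taint. */
enum cmd_verdict submit_cmd(struct dev_model *dev, uint16_t opcode)
{
	if (cmd_on_allow_list(opcode))
		return CMD_ALLOWED;
	if (!dev->raw_override)
		return CMD_REJECTED;
	if (!dev->warned) {   /* model of WARN_TAINT_ONCE: warn once, taint every time */
		fprintf(stderr, "raw passthrough of opcode 0x%04x, tainting kernel (H)\n", opcode);
		dev->warned = true;
	}
	dev->tainted |= TAINT_RAW_PASSTHROUGH_MASK;
	return CMD_RAW_TAINTED;
}
```

Two unknown commands with the override on leave `tainted` at 262144 and `warned` set once, the equivalent of a single WARN_TAINT_ONCE splat followed by a sticky `H` in the Tainted line.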