Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp61385pxb; Mon, 8 Feb 2021 15:15:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJwORXIvx9KIoWNrSc+CIwLe51EfRzKc2/UvwkNWReYYwMWQGWaN/B6cWuf068+62Ia0sDey X-Received: by 2002:aa7:dd49:: with SMTP id o9mr19517670edw.14.1612826156388; Mon, 08 Feb 2021 15:15:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612826156; cv=none; d=google.com; s=arc-20160816; b=c4vO2a6XC00ojUpuhoDghXo3py+gL4hHtmy2WEXh+ih1IXWpVdEnI7spYZP1IApUMZ im0O39ydm0IIGzJin9xMPg7Z+VfIPNZo7I26rU+TuKIBx8s1Qpyfoy6aaU4wcQqHp07i aeYSuy8kzA/4ahqZ2B2XVpXAIhMTK1yfELktIXsOPNLzdOHh914AgEZHscjiPq8MVTu3 eNOs5DYYL+EoQc6w2vHIiEZFNVKmwFjVKVZOyX7o8f6KdZimcvRpbf01t8+VQUp3eqrn K4G9NpXoK+HPILy+D3keoGpfsOp82qKdzVyTbxpt3gIu/8stDP1PdI5t/ZICYzs6PdIa //rQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:ironport-sdr :ironport-sdr; bh=2GW1XQkYP/otbyzOoETmaGiyJoZyLv/b3BO/AdeTKnY=; b=UCO8LJaqP4NOeso4J9YDdipnr0YBJ/z8IHCDfFWRcoH6Rz0PRQHHe4lYgCTLhhCD22 mlboOOMImoMdHJF4oSqzDopysHBHnUy1nBi2tZuz6Ot1kHHjCHvzigypDAkhvjcJ3b+A OI5BK1leXR7lgwQwjbbmthRslAKlDnfXqL0q9rxQFtANaAqXondpqgPT6jUcKpSE0+nX WFFtqqWRZ394fmIy2TG8I8MGzOAo2orsbeG784X/T+LTTHoZ0T8cNPz+OBGZBYZSCqLo fVxT5rAR2fSSCCfzVhndy4OoIirmCYiOt44782Kz9IHb/T8q4GLMw7G0R8JFcuobJx3W 1/bg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y25si11869312ejb.546.2021.02.08.15.15.33; Mon, 08 Feb 2021 15:15:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231485AbhBHXG3 (ORCPT + 99 others); Mon, 8 Feb 2021 18:06:29 -0500 Received: from mga12.intel.com ([192.55.52.136]:42431 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229554AbhBHXG0 (ORCPT ); Mon, 8 Feb 2021 18:06:26 -0500 IronPort-SDR: Ac6srf6szgDU9urgXTO5//h7lXwB69NwEkQgauulrWi6PtfCiB9qyvjw7WP+52h+Vko7XBK6nb v8DwdCDaadbQ== X-IronPort-AV: E=McAfee;i="6000,8403,9889"; a="160949495" X-IronPort-AV: E=Sophos;i="5.81,163,1610438400"; d="scan'208";a="160949495" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Feb 2021 15:05:45 -0800 IronPort-SDR: dZGsPb3PToeX1jGvq3Hjh+AuXcZBJNOGQocMMYrdNFTa2r3l93ZhZkx6Vf/2wpcBbRvauqsGhB 9hAmBWPuN1Fw== X-IronPort-AV: E=Sophos;i="5.81,163,1610438400"; d="scan'208";a="411328411" Received: from svetsa-mobl2.amr.corp.intel.com (HELO intel.com) ([10.252.133.103]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Feb 2021 15:05:43 -0800 Date: Mon, 8 Feb 2021 15:05:42 -0800 From: Ben Widawsky To: Kees Cook Cc: Dan Williams , Jonathan Corbet , linux-cxl@vger.kernel.org, Linux ACPI , Linux Kernel Mailing List , linux-nvdimm , Linux PCI , Bjorn Helgaas , Chris Browy , Ira Weiny , Jon Masters , Jonathan Cameron , Rafael Wysocki , Randy Dunlap , Vishal Verma , daniel.lll@alibaba-inc.com, "John Groves (jgroves)" , "Kelley, Sean V" Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access Message-ID: <20210208230542.6qxga32zxxtit5hk@intel.com> References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-9-ben.widawsky@intel.com> <202102081406.CDE33FB8@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202102081406.CDE33FB8@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 21-02-08 14:09:19, Kees Cook wrote: > On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote: > > [ add Jon Corbet as I'd expect him to be Cc'd on anything that > > generically touches Documentation/ like this, and add Kees as the last > > person who added a taint (tag you're it) ] > > > > Jon, Kees, are either of you willing to ack this concept? > > > > Top-posting to add more context for the below: > > > > This taint is proposed because it has implications for > > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices > > implement memory like DDR would, but unlike DDR there are > > administrative / configuration commands that demand kernel > > coordination before they can be sent. The posture taken with this > > taint is "guilty until proven innocent" for commands that have yet to > > be explicitly allowed by the driver. This is different than NVME for > > example where an errant vendor-defined command could destroy data on > > the device, but there is no wider threat to system integrity. The > > taint allows a pressure release valve for any and all commands to be > > sent, but flagged with WARN_TAINT_ONCE if the driver has not > > explicitly enabled it on an allowed list of known-good / kernel > > coordinated commands. > > > > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky wrote: > > > > > > For drivers that moderate access to the underlying hardware it is > > > sometimes desirable to allow userspace to bypass restrictions. Once > > > userspace has done this, the driver can no longer guarantee the sanctity > > > of either the OS or the hardware. When in this state, it is helpful for > > > kernel developers to be made aware (via this taint flag) of this fact > > > for subsequent bug reports. > > > > > > Example usage: > > > - Hardware xyzzy accepts 2 commands, waldo and fred. > > > - The xyzzy driver provides an interface for using waldo, but not fred. > > > - quux is convinced they really need the fred command. > > > - xyzzy driver allows quux to frob hardware to initiate fred. > > > - kernel gets tainted. > > > - turns out fred command is borked, and scribbles over memory. > > > - developers laugh while closing quux's subsequent bug report. > > But a taint flag only lasts for the current boot. If this is a drive, it > could still be compromised after reboot. It sounds like this taint is > really only for ephemeral things? "vendor shenanigans" is a pretty giant > scope ... > > -Kees > Good point. Any suggestions? > > > > > > Signed-off-by: Ben Widawsky > > > --- > > > Documentation/admin-guide/sysctl/kernel.rst | 1 + > > > Documentation/admin-guide/tainted-kernels.rst | 6 +++++- > > > include/linux/kernel.h | 3 ++- > > > kernel/panic.c | 1 + > > > 4 files changed, 9 insertions(+), 2 deletions(-) > > > > > > diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst > > > index 1d56a6b73a4e..3e1eada53504 100644 > > > --- a/Documentation/admin-guide/sysctl/kernel.rst > > > +++ b/Documentation/admin-guide/sysctl/kernel.rst > > > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports. > > > 32768 `(K)` kernel has been live patched > > > 65536 `(X)` Auxiliary taint, defined and used by for distros > > > 131072 `(T)` The kernel was built with the struct randomization plugin > > > +262144 `(H)` The kernel has allowed vendor shenanigans > > > ====== ===== ============================================================== > > > > > > See :doc:`/admin-guide/tainted-kernels` for more information. > > > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst > > > index ceeed7b0798d..ee2913316344 100644 > > > --- a/Documentation/admin-guide/tainted-kernels.rst > > > +++ b/Documentation/admin-guide/tainted-kernels.rst > > > @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned > > > script, but if you need something quick you can use this shell command to check > > > which bits are set:: > > > > > > - $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done > > > + $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done > > > > > > Table for decoding tainted state > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > @@ -100,6 +100,7 @@ Bit Log Number Reason that got the kernel tainted > > > 15 _/K 32768 kernel has been live patched > > > 16 _/X 65536 auxiliary taint, defined for and used by distros > > > 17 _/T 131072 kernel was built with the struct randomization plugin > > > + 18 _/H 262144 kernel has allowed vendor shenanigans > > > === === ====== ======================================================== > > > > > > Note: The character ``_`` is representing a blank in this table to make reading > > > @@ -175,3 +176,6 @@ More detailed explanation for tainting > > > produce extremely unusual kernel structure layouts (even performance > > > pathological ones), which is important to know when debugging. Set at > > > build time. > > > + > > > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make > > > + any guarantees about the stability of the device or driver. > > > diff --git a/include/linux/kernel.h b/include/linux/kernel.h > > > index f7902d8c1048..bc95486f817e 100644 > > > --- a/include/linux/kernel.h > > > +++ b/include/linux/kernel.h > > > @@ -443,7 +443,8 @@ extern enum system_states { > > > #define TAINT_LIVEPATCH 15 > > > #define TAINT_AUX 16 > > > #define TAINT_RANDSTRUCT 17 > > > -#define TAINT_FLAGS_COUNT 18 > > > +#define TAINT_RAW_PASSTHROUGH 18 > > > +#define TAINT_FLAGS_COUNT 19 > > > #define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1) > > > > > > struct taint_flag { > > > diff --git a/kernel/panic.c b/kernel/panic.c > > > index 332736a72a58..dff22bd80eaf 100644 > > > --- a/kernel/panic.c > > > +++ b/kernel/panic.c > > > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = { > > > [ TAINT_LIVEPATCH ] = { 'K', ' ', true }, > > > [ TAINT_AUX ] = { 'X', ' ', true }, > > > [ TAINT_RANDSTRUCT ] = { 'T', ' ', true }, > > > + [ TAINT_RAW_PASSTHROUGH ] = { 'H', ' ', true }, > > > }; > > > > > > /** > > > -- > > > 2.30.0 > > > > > -- > Kees Cook