Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp114109pxb; Mon, 8 Feb 2021 17:05:47 -0800 (PST) X-Google-Smtp-Source: ABdhPJxBNtLUpAgWsv+w8AvbJYoWoOEspYx7GeTv1M3NEgxXxxeXngNRc0EgVENaJR1r0cNa/ff8 X-Received: by 2002:a17:907:da3:: with SMTP id go35mr11708464ejc.26.1612832747371; Mon, 08 Feb 2021 17:05:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612832747; cv=none; d=google.com; s=arc-20160816; b=k6qDlb44v6upwNk9UK4nKhYbv4KIP4vPUEb12rDFb+DoMkMQ1HaKL8miJCRh3yhF+h qX1gS0YE2K1KheLehgDj8/6eTGOIw82owfKyjMm8QfMlw448h59h/4F1RWmiX0yU16Vf phZMcAk3mMciuMUZk++CWzsckdEU6HXvA3y6rAD6JbL9BWz4sK9Cp1XKJaZxnf9E1IpR 2oePPJg54hg/75/jEm6LQON8xNot15UWkqli2Yl3ShqCdz6YUJKMebx9pxvNm9MFF3sp iDAOWlEOh95jstrLeiE0nUzMfFl8PinlmGEgBJs5scSsVgqNE7VFVXJuQlYbP+Qwkr9x ym0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=fHdIpxdCQ1PLtC8RCv6m44jQdcXIE1TuMoRRkTZi7uE=; b=MgrpPEUB7FwMhY3vTNn70f9gQ/gmXlY1IWF1hK4XEDsyrxUph9FMTs86ARtEaqy0ql aQEQ6jQ/VuGJU/STE9VJOkqrgILaSbjpSsPDHZFoQM+rVjtM6LIr1HoRoLkL3o5ApFBI a0dFXONucFBrsSkdBELkHvfdbOEO6xHcy54KoAY52TOpYclIFcsixBDs4cNrvfo3fiPO FfgEy+3+7qD+6pkwDDoROez+k2URkLXlHeLbTZkNxd0WDa8G5fkuuUW3+2QVWRFao3Rz Z1M6com8NejNk6AhsstdMM20vim8Ev+6tcyHWRxCH5Rc1Vefv5WCbU8XN8XfYfxqzINZ untg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=qwv0t5E5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r15si12460155ejj.134.2021.02.08.17.05.24; Mon, 08 Feb 2021 17:05:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=qwv0t5E5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229721AbhBIBE1 (ORCPT + 99 others); Mon, 8 Feb 2021 20:04:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38006 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229729AbhBIBEU (ORCPT ); Mon, 8 Feb 2021 20:04:20 -0500 Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B7EFC06178B for ; Mon, 8 Feb 2021 17:03:39 -0800 (PST) Received: by mail-ed1-x52a.google.com with SMTP id s26so15721453edt.10 for ; Mon, 08 Feb 2021 17:03:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fHdIpxdCQ1PLtC8RCv6m44jQdcXIE1TuMoRRkTZi7uE=; b=qwv0t5E5aZrjpce35wVglshp4JBxu39PIdgj4xdUOlLAEakgzg4b3FJbfq2HN/qqou 9LQfGzniImvjDNMBkBJnrX1ntP72ogrewjQ2gKYoCh1o/le4FRKVGjaJxv3rSN7ZZBGU ND29aEvm0jt1j7a3IPInOsXrIfqP/YDjyAHvbHVpAfIfge/RjtSbj3EMVgUml+GLtD8A s4+rSINdnXAV0Xh58nVxnqiimSO2mDtGL34UGKW0uyWIrbcD0eh7LweXk4UOOBJfHn1d k46kyxjQC6/FOxYghxGOEZpmpCQBxx/22/B4ofVC4Hm3q5GScDOeGmVhJc6rCD4ZEY91 XuRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fHdIpxdCQ1PLtC8RCv6m44jQdcXIE1TuMoRRkTZi7uE=; b=hzohG8mNGLCgdPChZUxxS2iqiEyh2lYO5zHRvnMssyPfG9DVz2HI+42rKecNnTdUz4 yR3CywXEMVoFQ04vBZEOZ/oiOQuu52e6P88MaYAXom1lB9scBq2D9eGQUlHqiJTe7+qr iTrldDBWJ5f5aocclZyuT6XoH4o1q6tS1LgMTtu7Y005YsVULBVV6xnJeFgdtWKDUURy 33bJZwAKN3Fug1kg9pAjq9V/TnkaBRWOLL+rcQNIQoBc9D94CGZrETXyjA6iECJZdtav 8Khh7CmfOEvNqIXjTfzodW5Tkj5NOema/jnzbNYosKGrIThVmVxSMXc9m/gUWmslEkE+ 5p4Q== X-Gm-Message-State: AOAM531UWFOaP05ZU5b59wwZbnlHuAHqEiDSSHbqGjgqqL2B1lmr97L4 ARQU1SmQbYEPAbobM3InSAMR+AE4FMwA6fSn7e3wyQ== X-Received: by 2002:aa7:ca13:: with SMTP id y19mr20091433eds.300.1612832617860; Mon, 08 Feb 2021 17:03:37 -0800 (PST) MIME-Version: 1.0 References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-9-ben.widawsky@intel.com> <202102081406.CDE33FB8@keescook> In-Reply-To: From: Dan Williams Date: Mon, 8 Feb 2021 17:03:25 -0800 Message-ID: Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access To: Kees Cook Cc: Jonathan Corbet , linux-cxl@vger.kernel.org, Ben Widawsky , Linux ACPI , Linux Kernel Mailing List , linux-nvdimm , Linux PCI , Bjorn Helgaas , Chris Browy , Ira Weiny , Jon Masters , Jonathan Cameron , Rafael Wysocki , Randy Dunlap , Vishal Verma , daniel.lll@alibaba-inc.com, "John Groves (jgroves)" , "Kelley, Sean V" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 8, 2021 at 3:36 PM Dan Williams wrote: > > On Mon, Feb 8, 2021 at 2:09 PM Kees Cook wrote: > > > > On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote: > > > [ add Jon Corbet as I'd expect him to be Cc'd on anything that > > > generically touches Documentation/ like this, and add Kees as the last > > > person who added a taint (tag you're it) ] > > > > > > Jon, Kees, are either of you willing to ack this concept? > > > > > > Top-posting to add more context for the below: > > > > > > This taint is proposed because it has implications for > > > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices > > > implement memory like DDR would, but unlike DDR there are > > > administrative / configuration commands that demand kernel > > > coordination before they can be sent. The posture taken with this > > > taint is "guilty until proven innocent" for commands that have yet to > > > be explicitly allowed by the driver. This is different than NVME for > > > example where an errant vendor-defined command could destroy data on > > > the device, but there is no wider threat to system integrity. The > > > taint allows a pressure release valve for any and all commands to be > > > sent, but flagged with WARN_TAINT_ONCE if the driver has not > > > explicitly enabled it on an allowed list of known-good / kernel > > > coordinated commands. > > > > > > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky wrote: > > > > > > > > For drivers that moderate access to the underlying hardware it is > > > > sometimes desirable to allow userspace to bypass restrictions. Once > > > > userspace has done this, the driver can no longer guarantee the sanctity > > > > of either the OS or the hardware. When in this state, it is helpful for > > > > kernel developers to be made aware (via this taint flag) of this fact > > > > for subsequent bug reports. > > > > > > > > Example usage: > > > > - Hardware xyzzy accepts 2 commands, waldo and fred. > > > > - The xyzzy driver provides an interface for using waldo, but not fred. > > > > - quux is convinced they really need the fred command. > > > > - xyzzy driver allows quux to frob hardware to initiate fred. > > > > - kernel gets tainted. > > > > - turns out fred command is borked, and scribbles over memory. > > > > - developers laugh while closing quux's subsequent bug report. > > > > But a taint flag only lasts for the current boot. If this is a drive, it > > could still be compromised after reboot. It sounds like this taint is > > really only for ephemeral things? "vendor shenanigans" is a pretty giant > > scope ... > > > > That is true. This is more about preventing an ecosystem / cottage > industry of tooling built around bypassing the kernel. So the kernel > complains loudly and hopefully prevents vendor tooling from > propagating and instead directs that development effort back to the > native tooling. However for the rare "I know what I'm doing" cases, > this tainted kernel bypass lets some experimentation and debug happen, > but the kernel is transparent that when the capability ships in > production it needs to be a native implementation. > > So it's less, "the system integrity is compromised" and more like > "you're bypassing the development process that ensures sanity for CXL > implementations that may take down a system if implemented > incorrectly". For example, NVME reset is a non-invent, CXL reset can > be like surprise removing DDR DIMM. > > Should this be more tightly scoped to CXL? I had hoped to use this in > other places in LIBNVDIMM, but I'm ok to lose some generality for the > specific concerns that make CXL devices different than other PCI > endpoints. As I type this out it strikes me that plain WARN already does TAINT_WARN and meets the spirit of what is trying to be achieved. Appreciate the skeptical eye Kees, we'll drop this one.