Subject: Re: [PATCH v1] driver: base: Add driver filter support
From: Andi Kleen
To: "Kuppuswamy, Sathyanarayanan", Dan Williams, Greg Kroah-Hartman
Cc: "Rafael J. Wysocki", Jonathan Corbet, Kuppuswamy Sathyanarayanan, Linux Kernel Mailing List, Linux Doc Mailing List
Date: Thu, 5 Aug 2021 10:52:10 -0700
In-Reply-To: <1e9efeb3-4aef-68e2-6af3-cf6bb5decb38@linux.intel.com>
References: <20210804174322.2898409-1-sathyanarayanan.kuppuswamy@linux.intel.com> <1e9efeb3-4aef-68e2-6af3-cf6bb5decb38@linux.intel.com>
List-ID: linux-kernel@vger.kernel.org

On 8/5/2021 10:25 AM, Kuppuswamy, Sathyanarayanan wrote:
>
>
> On 8/5/21 9:37 AM, Dan Williams wrote:
>> I overlooked the "authorized" attribute in usb and thunderbolt. The
>> collision problem makes sense. Are you open to a core "authorized"
>> attribute that buses like usb and thunderbolt would override in favor
>> of their local implementation? I.e. similar to suppress_bind_attrs:
>
> Even if such overriding is allowed in default boot, it should not be
> allowed in protected guest + driver_filter model.

Allowing overriding would be acceptable, as long as nobody does it by
default. In theory a (root) user program can already do other things
that make the guest insecure.

Still, it's not clear to me how this proposal solves the builtin and
platform drivers problem. AFAIK that needs a builtin allowlist in any
case. And once we have that, likely we don't need anything else for
current TDX at least, because the allowlist is so small and there is
no concept of hotplug or similar.

Also another consideration is that we were trying to avoid relying too
much on user space for this. One of the goals was to move an existing
guest image to a confidential guest with only minor changes (new
kernel / enable attestation). Complex changes for securing it would
make that much harder.

-Andi
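The policy the thread is arguing about, written out as a small userspace model (an added example, not code from the patch under review, from Andi's reply or from the kernel's driver core): a builtin allowlist that is the only thing consulted in a protected guest, plus a per-device "authorized" attribute that root may flip in a normal boot but that cannot be used to widen the allowlist once the guest is protected. The guest-mode enum, the `filt_device` struct, the `scenario`/`try_override` helpers and the driver names in the allowlist are all hypothetical; the "authorized by default in a normal boot" choice is an assumption made for the example, not a statement about any bus's real default.

```c
/*
 * Userspace model of a bind-time driver filter for confidential guests.
 * Added example; every identifier here is hypothetical and this is not
 * the kernel's driver core. Build: cc -Wall -o filter filter.c
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum guest_mode { GUEST_NORMAL, GUEST_PROTECTED };

/* Hypothetical builtin allowlist; placeholder names, not any real TDX list. */
static const char *const builtin_allowlist[] = {
	"virtio_net", "virtio_blk", "virtio_console",
};

struct filt_device {
	const char *bus;	/* e.g. "platform", "pci", "usb" */
	const char *driver;	/* name of the driver that matched the device */
	int authorized;		/* per-device attribute, 1 = may bind */
};

static int driver_on_allowlist(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(builtin_allowlist) / sizeof(builtin_allowlist[0]); i++)
		if (strcmp(builtin_allowlist[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Initial value of "authorized". Assumption for the model: everything is
 * authorized in a normal boot; in a protected guest only allowlisted
 * drivers start out authorized, so the default is deny.
 */
int default_authorized(const struct filt_device *dev, enum guest_mode mode)
{
	return mode == GUEST_PROTECTED ? driver_on_allowlist(dev->driver) : 1;
}

/*
 * Model of a write to the "authorized" attribute. Root may set it either
 * way in a normal boot. In a protected guest, turning it on for a driver
 * outside the allowlist is refused, so user space cannot widen the
 * allowlist; turning it off is always allowed.
 */
int set_authorized(struct filt_device *dev, enum guest_mode mode, int value)
{
	if (mode == GUEST_PROTECTED && value && !driver_on_allowlist(dev->driver))
		return -EPERM;
	dev->authorized = value;
	return 0;
}

/* Decision taken before probing: 1 = allow bind, 0 = skip this driver. */
int bind_allowed(const struct filt_device *dev, enum guest_mode mode)
{
	if (mode == GUEST_PROTECTED && !driver_on_allowlist(dev->driver))
		return 0;
	return dev->authorized;
}

/* Return value of an attempt to authorize a device for the given driver. */
int try_override(enum guest_mode mode, const char *driver)
{
	struct filt_device dev = { "pci", driver, 0 };

	dev.authorized = default_authorized(&dev, mode);
	return set_authorized(&dev, mode, 1);
}

/*
 * One end-to-end decision: apply the default, optionally request a value
 * for "authorized" (-1 = leave the default), and report the bind decision.
 */
int scenario(enum guest_mode mode, const char *driver, int request)
{
	struct filt_device dev = { "pci", driver, 0 };

	dev.authorized = default_authorized(&dev, mode);
	if (request >= 0)
		set_authorized(&dev, mode, request);	/* -EPERM leaves it unchanged */
	return bind_allowed(&dev, mode);
}

int main(void)
{
	printf("protected, virtio_net, default : bind=%d\n", scenario(GUEST_PROTECTED, "virtio_net", -1));
	printf("protected, usbhid, default     : bind=%d\n", scenario(GUEST_PROTECTED, "usbhid", -1));
	printf("protected, usbhid, override    : rc=%d bind=%d\n", try_override(GUEST_PROTECTED, "usbhid"), scenario(GUEST_PROTECTED, "usbhid", 1));
	printf("normal, usbhid, default        : bind=%d\n", scenario(GUEST_NORMAL, "usbhid", -1));
	printf("normal, usbhid, deauthorized   : bind=%d\n", scenario(GUEST_NORMAL, "usbhid", 0));
	return 0;
}
```

The point the model makes explicit is the asymmetry Andi describes: the override is harmless to keep as long as nothing enables it by default, so the only write that must be refused in a protected guest is one that would authorize a driver the builtin allowlist does not name; de-authorizing stays available, and a normal boot is unaffected.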