Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp109900pxt; Thu, 5 Aug 2021 19:48:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy+LraULgs3loZo2O4Yz6l+j/unxG52RHpbZpjHvOPVFforU7BuJyD2/pyuNdA+ine3nGq7 X-Received: by 2002:a17:906:cb96:: with SMTP id mf22mr7794976ejb.50.1628218128429; Thu, 05 Aug 2021 19:48:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628218128; cv=none; d=google.com; s=arc-20160816; b=QoTCVsi+yYXV6bWw45BZfmh8ErtProMxrlsfYitoEdCBDCMDmsIldLlGORSer31gFu zwy/rjg0IR00Rl4eBRLMjAxjGV1QDrdoHuDOpnGaMafwOGR5ZWHl3WoP0u0fUIDptefS mmgUhw1BdlS7u6S7pW3nZPe980dKs7Gb0qzLU2k7UhpEEe0OK5izh8e4N6m28xSAV0Pn acMqnTl/w1LFBmXrfj0Zlyg5+u3Va+8JkU1E0KMoL0LgycRoCht+MrKWpeYXq6nUoonu 3TabPNxTwi5wq2oRjxlBUd8GZPjyqhYR0Eo8LSuGvAr1rq7r5jh6zjUVtTjV360lyruA GZYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=h7IDk0OOcPz9sjDYMNk5T/RupZIK0JqXEvQggcu39zs=; b=EDd6KTk2cM53ZWYvc/hNlX3pDeKfy69Le2jlKRZd/W3a2pS5HqOcsQUFXZ2+AHgeQ4 spfwqPHORAJ1/kWjOfhDK+nCSdSoO/CjejgUg66O1R6jwyUD9kXeGUdLXegXS0Bnd18j LugupbINX/JKTy7u9FllXIsbapirmGaCs6M6ygQ/hw0IopWmAMW+p5sDK1K5iHn1Df14 gT/6d1cRl1UUHjiMAjt3cm+nGcBDlEgfCCG//pXpr3TUZ+Gfn26g361YXORRrYYJti7T x9TA2kr5jnZc2btw6kq44s8PRdX5m0yzxe6R52nXqq6QViuO4vJTuk2CAdvnWttt8cyr psTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=1pZjWJu4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s17si7930228ejz.554.2021.08.05.19.48.24; Thu, 05 Aug 2021 19:48:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=1pZjWJu4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232902AbhHFBAw (ORCPT + 99 others); Thu, 5 Aug 2021 21:00:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45016 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241665AbhHFBAv (ORCPT ); Thu, 5 Aug 2021 21:00:51 -0400 Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C01C4C061798 for ; Thu, 5 Aug 2021 18:00:36 -0700 (PDT) Received: by mail-pj1-x102f.google.com with SMTP id ca5so13192371pjb.5 for ; Thu, 05 Aug 2021 18:00:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h7IDk0OOcPz9sjDYMNk5T/RupZIK0JqXEvQggcu39zs=; b=1pZjWJu4hLZMNv5w60zzSykGHHIynNfYnmKW0wuP7QWWiZNkQGAwrcrlgTmKqaX1Od l2TiIXCxznuo7KCeshlQks4ieeWTYkuq0prskhjY5uPB7DMLA0Q5hedgvJbNdlWEC1X4 D6/bUGTwlZZEBhbMfggEfD4Ul/Zh73js7m2rs1sA+mmWt4Qod0s/aWEIicv5LoOd5oj/ zMCjazOXZKyko/1KnawIOtyGIXG9u98Xz771VDgJBRbMSTDh01yqs93xSJxbF1/0wa7M 4+yrs7V9CEUTA+cdCB4lMKnS+YzKDBa9jF401Z1k/1mi+yhYGuhkWS3XQRlqeT9MhTsR FNiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h7IDk0OOcPz9sjDYMNk5T/RupZIK0JqXEvQggcu39zs=; b=GymUYdI8a96tifkOoKPLfLZlHzrayKKbg0NkKN1INJaCb59KFG8H0ojI5oSc74dW4n opn9vbtaMZT+EKBazuEnhYAz5yIaf5z/d/ceT2N3/pEOuE1+xVK79EY8kpXqt+xiHM8D SpWCLISxL00NwwIa/vtNSiHbqj8//bQvdLtx6ekS75rvKHGK2HJVDc2MBFDyUkNnTEdM 3SjajwuGLpSyHR+FpOd9hsa5V3rWXyVOzNcRhS2FrlT8Ls4LkyIWvYW0aiWnpo3oOHbP R3rLxAKBHVkKaecCEK8HABDvcwOOPqS5+sXlxzG27RY9jLUwe2Eh1Ghi7dj3THki5iqg a1ew== X-Gm-Message-State: AOAM533RSFXpTSqKVFUq3vYQ2cTMFfQsjnAXW5tAMZaLSbutwLRPx3r6 rs95OKJjKupnhGUmNCciZ3rgL57bvmIBi/9L/bh0vA== X-Received: by 2002:a17:90b:3810:: with SMTP id mq16mr10441923pjb.168.1628211636334; Thu, 05 Aug 2021 18:00:36 -0700 (PDT) MIME-Version: 1.0 References: <20210804174322.2898409-1-sathyanarayanan.kuppuswamy@linux.intel.com> <21db8884-5aa1-3971-79ef-f173a0a95bef@linux.intel.com> <1e0967ee-c41e-fd5d-f553-e4d7ab88838c@linux.intel.com> <9b2956f5-3acf-e798-ff0f-002d2d5254db@linux.intel.com> In-Reply-To: <9b2956f5-3acf-e798-ff0f-002d2d5254db@linux.intel.com> From: Dan Williams Date: Thu, 5 Aug 2021 18:00:25 -0700 Message-ID: Subject: Re: [PATCH v1] driver: base: Add driver filter support To: Andi Kleen Cc: Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , "Rafael J . Wysocki" , Jonathan Corbet , Kuppuswamy Sathyanarayanan , Linux Kernel Mailing List , Linux Doc Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 5, 2021 at 2:10 PM Andi Kleen wrote: > > > On 8/5/2021 12:01 PM, Dan Williams wrote: > > >> That's why I think the builtin allow list hook is still needed. Thoughts? > > I see nothing that prevents a built-in allow list to augment the > > driver-core default. Is there a gap I'm missing? > > > Okay so you're suggesting to build the builtin allow list on top of the > existing framework? > > I thought Greg's suggestion was to only rely on user space only. > > But if we have a way to change the authorized defaults by device (not > just bus) from inside the kernel at early boot that could well work. The default usb authorization is set at device creation time inherited from controller policy, which is in turn inherited from usbcore policy. So appending a built-in way to augment that policy further seems doable. > Doing it only on the bus level I suspect wouldn't work though. I think /sys/devices/.../$dev/authorized attribute can be used generically as the override interface, not that the TDX use case cares about user overrides, but that was the bulk of the unnecessary reinvention. That also addresses the ABI confusion so tools like usbguard don't need to look in 2 places to find a device is not authorized. That said, per-device authorization is a little bit different than per-driver trust. Driver trust is easy to reason about for a built-in policy, while per-device authorization is easy for userspace to reason about for "why is this device not talking to its driver?". So a strawman (I'm willing to watch go up in flames like driver-filter) is an arch overridable callback in driver_sysfs_add() as a central location where a device could have its authorization state set if it has not been previously changed from its initialization value. That callback could then consider device-name, bus-name, and/or driver-name for the default authorization. driver_sysfs_add() should also catch drivers that are manually bound without a bus.