Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp409759pxb; Thu, 30 Sep 2021 08:36:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyussQgp++4dg6egEv0ixMvIiimyEOe6cimwgs4SEXBgZPjU7BWG4ncBq/DXvPMOCnCpJHU X-Received: by 2002:a62:7c17:0:b0:44c:bd0:1109 with SMTP id x23-20020a627c17000000b0044c0bd01109mr541725pfc.31.1633016192193; Thu, 30 Sep 2021 08:36:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633016192; cv=none; d=google.com; s=arc-20160816; b=KZkeyrExI283g976jzLFxCOwPqmRmwAd2ZCkLnN0IDkNJWb5Dd2SUbtSvEUqVtStcv 8TPLQp1GeRjXBsuug9A4FaiB9tCsf7AFd/pspZ2V8+MPCDGSMpff2QJkM5e/DDzLncKH TN8YxPB+6mmlUnW8RUEoZCxdOJL6w5ARm4AShPwRwnnWxZkf9z17mWLz0uFlhij2yI+C K2ZYx863125ZurzxeGbITzGWcl5jv+827Iy7l0AllPG72Qagn2LTHveuGOAY96iy76ms /Er49RYmxNk78uzAHhpcwud0+uS7ytcMsbA6inbZ3BfHXJWM9k90ox2o+HwVo9eccqIJ 7/iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=pppfPAdJocNV+i+2zyVK8kbXlSakwZnE6RJXmW5JCdc=; b=hd1iN3HVkfRLPbPqPN/P0bE28obgifw0llAP/QkANzWpoB9rsv5w6pFoFki2WOjjeT MHWq/Pl355rTTcOwrpbRGW8+Z8Dzq7GDg3Yazuj3ByDMo5EeFmomuOtQLUcu+EkkYw7C iv6xwwDZD2Rs7rnLvriKdXhRYHec5XBIXR0UuFQVDJJWWaj64eOWxL2Nj26ILbvcaCLa ku4cxUZMLAEMyCLL5BTcXBHkXJuSIUlm9+wnwyC5y0fdHgpzE1RQ0WfqvhJuHEbFo24+ AZdur9c1ot3HC/DVFpPBOFTsNqRDHkKI2c6LQqXzQyVs9D5bUQ6ZLMlX6Khv2QhvKAVe IRqQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d23si3616965pgv.55.2021.09.30.08.36.19; Thu, 30 Sep 2021 08:36:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344502AbhI3Pej (ORCPT + 99 others); Thu, 30 Sep 2021 11:34:39 -0400 Received: from netrider.rowland.org ([192.131.102.5]:45569 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1344431AbhI3PeY (ORCPT ); Thu, 30 Sep 2021 11:34:24 -0400 Received: (qmail 472797 invoked by uid 1000); 30 Sep 2021 11:32:41 -0400 Date: Thu, 30 Sep 2021 11:32:41 -0400 From: Alan Stern To: "Michael S. Tsirkin" Cc: Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , Borislav Petkov , x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Andi Kleen , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices Message-ID: <20210930153241.GE464826@rowland.harvard.edu> References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104640-mutt-send-email-mst@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210930104640-mutt-send-email-mst@kernel.org> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 30, 2021 at 10:48:54AM -0400, Michael S. Tsirkin wrote: > On Thu, Sep 30, 2021 at 10:43:05AM -0400, Alan Stern wrote: > > I don't see any point in talking about "untrusted drivers". If a > > driver isn't trusted then it doesn't belong in your kernel. Period. > > When you load a driver into your kernel, you are implicitly trusting > > it (aside from limitations imposed by security modules). The code > > it contains, the module_init code in particular, runs with full > > superuser permissions. > > > > What use is there in loading a driver but telling the kernel "I don't > > trust this driver, so don't allow it to probe any devices"? Why not > > just blacklist it so that it never gets modprobed in the first place? > > > > Alan Stern > > When the driver is built-in, it seems useful to be able to block it > without rebuilding the kernel. This is just flipping it around > and using an allow-list for cases where you want to severly > limit the available functionality. Does this make sense? The only way to tell the kernel to block a built-in driver is by using some boot-command-line option. Otherwise the driver's init code will run before you have a chance to tell the kernel anything at all. So if you change your mind about whether a driver should be blocked, all you have to do is remove the blocking option from the command line and reboot. No kernel rebuild is necessary. Alan Stern