Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp605924pxb; Thu, 30 Sep 2021 12:57:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwZ9kVAW4MOYB7b8NVCDx4r7KGP1HlWBNFzB7zYuU09SXloyrG3TApEWrp1jg1KtlZ8srHf X-Received: by 2002:a17:906:118f:: with SMTP id n15mr1366188eja.239.1633031828205; Thu, 30 Sep 2021 12:57:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633031828; cv=none; d=google.com; s=arc-20160816; b=UR41h6hVt1zuvQVz13wI1ArYafjRyot1FOq/WzFHalQaAGDuiyJvs57nGk1N3gWSAT KSDlC4uJdqyMhckqBytxppc0tuRUeUFVHYYc+slmkw7p+BOPNacIdJqSkAKmMa2eqMTl NweCEy/r8Eds/Wa99Rk+28tzWzt8XW+VrunILk6GE1CCzXatdX0GiYhT0NrM4/3RVhsY E/GsgYaQpzdfssGtBFCyz1pt62F/Bgddg+rJ0nnrPUOQOTdasFpt4+9V1o+JM5zrZ8FW 54Sh/2HC9d6kxZaG7kKoD8pf+gUpFgCYeotctgMqOk+SsKkBk+4BPHx/Qqlt9FRbmNzd l70g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=oEakz+Ggs5p0Nxd4qwgnsSlnnwL1LSB8hgEhh9WmoSw=; b=zM2r27hDnk3cyDobAFH8StBdsLuknZ+mnLBDnJdnaYRKVDdk3HerqcMCiEKPh6eOhM ijQgssRgHhjSLKuHN+dx4Uf4lvl1RMoq3e8HTiXQhGjZwKgVZnNgLovDE0zwPxjK7Cxk btQYUuTOw59XbO/iY12sx1pgF4SSIbYcg0xVR+zSvADa6ugT/Aq/CDaIABYm3rW38DZB dqcwjUd4BARVnv6MEc/HYS95TiNPzzdgni0tnVWW7pdJsfafiLe+MsDlEo8guXJlvYol ol4rhGh4/HDntwHpnfQ9qrevAUsz3E/Ync0stBFnU+EQPE9aFB0oPAv81iJiFIMhqXYJ DRUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x18si4647307edl.617.2021.09.30.12.56.37; Thu, 30 Sep 2021 12:57:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346878AbhI3TZZ (ORCPT + 99 others); Thu, 30 Sep 2021 15:25:25 -0400 Received: from mga11.intel.com ([192.55.52.93]:53651 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344294AbhI3TZV (ORCPT ); Thu, 30 Sep 2021 15:25:21 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10123"; a="222068292" X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="222068292" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:23:38 -0700 X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="438153232" Received: from akleen-mobl1.amr.corp.intel.com (HELO [10.252.134.229]) ([10.252.134.229]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:23:37 -0700 Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices To: "Michael S. Tsirkin" , Alan Stern Cc: Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , Borislav Petkov , x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org, "Reshetova, Elena" References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104924-mutt-send-email-mst@kernel.org> <20210930153509.GF464826@rowland.harvard.edu> <20210930115243-mutt-send-email-mst@kernel.org> From: Andi Kleen Message-ID: <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> Date: Thu, 30 Sep 2021 12:23:36 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <20210930115243-mutt-send-email-mst@kernel.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > I don't think the current mitigations under discussion here are about > keeping the system working. In fact most encrypted VM configs tend to > stop booting as a preferred way to handle security issues. Maybe we should avoid the "trusted" term here. We're only really using it because USB is using it and we're now using a common framework like Greg requested. But I don't think it's the right way to think about it. We usually call the drivers "hardened". The requirement for a hardened driver is that all interactions through MMIO/port/config space IO/MSRs are sanitized and do not cause memory safety issues or other information leaks. Other than that there is no requirement on the functionality. In particular DOS is ok since a malicious hypervisor can decide to not run the guest at any time anyways. Someone loading an malicious driver inside the guest would be out of scope. If an attacker can do that inside the guest you already violated the security mechanisms and there are likely easier ways to take over the guest or leak data. The goal of the device filter mechanism is to prevent loading unhardened drivers that could be exploited without them being themselves malicious. -Andi