Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp670714pxb; Thu, 30 Sep 2021 14:37:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxzlJlDWyYpcnLfE6j2KyeCz9WSrBW11JHciuJVC0gOnEP2b5rwa+9pNpgVg6VOhdi6ziTS X-Received: by 2002:a05:6402:50cc:: with SMTP id h12mr10272044edb.112.1633037834888; Thu, 30 Sep 2021 14:37:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633037834; cv=none; d=google.com; s=arc-20160816; b=XoF0QluzpsK5sC+eCUs88WBI88TRKelGGkb91blCX0ib7NWKNHRjkunrr9O98FCGSt Tx04a3T/QxDDvgKXqj2VPTBhwAGk2O4eDau89bVNpugzGEckX4oJI1hMYfTPXWnEfCkH tfnxX6+A/Gsrcs2u2iKcuWwCQ8gi3MacrR8w2YW2AunrKlmcn7Jq9t9Fuff8bsFpNp5F PbxV9QfIkSJwwWzj+hCuIbquDgM3pXH5PjP1M44V2on719ujU85FzR0d5JsiTXPg/E+q hRVjI49xqNf2n5RYXgBtn59OKE5Wo9GMBSD02XAuTsZNUQTe2yUqkJLseak9ZIM21Tin xdqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2qejnfdUY8QWELT35ESORodSvftZM3gHJyDt93Qq8uI=; b=YtGJgMvhaf6oRzwxRfDkXNtH9zB3XE2gBYS3oCE7oGnxLltcXsaaA4OrGt18CtOwBP fGZGXwacIrqHgZMK27ZnXlVmhqSbCm9fZjEE0dqK2xsItQhYzoG/BlWtngmLqoKodtX+ rpa8j3hmpcqkPmLm8KR348/VrDuwnjGOMpYz/2oq6Gjs4iUXJYkwzaSRcgh5kRIrhusy CG+14Ba/d2Z3cpNdf7kfSJCmtU/b2QTOol9QylzNk8XMyKmwAbJnWOBfURHHSGuaq0aY tQACpzL9Xb6y5LT3KVwxvk66NjsoXrORhqVIAMwvtMBaUDyNoEjHnZBqaYeNswf0Rqkm Ie3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20210112.gappssmtp.com header.s=20210112 header.b=CUV7eUpd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t2si5002021ejo.96.2021.09.30.14.36.37; Thu, 30 Sep 2021 14:37:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20210112.gappssmtp.com header.s=20210112 header.b=CUV7eUpd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344464AbhI3Uyx (ORCPT + 99 others); Thu, 30 Sep 2021 16:54:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40566 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346766AbhI3Uyw (ORCPT ); Thu, 30 Sep 2021 16:54:52 -0400 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED699C06176D for ; Thu, 30 Sep 2021 13:53:09 -0700 (PDT) Received: by mail-pl1-x62b.google.com with SMTP id b22so4906195pls.1 for ; Thu, 30 Sep 2021 13:53:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2qejnfdUY8QWELT35ESORodSvftZM3gHJyDt93Qq8uI=; b=CUV7eUpdDe63xSCyeA5r9yN4N81HMfi00d9dCTu2g6Y1QDXRMIKSN7KVxpOpex4R4G pLTEfol+/8HIkj80GwEeD3mLgeXqDqiPvHeQ5l1tWfx0ImoZw0Zx2zcVEr8E0ZCjUzHM gvkScgFJ0p80ga65nSCzha0vGzMCgwbTmCtT3wuBUj9EB2kEgh1CtMcVUzGxVerYQF+U J8nlGmdESK2QB3GBZCKwqIMn7p3kXDe4lPSVvFYqLvvvYpa8hSwM3J9Ba6OfkoIKBIQH bqn4zl1Hz2+Ywd5H94eavdUwBAhhFF2uACxiWEWUL4gAFa0kAd+416a9ZlRoWtHW6Ll4 L1Nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2qejnfdUY8QWELT35ESORodSvftZM3gHJyDt93Qq8uI=; b=Ab8kC8FFHcNCJTIv2t8kYVgYKxLo/ZF/LVa+2Dvpvrf5QY2J8kfoA5Tvnldv9IfR93 eifqa9/20Qi+OC/V974uuq2KECnh063TAT32nUxx4uB7qPmtL6hLUSduOiXH+pFIIiJY E5SEc74P/uzH1cnrdsf8REldrw8d69FLKLcLwH2nmSC1N+t4JIPfa/oiiBxsS6yDaUnM TbizXBCQdoWYfNBOF639l07sGLoDUGnvjFJWUgDkxuQSgqZ0ENfLXRgarT3MA2v9foo/ KO7aoYG6BQdQjZrbwfY1AyUpwjrva0/EU3kQTbC9ybMTLEPPwjZZlgwJZFhwVxdZJFgw hXYw== X-Gm-Message-State: AOAM530zQ+a/F1AIVh8E9swCPI60fq78xK2dXw2pTF9ZN4jZJ8D0J2ER cx4U8XXkAZQ64MKKoj/SG+jXEskGDHE1BaCYfHTpkw== X-Received: by 2002:a17:902:e80f:b0:13b:721d:f750 with SMTP id u15-20020a170902e80f00b0013b721df750mr6161717plg.18.1633035189290; Thu, 30 Sep 2021 13:53:09 -0700 (PDT) MIME-Version: 1.0 References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104924-mutt-send-email-mst@kernel.org> <20210930153509.GF464826@rowland.harvard.edu> <20210930115243-mutt-send-email-mst@kernel.org> <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> <20210930204447.GA482974@rowland.harvard.edu> In-Reply-To: <20210930204447.GA482974@rowland.harvard.edu> From: Dan Williams Date: Thu, 30 Sep 2021 13:52:59 -0700 Message-ID: Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices To: Alan Stern Cc: Andi Kleen , "Michael S. Tsirkin" , Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , Borislav Petkov , X86 ML , Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Kuppuswamy Sathyanarayanan , Linux Kernel Mailing List , Linux PCI , USB list , virtualization@lists.linux-foundation.org, "Reshetova, Elena" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 30, 2021 at 1:44 PM Alan Stern wrote: > > On Thu, Sep 30, 2021 at 12:23:36PM -0700, Andi Kleen wrote: > > > > > I don't think the current mitigations under discussion here are about > > > keeping the system working. In fact most encrypted VM configs tend to > > > stop booting as a preferred way to handle security issues. > > > > Maybe we should avoid the "trusted" term here. We're only really using it > > because USB is using it and we're now using a common framework like Greg > > requested. But I don't think it's the right way to think about it. > > > > We usually call the drivers "hardened". The requirement for a hardened > > driver is that all interactions through MMIO/port/config space IO/MSRs are > > sanitized and do not cause memory safety issues or other information leaks. > > Other than that there is no requirement on the functionality. In particular > > DOS is ok since a malicious hypervisor can decide to not run the guest at > > any time anyways. > > > > Someone loading an malicious driver inside the guest would be out of scope. > > If an attacker can do that inside the guest you already violated the > > security mechanisms and there are likely easier ways to take over the guest > > or leak data. > > > > The goal of the device filter mechanism is to prevent loading unhardened > > drivers that could be exploited without them being themselves malicious. > > If all you want to do is prevent someone from loading a bunch of > drivers that you have identified as unhardened, why not just use a > modprobe blacklist? Am I missing something? modules != drivers (i.e. multi-driver modules are a thing) and builtin modules do not adhere to modprobe policy. There is also a desire to be able to support a single kernel image across hosts and guests. So, if you were going to say, "just compile all unnecessary drivers as modules" that defeats the common kernel image goal. For confidential computing the expectation is that the necessary device set is small. As you can see in the patches in this case it's just a few lines of PCI ids and a hack to the virtio bus to achieve the goal of disabling all extraneous devices by default.