Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp706868pxb; Thu, 30 Sep 2021 15:37:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw2klIiwm1H11di4m82G2pdzxyeqG5CIipDGdduTyPGblT7TE/5xtqe350vP6xQyIuvu31a X-Received: by 2002:a17:906:c014:: with SMTP id e20mr2201136ejz.166.1633041420049; Thu, 30 Sep 2021 15:37:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633041420; cv=none; d=google.com; s=arc-20160816; b=BjqMrHHr0EMLplnjd60DCr5suHHjn9AWGDtmciYqmKpi6IshYntka4isKfEElfpqmj jrfQzrvuIFD6aM29xIXYOn7AShi1Pr97ZT5QsJro61WWZCk1IvZRnemXnyqcsPOAhGMB QRfpg8JuVIs2jQPJWOgDSxU1paPj+DFQIlwPY+9NtD8uhlkdCsYFxURntDFTiibriY6P izYe0lI3MkOti/cYQ1REi/7fYvFXbWwjSzPUpxPp1MHpLbXpHi1iMkQdksdRHPIuy6OU TvDS9TU9aM4LoHDF1159ajg12RsRzoD7B1IoPRzpRdmu5xsupMWMtNiVl4zZwE//v9ke bKNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=EegLg7G6oX0mg09xAofUB5J9qlzlBIL7Z/hw/S5V7qs=; b=0YCtUT4mOx2B9s9eFV5Zja1aN8lCNGtig8B425j5H0lZbkzIUuuDG3EylGTzNJQ56T OwoafyMAcXscNvz513Q7rvTLI+Mf28EzWblB8sUzJOwLR8B1gI/A4gXN375h6jUIgXNB FY1f6le8GXKnjj4VqFyIoxIpIZr4AA43+PrCD4pyk8I7s8TmVD7ul/Zb8WzMByRzI19N fCS2F+8UH9KxCNa0My8awIbhsDh4swI98quR5B71F/PYN6jwsgp7rB02Yarzpl6WnTmp itpPSwnpeUyJqjjfecWGQlRXv3JLaevBJ14zAVmtP7jdQ8I6gkjiJ06vvifR0jPwicWH m+Lw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dc6si1682919ejb.152.2021.09.30.15.36.33; Thu, 30 Sep 2021 15:37:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229929AbhI3Uqb (ORCPT + 99 others); Thu, 30 Sep 2021 16:46:31 -0400 Received: from netrider.rowland.org ([192.131.102.5]:39341 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S229948AbhI3Uqb (ORCPT ); Thu, 30 Sep 2021 16:46:31 -0400 Received: (qmail 483354 invoked by uid 1000); 30 Sep 2021 16:44:47 -0400 Date: Thu, 30 Sep 2021 16:44:47 -0400 From: Alan Stern To: Andi Kleen Cc: "Michael S. Tsirkin" , Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , Borislav Petkov , x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org, "Reshetova, Elena" Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices Message-ID: <20210930204447.GA482974@rowland.harvard.edu> References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104924-mutt-send-email-mst@kernel.org> <20210930153509.GF464826@rowland.harvard.edu> <20210930115243-mutt-send-email-mst@kernel.org> <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 30, 2021 at 12:23:36PM -0700, Andi Kleen wrote: > > > I don't think the current mitigations under discussion here are about > > keeping the system working. In fact most encrypted VM configs tend to > > stop booting as a preferred way to handle security issues. > > Maybe we should avoid the "trusted" term here. We're only really using it > because USB is using it and we're now using a common framework like Greg > requested. But I don't think it's the right way to think about it. > > We usually call the drivers "hardened". The requirement for a hardened > driver is that all interactions through MMIO/port/config space IO/MSRs are > sanitized and do not cause memory safety issues or other information leaks. > Other than that there is no requirement on the functionality. In particular > DOS is ok since a malicious hypervisor can decide to not run the guest at > any time anyways. > > Someone loading an malicious driver inside the guest would be out of scope. > If an attacker can do that inside the guest you already violated the > security mechanisms and there are likely easier ways to take over the guest > or leak data. > > The goal of the device filter mechanism is to prevent loading unhardened > drivers that could be exploited without them being themselves malicious. If all you want to do is prevent someone from loading a bunch of drivers that you have identified as unhardened, why not just use a modprobe blacklist? Am I missing something? Alan Stern