Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp815268pxb;
        Thu, 30 Sep 2021 18:43:30 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyEysESLKrm9eJ3FuK59Vg0M7NZO3+e94ugzYkkM05ceMisfOojnm1EaAqQB+hyopZYX5gC
X-Received: by 2002:a62:3383:0:b0:438:4b0d:e50e with SMTP id z125-20020a623383000000b004384b0de50emr7471954pfz.9.1633052610536;
        Thu, 30 Sep 2021 18:43:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1633052610; cv=none;
        d=google.com; s=arc-20160816;
        b=eFubhuF/dnvzxfqxsCJGQfw7Rn7k01B46HzUkRKn0ZjL3rT/dmCDTdFCN3Pf38kHFY
         W5oCbdyJl5PPEuo+g8I4S1x6zgUNMwOoVouE2gh/aZY0QMLRBE0YbUZyer1Q3L2WyHeb
         d5kQHJHt4v7H/uWQUtPmQvMf3St+QB3YizSjK2ia37d7KZtCeNvWDkIGrAXJp9JXr5o3
         7Fjw+weI4DCC8WXSPZnlUhEIbn9b/dGvd2C0JRnTl8r1pK4tcZfRJ4CLGSf/vgG7YZAO
         U9AcX5Ox59WJgqDoS/EBNT8CAzIx3PX3TXO7iPapCdATvPKB9Y6RahDa8r0LVfLd89aj
         m6qA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=ql8ygcjWewXOEIQOy4/k6uq0ycdFLAJnbsa8FRMcyiY=;
        b=WM0dg5+jUTlBQIa+yE++5Tte2YK3jK9vgrAydsUbz/bDJd9v2sREnCUBk1OWZrNiMn
         2uN7taU/Y+tdqxMk5BJti8SW+5+2/yF+aS3vjIbb4B0FxDIa/u/FpzN68JT1EyU1DL6u
         PwRL5NhMEZBeu9y05SLpkKXFVh64lbxbGMDlJpoCFjkw7dkObmcL6k/W1AMhQ54QCSSb
         AfEopFROa4OhMdTeWR2geJ3t3LpaQUNuGG4Qz8wQDgkr+ev9C5ALKGLI8RMBEwTFNK/Z
         gSJr09BqQrNPnWpY5Emwt9/birPlLJ7s/blGTtyTcDjmRzigKwpGhE0+0fomhtP9JCwJ
         oPwQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a10si5502655pll.352.2021.09.30.18.43.16;
        Thu, 30 Sep 2021 18:43:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230237AbhJABm7 (ORCPT <rfc822;longbowk@gmail.com> + 99 others);
        Thu, 30 Sep 2021 21:42:59 -0400
Received: from netrider.rowland.org ([192.131.102.5]:45903 "HELO
        netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S230224AbhJABm6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Sep 2021 21:42:58 -0400
Received: (qmail 489289 invoked by uid 1000); 30 Sep 2021 21:41:14 -0400
Date:   Thu, 30 Sep 2021 21:41:14 -0400
From:   Alan Stern <stern@rowland.harvard.edu>
To:     Dan Williams <dan.j.williams@intel.com>
Cc:     Andi Kleen <ak@linux.intel.com>,
        "Michael S. Tsirkin" <mst@redhat.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@linux.intel.com>,
        Borislav Petkov <bp@alien8.de>, X86 ML <x86@kernel.org>,
        Bjorn Helgaas <bhelgaas@google.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        Andreas Noever <andreas.noever@gmail.com>,
        Michael Jamet <michael.jamet@intel.com>,
        Yehezkel Bernat <YehezkelShB@gmail.com>,
        "Rafael J . Wysocki" <rafael@kernel.org>,
        Mika Westerberg <mika.westerberg@linux.intel.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Jason Wang <jasowang@redhat.com>,
        Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Linux PCI <linux-pci@vger.kernel.org>,
        USB list <linux-usb@vger.kernel.org>,
        virtualization@lists.linux-foundation.org,
        "Reshetova, Elena" <elena.reshetova@intel.com>
Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for
 un-authorized devices
Message-ID: <20211001014114.GB489012@rowland.harvard.edu>
References: <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com>
 <20210930065807-mutt-send-email-mst@kernel.org>
 <YVXBNJ431YIWwZdQ@kroah.com>
 <20210930144305.GA464826@rowland.harvard.edu>
 <20210930104924-mutt-send-email-mst@kernel.org>
 <20210930153509.GF464826@rowland.harvard.edu>
 <20210930115243-mutt-send-email-mst@kernel.org>
 <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com>
 <20210930204447.GA482974@rowland.harvard.edu>
 <CAPcyv4j8DvsMYppRtm=+JQWc7nJGoXeAGGz9U150x0p_KekqcA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAPcyv4j8DvsMYppRtm=+JQWc7nJGoXeAGGz9U150x0p_KekqcA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 30, 2021 at 01:52:59PM -0700, Dan Williams wrote:
> On Thu, Sep 30, 2021 at 1:44 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Thu, Sep 30, 2021 at 12:23:36PM -0700, Andi Kleen wrote:
> > >
> > > > I don't think the current mitigations under discussion here are about
> > > > keeping the system working. In fact most encrypted VM configs tend to
> > > > stop booting as a preferred way to handle security issues.
> > >
> > > Maybe we should avoid the "trusted" term here. We're only really using it
> > > because USB is using it and we're now using a common framework like Greg
> > > requested. But I don't think it's the right way to think about it.
> > >
> > > We usually call the drivers "hardened". The requirement for a hardened
> > > driver is that all interactions through MMIO/port/config space IO/MSRs are
> > > sanitized and do not cause memory safety issues or other information leaks.
> > > Other than that there is no requirement on the functionality. In particular
> > > DOS is ok since a malicious hypervisor can decide to not run the guest at
> > > any time anyways.
> > >
> > > Someone loading an malicious driver inside the guest would be out of scope.
> > > If an attacker can do that inside the guest you already violated the
> > > security mechanisms and there are likely easier ways to take over the guest
> > > or leak data.
> > >
> > > The goal of the device filter mechanism is to prevent loading unhardened
> > > drivers that could be exploited without them being themselves malicious.
> >
> > If all you want to do is prevent someone from loading a bunch of
> > drivers that you have identified as unhardened, why not just use a
> > modprobe blacklist?  Am I missing something?
> 
> modules != drivers (i.e. multi-driver modules are a thing) and builtin
> modules do not adhere to modprobe policy.
> 
> There is also a desire to be able to support a single kernel image
> across hosts and guests. So, if you were going to say, "just compile
> all unnecessary drivers as modules" that defeats the common kernel
> image goal. For confidential computing the expectation is that the
> necessary device set is small. As you can see in the patches in this
> case it's just a few lines of PCI ids and a hack to the virtio bus to
> achieve the goal of disabling all extraneous devices by default.



If your goal is to prevent some unwanted _drivers_ from operating -- 
or all but a few desired drivers, as the case may be -- why extend 
the "authorized" API to all _devices_?  Why not instead develop a 
separate API (but of similar form) for drivers?

Wouldn't that make more sense?  It corresponds a lot more directly 
with what you say you want to accomplish.

What would you do in the theoretical case where two separate drivers 
can manage the same device, but one of them is desired (or hardened) 
and the other isn't?

Alan Stern