Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp836386pxb; Thu, 30 Sep 2021 19:24:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxFKJ6LkHy2T4eT4f1DzZIpJ8KdkMYWTqimvl1cwJNzaD8NEw3NALkPRrQIrhLz4vN7f3M0 X-Received: by 2002:a17:906:60c2:: with SMTP id f2mr3168450ejk.531.1633055048172; Thu, 30 Sep 2021 19:24:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633055048; cv=none; d=google.com; s=arc-20160816; b=qqfDhHLNF9r5f/58RhUOA0GM33iw2PFUtJL1SybzZ1eCPd0jxpLkEYaM3C4IpkaSfO Gw/8lI6msvDczdvftepZp9yzhQvEUh72yGMdP/stpFA9i+LukINsTUjB518qCKgAMGta oAcVPqEjictLQOq1Vy28fGbYnMbYVe0LjeAVas9zPs2lIgeJ4PTBXrAumixOrpXG88iN a4RR6R4w98R+7YtP+5kJmvWRxeUeh10QxIv2bbGcNWU9W/KmNQ/Nph2k1OoWze+nK1jM TWwqFvtZmUzCV8s7JG0/V97ZL4ZRcuJcCR+IUX+hsZoo2eYsrYvWf/yDISBYxadI1Oqc w9Jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=H1v7bfhbOYS9QQdwJ+dS1BX8nNt2lEyswi+C4uaCxgo=; b=qMqfWoQHzZiWbV3Yr0xxNmJMhXwAbWoLulZlMNTzRTmZRRp+Bu7CPvBTdNznvE0Bnq 9iUQrT5NveINP9TUDbfFkG7xtsIHCpvALMQlO6/cHvqMLYMR3x1ULeaNU3Ll38FsQssO A/sPKqkFZS2kvhJAbuTRETXU2KsrICS3m9/ogZUmHcxK1wyysWbN7uqqMQdsiz21gUED C59kB2yTP115dIm8S9VcJabVIIgiBrip5lRQdgd+hT4PB2Zc/JmcnBOvAtcOrj06SiTt RyjwUlv8JJIpnhz3l7iPdfZQGVr12JOID7LC55oYKgzheemVedybO4qG0V6pe//+QG9i TOqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20210112.gappssmtp.com header.s=20210112 header.b=MCfltqqp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cc25si5926461edb.495.2021.09.30.19.23.41; Thu, 30 Sep 2021 19:24:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20210112.gappssmtp.com header.s=20210112 header.b=MCfltqqp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351441AbhJACV7 (ORCPT + 99 others); Thu, 30 Sep 2021 22:21:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57110 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230260AbhJACV6 (ORCPT ); Thu, 30 Sep 2021 22:21:58 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B1A0C06176A for ; Thu, 30 Sep 2021 19:20:15 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id k23so5527624pji.0 for ; Thu, 30 Sep 2021 19:20:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=H1v7bfhbOYS9QQdwJ+dS1BX8nNt2lEyswi+C4uaCxgo=; b=MCfltqqpgRZMipzrqKNzE4TCzkTYOE432mzaARuP6ZAPdOOvgGLlpUvdiffi7khzpY r5ytcuFoPT7QP1M4OkD8d4AAlvn+vL0MyimnfkqRJhaR81vcmlu24dPrEc+YtKAlQybA 7uURmtuUtHfa/Nr7Epu3ozIGiZBUv0ryceNZpKerlCXqf9QNQpSj9B83sEeRR3HGje2V ccammWBDCWeMLsP2DpIOuH4BWPqRZiqqTRMGUl6o6QVUfFIn9+Kh4TihdfnVd9FVq5xA pfY/wl98KGZ2b/jqHOnCN5/hR5tIVmL9HTa0U3Dihde1AMTPm61wVlHLUYFEkJnvJlU6 RSGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=H1v7bfhbOYS9QQdwJ+dS1BX8nNt2lEyswi+C4uaCxgo=; b=MuyNUIaOFeiHgBWfnp3V4hEs+Z6+zU9D3PSQ46Ldhr8yiwi0Xw3KjCHMjap9bO9OFR xkqCs5oGS+MYYKMtY57LLF7ww9yXp0gEWWSLxmyTRKS11VvVSta01AzjTrsM4aJmVrST 4q3Zu0nbeHpdTbGzUpT4OLjgmQKzhrZ6zHVnXnoncISFSiIXrNuzcknsWD6DBtmREJTk PB6Idw+ufqacrEmv+iRgdL7ch7Q0BNdd67PYPA58zLh0LtbTj4Y/yekTvwqAqp/nbXHQ oeHIsf4O68hK+56IGyh7iyk0Zzz7WDZLjqyFVvyjoQ3RpVfz1Cc+W5IjbUygPS8yRiud 4UJw== X-Gm-Message-State: AOAM530l5+XwH8b6Iv+/5BQwJJVJRD7D3tkABxIkBjRzDZ3+gi1rgttW GepNzGJvxPKP4JSxBUrh3nHRhtmd9gqNpKAoyNzBRg== X-Received: by 2002:a17:902:8a97:b0:13e:6e77:af59 with SMTP id p23-20020a1709028a9700b0013e6e77af59mr5975436plo.4.1633054814608; Thu, 30 Sep 2021 19:20:14 -0700 (PDT) MIME-Version: 1.0 References: <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104924-mutt-send-email-mst@kernel.org> <20210930153509.GF464826@rowland.harvard.edu> <20210930115243-mutt-send-email-mst@kernel.org> <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> <20210930204447.GA482974@rowland.harvard.edu> <20211001014114.GB489012@rowland.harvard.edu> In-Reply-To: <20211001014114.GB489012@rowland.harvard.edu> From: Dan Williams Date: Thu, 30 Sep 2021 19:20:04 -0700 Message-ID: Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices To: Alan Stern Cc: Andi Kleen , "Michael S. Tsirkin" , Greg Kroah-Hartman , Kuppuswamy Sathyanarayanan , Borislav Petkov , X86 ML , Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Kuppuswamy Sathyanarayanan , Linux Kernel Mailing List , Linux PCI , USB list , virtualization@lists.linux-foundation.org, "Reshetova, Elena" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 30, 2021 at 6:41 PM Alan Stern wrote: > > On Thu, Sep 30, 2021 at 01:52:59PM -0700, Dan Williams wrote: > > On Thu, Sep 30, 2021 at 1:44 PM Alan Stern wrote: > > > > > > On Thu, Sep 30, 2021 at 12:23:36PM -0700, Andi Kleen wrote: > > > > > > > > > I don't think the current mitigations under discussion here are about > > > > > keeping the system working. In fact most encrypted VM configs tend to > > > > > stop booting as a preferred way to handle security issues. > > > > > > > > Maybe we should avoid the "trusted" term here. We're only really using it > > > > because USB is using it and we're now using a common framework like Greg > > > > requested. But I don't think it's the right way to think about it. > > > > > > > > We usually call the drivers "hardened". The requirement for a hardened > > > > driver is that all interactions through MMIO/port/config space IO/MSRs are > > > > sanitized and do not cause memory safety issues or other information leaks. > > > > Other than that there is no requirement on the functionality. In particular > > > > DOS is ok since a malicious hypervisor can decide to not run the guest at > > > > any time anyways. > > > > > > > > Someone loading an malicious driver inside the guest would be out of scope. > > > > If an attacker can do that inside the guest you already violated the > > > > security mechanisms and there are likely easier ways to take over the guest > > > > or leak data. > > > > > > > > The goal of the device filter mechanism is to prevent loading unhardened > > > > drivers that could be exploited without them being themselves malicious. > > > > > > If all you want to do is prevent someone from loading a bunch of > > > drivers that you have identified as unhardened, why not just use a > > > modprobe blacklist? Am I missing something? > > > > modules != drivers (i.e. multi-driver modules are a thing) and builtin > > modules do not adhere to modprobe policy. > > > > There is also a desire to be able to support a single kernel image > > across hosts and guests. So, if you were going to say, "just compile > > all unnecessary drivers as modules" that defeats the common kernel > > image goal. For confidential computing the expectation is that the > > necessary device set is small. As you can see in the patches in this > > case it's just a few lines of PCI ids and a hack to the virtio bus to > > achieve the goal of disabling all extraneous devices by default. > > > > If your goal is to prevent some unwanted _drivers_ from operating -- > or all but a few desired drivers, as the case may be -- why extend > the "authorized" API to all _devices_? Why not instead develop a > separate API (but of similar form) for drivers? > > Wouldn't that make more sense? It corresponds a lot more directly > with what you say you want to accomplish. This was v1. v1 was NAKd [1] [2]: [1]: https://lore.kernel.org/all/YQwpa+LAYt7YZ5dh@kroah.com/ [2]: https://lore.kernel.org/all/YQzDqm6FOezM6Rnu@kroah.com/ > What would you do in the theoretical case where two separate drivers > can manage the same device, but one of them is desired (or hardened) > and the other isn't? Allow for user override, just like we do today for new_id, remove_id, bind, and unbind when default driver policy is insufficient. echo 1 > /sys/bus/$bus/devices/$device/authorized echo $device > /sys/bus/$bus/drivers/$desired_driver/bind The device filter is really only necessary to bootstrap until you can run override policy scripts. The driver firewall approach was overkill in that regard.