Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1712673pxb; Mon, 11 Oct 2021 11:25:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyzofcVFo2cLsF8VNbrReen4GEGCzL7r2DzBNJE5YctSZhO0Udwi4p20k+t9hcUyaytLA9w X-Received: by 2002:a17:90b:e07:: with SMTP id ge7mr622137pjb.75.1633976728287; Mon, 11 Oct 2021 11:25:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633976728; cv=none; d=google.com; s=arc-20160816; b=WCk5wgF30lj0v1xY7k6V5y1bMmuG2P0oEkpkEcLUWpA7jNf05tmRkpihX0o0Gn5niy cLYButHJVSQLmNEv5xnw3d9ea8ZYZJJ9DNEGbYJG97claVXim3T1xwSAo2gdJ2i/1zDj J9qsGboa+fMjjWT9V1nbeAUOuuJaFYZRsRyXrCzUHlg5lOfIhgm9UbZ44OxRzy453cUl Be8oDkK4eVJosh7XB7zMSjpfWQ0zf4j9tT9loDCXqHJmT/mHu1x4/2daeqfSUuZw1/fo LlPNUYPpAvy0rzYH2/rxx6N99QBVM6UhlLZ7UaGJt/rBcq8pCFMTmDFGxX8M5LohVTRO E5aw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=dMNh2Z50mjXzYsw8NI8wyY+ikUuFKE6oW0fJI23ISWw=; b=p2aEmF3YE1Wy0ZEHuyl3EMNUnKiSm0TTyxpgJq+EWwBTecf81PJuCfQrqV3O0T/Sw/ IMOJ1NJqK0Sk5OeK/VcTgpjJysPwLTigwWSD1XlNj/1pTCOXZC/bLwb6KfLXEWijvY8F QqgmKDDgMFyB5l37OJxx8p8bw53g7TcLUycuEZxJMaMyDE3Os+yozotogfJE7liwrQl5 9Qf/ntQoufltRfD603SmxFlartTQ1Y86EXflPcsipnDno1nJBAo6BW/JvxOes4PHUKfY +eLFgkTDC6yORdVPYHCnIG9LWWL4fe0uzIZQdx3l/MTrKOkLxTQSnDqaG2KipduOZ9Zq /mAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fISYrrSJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t11si9049184pfl.288.2021.10.11.11.25.15; Mon, 11 Oct 2021 11:25:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fISYrrSJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234391AbhJKSYr (ORCPT + 99 others); Mon, 11 Oct 2021 14:24:47 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:59476 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234401AbhJKSYo (ORCPT ); Mon, 11 Oct 2021 14:24:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1633976563; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=dMNh2Z50mjXzYsw8NI8wyY+ikUuFKE6oW0fJI23ISWw=; b=fISYrrSJNh9ZzUprXO1YpfKegc7B9Qj+81C1tBjNjqnDq7uIFV0QC5vTNWL6fmuDzC/oUL GzepTAj17G/Br0CpfRQzdBSPZ+jrgivJkXcBIQAEvHM3hWf0UlcWAdN4JeJFv0fPeVhfDz apBKm7KWzqve5OWKqVG8qMp5lseaa/o= Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-20-u3vntvLvP4iWEALe8jyYHA-1; Mon, 11 Oct 2021 14:22:42 -0400 X-MC-Unique: u3vntvLvP4iWEALe8jyYHA-1 Received: by mail-ed1-f71.google.com with SMTP id t28-20020a508d5c000000b003dad7fc5caeso16594042edt.11 for ; Mon, 11 Oct 2021 11:22:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=dMNh2Z50mjXzYsw8NI8wyY+ikUuFKE6oW0fJI23ISWw=; b=LMrs2LzC9LovFsVHVowDK+9NOzPNpk6C5WVRw7zA3p2DwYJxkhnhrF0ANfGIeizf8l J4Pfu/8BfP7etcAe1R03+Xsc58IPxs63M23o7TyIQ+PW5HBJ/KCSutpxtMWD710FCQh+ m7koBQQzflDZfJmFo5Pgdc43+wEitgWXhwoK0ixpgWj67fPJ1TWkUQVijV9dTt7c1ERi cCOdsceB+H8eFoPUto5sWMUqJRWgBnwCkqA7OZoEXy2HdJpsx/1QgN/pm5y5Zhp4JOBr dybidJbFhJS8vZkz1uTGzCGDUGx7wO01/TdCYkiLGSTtUxJ880u5C1nhrAMVu+qPdWI3 VlvQ== X-Gm-Message-State: AOAM530kEyOfX8mQrMpANZvf4a3IYoIDwZzRZjA0unNG0D9NSEf2SKQB 5iYVTYgpxwCJT1GV5HeYFoi2IDEjcvr2dDJ608yp7Jzg1ZvXIjMLOAFgksBLE4FtjF7QAPOdPHC fexk/B5IJhC17Qk/++xSk2/nz X-Received: by 2002:aa7:c941:: with SMTP id h1mr44235670edt.128.1633976560834; Mon, 11 Oct 2021 11:22:40 -0700 (PDT) X-Received: by 2002:aa7:c941:: with SMTP id h1mr44235616edt.128.1633976560614; Mon, 11 Oct 2021 11:22:40 -0700 (PDT) Received: from redhat.com ([2.55.159.57]) by smtp.gmail.com with ESMTPSA id u2sm4623544eda.32.2021.10.11.11.22.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Oct 2021 11:22:39 -0700 (PDT) Date: Mon, 11 Oct 2021 14:22:33 -0400 From: "Michael S. Tsirkin" To: Andi Kleen Cc: Kuppuswamy Sathyanarayanan , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , Bjorn Helgaas , Richard Henderson , Thomas Bogendoerfer , James E J Bottomley , Helge Deller , "David S . Miller" , Arnd Bergmann , Jonathan Corbet , Paolo Bonzini , David Hildenbrand , Andrea Arcangeli , Josh Poimboeuf , Peter H Anvin , Dave Hansen , Tony Luck , Dan Williams , Kirill Shutemov , Sean Christopherson , Kuppuswamy Sathyanarayanan , x86@kernel.org, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-alpha@vger.kernel.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, sparclinux@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: Re: [PATCH v5 12/16] PCI: Add pci_iomap_host_shared(), pci_iomap_host_shared_range() Message-ID: <20211011141248-mutt-send-email-mst@kernel.org> References: <20211009003711.1390019-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20211009003711.1390019-13-sathyanarayanan.kuppuswamy@linux.intel.com> <20211009053103-mutt-send-email-mst@kernel.org> <20211011073614-mutt-send-email-mst@kernel.org> <78766e28-8353-acc8-19e2-033d4bbf3472@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <78766e28-8353-acc8-19e2-033d4bbf3472@linux.intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 11, 2021 at 10:32:23AM -0700, Andi Kleen wrote: > > > Because it does not end with I/O operations, that's a trivial example. > > module unloading is famous for being racy: I just re-read that part of > > virtio drivers and sure enough we have bugs there, this is after > > they have presumably been audited, so a TDX guest is better off > > just disabling hot-unplug completely, and hotplug isn't far behind. > > These all shouldn't matter for a confidential guest. The only way it can be > attacked is through IO, everything else is protected by hardware. > > > Also it would all require doing something at the guest level, which we > assume is not malicious. > > > > Malicious filesystems can exploit many linux systems unless > > you take pains to limit what is mounted and how. > > That's expected to be handled by authenticated dmcrypt and similar. > Hardening at this level has been done for many years. It's possible to do it like this, sure. But that's not the only configuration, userspace needs to be smart about setting things up. Which is my point really. > > > Networking devices tend to get into the default namespaces and can > > do more or less whatever CAP_NET_ADMIN can. > > Etc. > > > Networking should be already hardened, otherwise you would have much worse > problems today. Same thing. NFS is pretty common, you are saying don't do it then. Fair enough but again, arbitrary configs just aren't going to be secure. > > > > hange in your subsystem here. > > Well I commented on the API patch, not the virtio patch. > > If it's a way for a driver to say "I am hardened > > and audited" then I guess it should at least say so. > > > This is handled by the central allow list. We intentionally didn't want each > driver to declare itself, but have a central list where changes will get > more scrutiny than random driver code. Makes sense. Additionally, distros can tweak that to their heart's content, selecting the functionality/security balance that makes sense for them. > But then there are the additional opt-ins for the low level firewall. These > are in the API. I don't see how it could be done at the driver level, unless > you want to pass in a struct device everywhere? I am just saying don't do it then. Don't build drivers that distro does not want to support into kernel. And don't load them when they are modules. > > > > How about creating a defconfig that makes sense for TDX then? > > > TDX can be used in many different ways, I don't think a defconfig is > > > practical. > > > > > > In theory you could do some Kconfig dependency (at the pain point of having > > > separate kernel binariees), but why not just do it at run time then if you > > > maintain the list anyways. That's much easier and saner for everyone. In the > > > past we usually always ended up with runtime mechanism for similar things > > > anyways. > > > > > > Also it turns out that the filter mechanisms are needed for some arch > > > drivers which are not even configurable, so alone it's probably not enough, > > > > I guess they aren't really needed though right, or you won't try to > > filter them? > > We're addressing most of them with the device filter for platform drivers. > But since we cannot stop them doing ioremap IO in their init code they also > need the low level firewall. > > Some others that cannot be addressed have explicit disables. > > > > So make them configurable? > > Why not just fix the runtime? It's much saner for everyone. Proposing to do > things at build time sounds like we're in Linux 0.99 days. > > -Andi Um. Tweaking driver code is not just build time, it's development time. At least with kconfig you don't need to patch your kernel. -- MST