Received: by 2002:a05:6512:3d0e:0:0:0:0 with SMTP id d14csp51836lfv; Tue, 12 Apr 2022 16:57:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwCueZ/x3KS1MdCBLna5hOQQxFgISbE0QqaRQR/CoJjiqchaS3m+qVH/ttBwSxHHpnwi0V7 X-Received: by 2002:a17:90b:33c7:b0:1cb:e1f4:4601 with SMTP id lk7-20020a17090b33c700b001cbe1f44601mr6245365pjb.175.1649807846576; Tue, 12 Apr 2022 16:57:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649807846; cv=none; d=google.com; s=arc-20160816; b=vCsyNls0F6SPEa4CZhXbmzEWfQ98U0VcqS2EWQ46Krn0HBY0f1gnSns3PNT5+kZhfi 6GpPoYbrFqT3a/cns7QlpfafqZP0gSBlA2ELgXorWSmDtgQbQA+m7z6hkpGjJx9irLJJ jOs2bq5bEcFZw+NzDBu82GxxnObEAem8bDND80wstU6jWmoeo++iZLJs7hJ/lwKNblXt ejKMmSHr99KWgcEzNQw0Qq/8urJxSBITBDc16vRcELti656YgtR8QgV84mv8kVNvqKsQ FQQtT2g360TUnVt87fRraR45KAao1FhTSOzSzcgFKlxMXsfmsqPaS3vTFqKrB6CUUli/ j5NA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=o4OAO7nnZ8OX/KlCcPdZAiTQkP3Ef4YaiBMzQMe37GA=; b=CUU0GZ8M+OhPs+lfEXiDY8eRsrvvjeN9RTpkgmLve0899mDT0vSQ96PJO8xCT0bhUT L1Mk+zxgPQ/5MondqVZ6uvnREXv6XQqAete/qH5zhDiNcKrDdQ0DCXJtwoRcShX0iyHB MNwPcNEKhKgOtHKUXciU6DK/qOUDzWaIwEv4b8YavtDckdoNdVfvtXrIqRUIYBaM30+s eoZOT7nwKQIjb3WGPywVk4FilEnirXqE8NKjytKsEogdnCXF1R5S5GeCP/Nl11PmEXne 1GWKL5iUKuV2bTNRLzIGR257JWkwdHfNhRDvi6QpGqsvtbjCNCejyIZz2GjlN2ctkgJb B3RA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=XHFbMCuk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id s12-20020a170902ea0c00b00153b2d16445si13731552plg.77.2022.04.12.16.57.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Apr 2022 16:57:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=XHFbMCuk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 77CA1203A78; Tue, 12 Apr 2022 14:53:16 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382214AbiDLJ2I (ORCPT + 99 others); Tue, 12 Apr 2022 05:28:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1380805AbiDLIWl (ORCPT ); Tue, 12 Apr 2022 04:22:41 -0400 Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E077E527D7 for ; Tue, 12 Apr 2022 00:51:17 -0700 (PDT) Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-2ec0bb4b715so63658847b3.5 for ; Tue, 12 Apr 2022 00:51:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=o4OAO7nnZ8OX/KlCcPdZAiTQkP3Ef4YaiBMzQMe37GA=; b=XHFbMCuk71uIwAmqpOLD+1cpGGkLISo3rmscX0zDWdVz+rawJMip57rBRdFqM564Ka IDEMXvaUDLMk4/MRFkETpelYTzl0BpQuKd+bOXpm3O7cpB1FTZS3E2tLJnv2mk1ezK+w jhWqehoogEsX+UvQnb8ZbQ2YHfQqKprWe6T0M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=o4OAO7nnZ8OX/KlCcPdZAiTQkP3Ef4YaiBMzQMe37GA=; b=Yk5qpiEf2Mn2V6lzmjKx1AyekSQm5wslO9FV3P9rEQyfdhJLVfbpNOz3kDY5vE9eN1 mFG2Kxdhy1YGZBk3RyxffyXqTdNdSJyP1D0fdpFQ8EAZ0ju5cmIXFbnrcft+FJqBqiRZ ZiFZivAHOWLA0ahgGeuZ9KTlQN3vB4TLZtdyMuh54ul96U+hNgsMPNQO+za5Pv5eM/2u 0HjVsx1nLRBJ71Q9verNFKaCbTN4nAoGHqTtGp9eWVwsikVUxno6zBDEQFF6sdS/UowH 8/GKv/nugNzp1bOi+LgxMVhpSFCDeaVMB1jLNqj91erwsgZKhpxzd3Kw+DGCGLaXp9nZ Vqnw== X-Gm-Message-State: AOAM5321QNhOFoHIkagQNhe809p357oOtb/b9GeZkdLVTqfjRsgMOiUV mHpgoxHW8IIXG/BatUZ1zDiakqig+yw8UVL4+h408Q== X-Received: by 2002:a0d:c602:0:b0:2ec:472:5e32 with SMTP id i2-20020a0dc602000000b002ec04725e32mr9740269ywd.364.1649749877009; Tue, 12 Apr 2022 00:51:17 -0700 (PDT) MIME-Version: 1.0 References: <20220406071131.2930035-1-stevensd@google.com> <20220406131300.7pgdcpdhexwvczsb@pali> In-Reply-To: <20220406131300.7pgdcpdhexwvczsb@pali> From: David Stevens Date: Tue, 12 Apr 2022 16:51:06 +0900 Message-ID: Subject: Re: [RFC] PCI: sysfs: add bypass for config read admin check To: =?UTF-8?Q?Pali_Roh=C3=A1r?= Cc: Greg Kroah-Hartman , linux-pci@vger.kernel.org, Bjorn Helgaas , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 6, 2022 at 10:13 PM Pali Roh=C3=A1r wrote: > > On Wednesday 06 April 2022 10:09:33 Greg Kroah-Hartman wrote: > > On Wed, Apr 06, 2022 at 04:11:31PM +0900, David Stevens wrote: > > > From: David Stevens > > > > > > Add a moduleparam that can be set to bypass the check that limits use= rs > > > without CAP_SYS_ADMIN to only being able to read the first 64 bytes o= f > > > the config space. This allows systems without problematic hardware to= be > > > configured to allow users without CAP_SYS_ADMIN to read PCI > > > capabilities. > > > > > > Signed-off-by: David Stevens > > > --- > > > drivers/pci/pci-sysfs.c | 10 +++++++++- > > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > > > index 602f0fb0b007..162423b3c052 100644 > > > --- a/drivers/pci/pci-sysfs.c > > > +++ b/drivers/pci/pci-sysfs.c > > > @@ -28,10 +28,17 @@ > > > #include > > > #include > > > #include > > > +#include > > > #include "pci.h" > > > > > > static int sysfs_initialized; /* =3D 0 */ > > > > > > +static bool allow_unsafe_config_reads; > > > +module_param_named(allow_unsafe_config_reads, > > > + allow_unsafe_config_reads, bool, 0644); > > > +MODULE_PARM_DESC(allow_unsafe_config_reads, > > > + "Enable full read access to config space without CAP_SYS= _ADMIN."); > > > > No, this is not the 1990's, please do not add system-wide module > > parameters like this. Especially ones that circumvent security > > protections. > > > > Also, where did you document this new option? > > > > Why not just add this to a LSM instead? > > > > > /* show configuration fields */ > > > #define pci_config_attr(field, format_string) = \ > > > static ssize_t = \ > > > @@ -696,7 +703,8 @@ static ssize_t pci_read_config(struct file *filp,= struct kobject *kobj, > > > u8 *data =3D (u8 *) buf; > > > > > > /* Several chips lock up trying to read undefined config space */ > > > - if (file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN)) > > > + if (allow_unsafe_config_reads || > > > + file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN)) > > > > This feels really dangerous. What benifit are you getting here by > > allowing an unpriviliged user to read this information? > > Hello! This is really dangerous. > > Nowadays operating systems are in progress to completely disallow PCI > config space access from userspace. So doing opposite thing and even > enable it for unprivileged users in Linux is hazard. > > For example NT kernel in Windows 11 already completely disallowed access > to PCI config space from userspace unless NT kernel is booted in mode > for local debugging with disabled UEFI secure boot. And access in this > case is only for highly privileged processes (debug privilege in access > token). > > So... should not we move into same direction like other operating system > and start disallowing access to PCI config space from userspace > completely too? For example when kernel lockdown feature is enabled? > > In PCI config space of some devices are stored also non-PCI registers > and accessing them was not really mean for userspace and for sure not > for unprivileged users. On AMD x86 platforms is into PCI config space of > some device mapped for example CPU MSR registers (at fixed offset, after > linked listed of capabilities). Probably in Intel x86 is something > similar too. On Synopsis Designware based PCIe HW is into PCI config > space of Root Port mapped large range of IP configuration registers. > > So "This allows systems without problematic hardware" means that such > system must be non-AMD, non-Designware and probably also non-Intel. It's interesting to hear that what seems to have been added 18 years ago as a safeguard against faulty hardware (i.e. "Several chips lock up trying to read undefined config space") has become a load bearing security check. I guess because that check is there, it wasn't worth adding a LOCKDOWN_PCI_ACCESS check to pci_read_config? Regardless, I've found that with a bit of work in userspace, vfio is sufficient for my use case. -David