From: Paul Moore
Date: Tue, 14 May 2024 15:50:09 -0400
Subject: Re: [PATCH v18 20/21] Documentation: add ipe documentation
To: Fan Wu
Cc: Bagas Sanjaya, corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, fsverity@lists.linux.dev, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org, Deven Bowers
References: <1714775551-22384-1-git-send-email-wufan@linux.microsoft.com> <1714775551-22384-21-git-send-email-wufan@linux.microsoft.com>
List: linux-kernel@vger.kernel.org

On Sat, May 4, 2024 at 4:13 PM Fan Wu wrote:
> On 5/4/2024 1:04 AM, Bagas Sanjaya wrote:
> > On Fri, May 03, 2024 at 03:32:30PM -0700, Fan Wu wrote:
> >> +IPE does not mitigate threats arising from malicious but authorized
> >> +developers (with access to a signing certificate), or compromised
> >> +developer tools used by them (i.e. return-oriented programming attacks).
> >> +Additionally, IPE draws hard security boundary between userspace and
> >> +kernelspace. As a result, IPE does not provide any protections against a
> >> +kernel level exploit, and a kernel-level exploit can disable or tamper
> >> +with IPE's protections.
> >
> > So how to mitigate kernel-level exploits then?
>
> One possible way is to use a hypervisor to protect the kernel integrity.
> https://github.com/heki-linux is one project in this direction. Perhaps
> I should also add this link to the doc.

I wouldn't spend a lot of time on kernel exploits in the IPE documentation
as it is out of scope for IPE. In fact, I would say just that in the last
sentence in the paragraph above:

"As a result, kernel-level exploits are considered outside the scope of IPE
and mitigation is left to other mechanisms."

(or something similar)

-- 
paul-moore.com
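Review bot: in the quoted documentation hunk, the parenthetical "compromised developer tools used by them (i.e. return-oriented programming attacks)" equates compromised tooling with ROP; a return-oriented programming attack is one example of how code an authorized signer shipped can be subverted at runtime, not a definition of compromised tools, so "e.g." (or "such as") reads more accurately, and it would be clearer still to state directly that code-reuse attacks against already-authorized binaries are out of scope. Two smaller nits in the same hunk: "IPE draws hard security boundary" is missing an article ("draws a hard security boundary"), and "kernel level exploit" and "kernel-level exploit" are hyphenated inconsistently within a single sentence; if the final sentence is reworded along the lines Paul suggests, the hyphenation inconsistency goes away with it.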