From: Christopher M Riedl <cmr@informatik.wtf>
To: Daniel Axtens <dja@axtens.net>,
linuxppc-dev@ozlabs.org, kernel-hardening@lists.openwall.com
Cc: ajd@linux.ibm.com
Subject: Re: [PATCH v5 2/2] powerpc/xmon: Restrict when kernel is locked down
Date: Thu, 29 Aug 2019 07:36:21 -0500 (CDT)
Message-ID: <4809745.37851.1567082181205@privateemail.com>
In-Reply-To: <87d0gov2l5.fsf@dja-thinkpad.axtens.net>
> On August 29, 2019 at 2:43 AM Daniel Axtens <dja@axtens.net> wrote:
>
>
> Hi,
>
> > Xmon should be either fully or partially disabled depending on the
> > kernel lockdown state.
>
> I've been kicking the tyres of this, and it seems to work well:
>
> Tested-by: Daniel Axtens <dja@axtens.net>
>
Thank you for taking the time to test this!
>
> I have one small nit: if I enter confidentiality mode and then try to
> enter xmon, I get 32 messages about clearing the breakpoints each time I
> try to enter xmon:
>
Ugh, that's annoying. I tested this on a vm w/ 2 vcpus but should have
considered the case of more vcpus :(
>
> root@dja-guest:~# echo confidentiality > /sys/kernel/security/lockdown
> root@dja-guest:~# echo x >/proc/sysrq-trigger
> [ 489.585400] sysrq: Entering xmon
> xmon: Disabled due to kernel lockdown
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> ...
>
> Investigating, I see that this is because my vm has 32 vcpus, and I'm
> getting one per CPU.
>
> Looking at the call sites, there's only one other caller, so I think you
> might be better served with this:
>
> diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
> index 94a5fada3034..fcaf1d568162 100644
> --- a/arch/powerpc/xmon/xmon.c
> +++ b/arch/powerpc/xmon/xmon.c
> @@ -3833,10 +3833,6 @@ static void clear_all_bpt(void)
> iabr = NULL;
> dabr.enabled = 0;
> }
> -
> - get_output_lock();
> - printf("xmon: All breakpoints cleared\n");
> - release_output_lock();
> }
>
> #ifdef CONFIG_DEBUG_FS
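Review bot: dropping the message from clear_all_bpt() also silences its only other caller, the lockdown path that the log above shows running once per CPU (32 copies on a 32-vcpu guest), which is the intended fix; that path still prints "xmon: Disabled due to kernel lockdown" once, so the operator loses no information, but the commit message for the next version should say that the lockdown path is now deliberately quiet about breakpoints so nobody reads the missing line as a failed clear.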
> @@ -3846,8 +3842,13 @@ static int xmon_dbgfs_set(void *data, u64 val)
> xmon_init(xmon_on);
>
> /* make sure all breakpoints removed when disabling */
> - if (!xmon_on)
> + if (!xmon_on) {
> clear_all_bpt();
> + get_output_lock();
> + printf("xmon: All breakpoints cleared\n");
> + release_output_lock();
> + }
> +
> return 0;
> }
>
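Review bot: the added blank line before `return 0;` is an unrelated whitespace change and should be dropped so the hunk contains only the moved message; the rest is fine, since the printf stays inside the get_output_lock()/release_output_lock() pair exactly as it was in clear_all_bpt(), and the braces around the now multi-statement `if (!xmon_on)` body follow kernel style. Consider extending the comment "make sure all breakpoints removed when disabling" to mention that the confirmation message is printed here rather than in clear_all_bpt(), since the dbgfs path is now the only place it appears.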
Good point, I will add this to the next version, thanks!
>
> Apart from that:
> Reviewed-by: Daniel Axtens <dja@axtens.net>
>
> Regards,
> Daniel
>