kernel-hardening.lists.openwall.com archive mirror
From: Christopher M Riedl <cmr@informatik.wtf>
To: Daniel Axtens <dja@axtens.net>,
	linuxppc-dev@ozlabs.org, kernel-hardening@lists.openwall.com
Cc: ajd@linux.ibm.com
Subject: Re: [PATCH v5 2/2] powerpc/xmon: Restrict when kernel is locked down
Date: Thu, 29 Aug 2019 07:36:21 -0500 (CDT)	[thread overview]
Message-ID: <4809745.37851.1567082181205@privateemail.com> (raw)
In-Reply-To: <87d0gov2l5.fsf@dja-thinkpad.axtens.net>


> On August 29, 2019 at 2:43 AM Daniel Axtens <dja@axtens.net> wrote:
> 
> 
> Hi,
> 
> > Xmon should be either fully or partially disabled depending on the
> > kernel lockdown state.
> 
> I've been kicking the tyres of this, and it seems to work well:
> 
> Tested-by: Daniel Axtens <dja@axtens.net>
> 

Thank you for taking the time to test this!

>
> I have one small nit: if I enter confidentiality mode and then try to
> enter xmon, I get 32 messages about clearing the breakpoints each time I
> try to enter xmon:
>

Ugh, that's annoying. I tested this on a vm w/ 2 vcpus but should have
considered the case of more vcpus :(

> 
> root@dja-guest:~# echo confidentiality > /sys/kernel/security/lockdown 
> root@dja-guest:~# echo x >/proc/sysrq-trigger 
> [  489.585400] sysrq: Entering xmon
> xmon: Disabled due to kernel lockdown
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> ...
> 
> Investigating, I see that this is because my vm has 32 vcpus, and I'm
> getting one per CPU.
> 
> Looking at the call sites, there's only one other caller, so I think you
> might be better served with this:
> 
> diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
> index 94a5fada3034..fcaf1d568162 100644
> --- a/arch/powerpc/xmon/xmon.c
> +++ b/arch/powerpc/xmon/xmon.c
> @@ -3833,10 +3833,6 @@ static void clear_all_bpt(void)
>                 iabr = NULL;
>                 dabr.enabled = 0;
>         }
> -
> -       get_output_lock();
> -       printf("xmon: All breakpoints cleared\n");
> -       release_output_lock();
>  }
>  
>  #ifdef CONFIG_DEBUG_FS
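Review bot: this removes the message but not the cause of the flood; the lockdown path still calls clear_all_bpt() once per CPU (32 times in the reported test), and the state the visible context touches (`iabr = NULL;`, `dabr.enabled = 0;`) is global rather than per-CPU, so it is worth checking whether that path could clear once instead of on every CPU, which would make silencing the function unnecessary. If the per-CPU calls are kept, a one-line comment above clear_all_bpt() noting that callers are now responsible for reporting would document the changed contract.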
> @@ -3846,8 +3842,13 @@ static int xmon_dbgfs_set(void *data, u64 val)
>         xmon_init(xmon_on);
>  
>         /* make sure all breakpoints removed when disabling */
> -       if (!xmon_on)
> +       if (!xmon_on) {
>                 clear_all_bpt();
> +               get_output_lock();
> +               printf("xmon: All breakpoints cleared\n");
> +               release_output_lock();
> +       }
> +
>         return 0;
>  }
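Review bot: the comment above the block should now also cover the message, since a reader no longer finds it inside clear_all_bpt(); something like `/* make sure all breakpoints removed (and say so) when disabling via debugfs */` would do. The braces around the now multi-statement `if (!xmon_on)` body and the lock held around `printf()` match the removed lines, so no further change is needed there.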
>

Good point, I will add this to the next version, thanks!

>
> Apart from that:
> Reviewed-by: Daniel Axtens <dja@axtens.net>
> 
> Regards,
> Daniel
>
