From: Rajat Jain <rajatja@google.com>
To: Jesse Barnes <jsbarnes@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Rajat Jain <rajatxjain@gmail.com>,
Bjorn Helgaas <helgaas@kernel.org>,
"Raj, Ashok" <ashok.raj@intel.com>,
"Krishnakumar,
Lalithambika" <lalithambika.krishnakumar@intel.com>,
Bjorn Helgaas <bhelgaas@google.com>,
linux-pci <linux-pci@vger.kernel.org>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Jean-Philippe Brucker <jean-philippe@linaro.org>,
Prashant Malani <pmalani@google.com>,
Benson Leung <bleung@google.com>, Todd Broch <tbroch@google.com>,
Alex Levin <levinale@google.com>,
Mattias Nissler <mnissler@google.com>,
Zubin Mithra <zsm@google.com>,
Bernie Keany <bernie.keany@intel.com>,
Aaron Durbin <adurbin@google.com>,
Diego Rivas <diegorivas@google.com>,
Duncan Laurie <dlaurie@google.com>,
Furquan Shaikh <furquan@google.com>,
Christian Kellner <christian@kellner.me>,
Alex Williamson <alex.williamson@redhat.com>,
Joerg Roedel <joro@8bytes.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers
Date: Mon, 8 Jun 2020 11:41:19 -0700 [thread overview]
Message-ID: <CACK8Z6GZprVZMM=JQ-9zjosYQ6OLpifp_g8RmSTa3HwWWTB8Lw@mail.gmail.com> (raw)
In-Reply-To: <CAJmaN=mvnrLLkJC=6ddO_Rj+1FpRHoQzWFo9W3AZmsW_qS5CYQ@mail.gmail.com>
Hi Jesse and Greg,
On Mon, Jun 8, 2020 at 11:30 AM Jesse Barnes <jsbarnes@google.com> wrote:
>
> > > I think your suggestion to disable driver binding once the initial
> > > bus/slot devices have been bound will probably work for this
> > > situation. I just wanted to be clear that without some auditing,
> > > fuzzing, and additional testing, we simply have to assume that drivers
> > > are *not* secure and avoid using them on untrusted devices until we're
> > > fairly confident they can handle them (whether just misbehaving or
> > > malicious), in combination with other approaches like IOMMUs of
> > > course. And this isn't because we don't trust driver authors or
> > > kernel developers to dtrt, it's just that for many devices (maybe USB
> > > is an exception) I think driver authors haven't had to consider this
> > > case much, and so I think it's prudent to expect bugs in this area
> > > that we need to find & fix.
> >
> > For USB, yes, we have now had to deal with "untrusted devices" lieing
> > about their ids and sending us horrible data. That's all due to the
> > fuzzing tools that have been written over the past few years, and now we
> > have some of those in the kernel tree itself to help with that testing.
This is great to hear! I tried to look up but didn't find anything
else in-kernel, except the kcov support to export coverage info for
userspace fuzzers. Can you please give us some pointers for in-kernel
fuzzing tools?
> >
> > For PCI, heh, good luck, those assumptions about "devices sending valid
> > data" are everywhere, if our experience with USB is any indication.
> >
> > But, to take USB as an example, this is exactly what the USB
> > "authorized" flag is there for, it's a "trust" setting that userspace
> > has control over. This came from the wireless USB spec, where it was
> > determined that you could not trust devices. So just use that same
> > model here, move it to the driver core for all busses to use and you
> > should be fine.
> >
> > If that doesn't meet your needs, please let me know the specifics of
> > why, with patches :)
>
> Yeah will do for sure. I don't want to carry a big infra for this on our own!
>
> > Now, as to you all getting some sort of "Hardware flag" to determine
> > "inside" vs. "outside" devices, hah, good luck! It took us a long time
> > to get that for USB, and even then, BIOSes lie and get it wrong all the
> > time. So you will have to also deal with that in some way, for your
> > userspace policy.
>
> I think that's inherently platform specific to some extent. We can do
> it with our coreboot based firmware, but there's no guarantee other
> vendors will adopt the same approach. But I think at least for the
> ChromeOS ecosystem we can come up with something that'll work, and
> allow us to dtrt in userspace wrt driver binding.
Agree, we can work with our firmware teams to get that right, and then
expose it from kernel to userspace to help it implement the policy we
want.
Thanks & Best Regards,
Rajat
>
> Thanks,
> Jesse
next prev parent reply other threads:[~2020-06-08 18:42 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 23:07 [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers Rajat Jain
2020-05-04 11:47 ` Jean-Philippe Brucker
2020-05-04 11:59 ` Jean-Philippe Brucker
2020-05-04 19:17 ` Rajat Jain
2020-05-05 12:33 ` Mika Westerberg
2020-05-06 18:51 ` Rajat Jain
2020-05-11 20:31 ` Rajat Jain
2020-05-13 15:19 ` Bjorn Helgaas
2020-05-13 21:26 ` Rajat Jain
2020-05-14 13:42 ` Mika Westerberg
2020-05-14 19:12 ` Raj, Ashok
2020-05-15 2:18 ` Rajat Jain
2020-05-26 16:30 ` Rajat Jain
2020-06-01 23:25 ` Bjorn Helgaas
2020-06-02 5:06 ` Greg Kroah-Hartman
2020-06-03 2:27 ` Rajat Jain
2020-06-03 6:07 ` Greg Kroah-Hartman
2020-06-03 11:51 ` Rajat Jain
2020-06-03 12:16 ` Greg Kroah-Hartman
2020-06-03 12:57 ` Rajat Jain
2020-06-03 13:29 ` Greg Kroah-Hartman
2020-06-04 19:38 ` Rajat Jain
2020-06-05 8:02 ` Greg Kroah-Hartman
2020-06-06 1:08 ` Rajat Jain
2020-06-07 11:36 ` Greg Kroah-Hartman
2020-06-08 17:03 ` Jesse Barnes
2020-06-08 17:50 ` Greg Kroah-Hartman
2020-06-08 18:29 ` Jesse Barnes
2020-06-08 18:41 ` Rajat Jain [this message]
2020-06-09 9:54 ` Greg Kroah-Hartman
2020-06-30 21:46 ` Pavel Machek
2020-06-09 5:57 ` Greg Kroah-Hartman
2020-06-30 21:45 ` Pavel Machek
2020-07-01 6:54 ` Greg Kroah-Hartman
2020-07-01 8:47 ` Pavel Machek
2020-07-01 10:57 ` Greg Kroah-Hartman
2020-07-01 11:08 ` Pavel Machek
2020-06-09 21:04 ` Bjorn Helgaas
2020-06-09 23:23 ` Rajat Jain
2020-06-10 0:04 ` Bjorn Helgaas
2020-06-10 0:30 ` Rajat Jain
2020-06-10 20:17 ` Rajat Jain
2020-06-10 23:09 ` Bjorn Helgaas
2020-06-10 23:01 ` Bjorn Helgaas
2020-06-10 23:46 ` Rajat Jain
2020-06-10 7:13 ` Greg Kroah-Hartman
2020-06-10 1:34 ` Oliver O'Halloran
2020-06-10 19:57 ` Rajat Jain
2020-06-16 1:24 ` Rajat Jain
2020-06-10 7:12 ` Greg Kroah-Hartman
2020-05-15 12:44 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACK8Z6GZprVZMM=JQ-9zjosYQ6OLpifp_g8RmSTa3HwWWTB8Lw@mail.gmail.com' \
--to=rajatja@google.com \
--cc=adurbin@google.com \
--cc=alex.williamson@redhat.com \
--cc=ashok.raj@intel.com \
--cc=bernie.keany@intel.com \
--cc=bhelgaas@google.com \
--cc=bleung@google.com \
--cc=christian@kellner.me \
--cc=diegorivas@google.com \
--cc=dlaurie@google.com \
--cc=furquan@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=helgaas@kernel.org \
--cc=jean-philippe@linaro.org \
--cc=joro@8bytes.org \
--cc=jsbarnes@google.com \
--cc=lalithambika.krishnakumar@intel.com \
--cc=levinale@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=mnissler@google.com \
--cc=pmalani@google.com \
--cc=rajatxjain@gmail.com \
--cc=tbroch@google.com \
--cc=zsm@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).