linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
To: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: jmorris@namei.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	x86@kernel.org
Subject: Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down
Date: Wed, 5 Jan 2022 18:05:26 +0800	[thread overview]
Message-ID: <CAAd53p6VcAo0MVMWerTag42cWFE2ifzdQ=AFmGd9a=2gFjgv5A@mail.gmail.com> (raw)
In-Reply-To: <20220105072010.GA31134@srcf.ucam.org>

On Wed, Jan 5, 2022 at 3:20 PM Matthew Garrett <mjg59@srcf.ucam.org> wrote:
>
> On Wed, Jan 05, 2022 at 02:57:57PM +0800, Kai-Heng Feng wrote:
>
> > The affected system from the customer has SecureBoot enabled (and
> > hence lockdown), and the kernel upgrade surprisingly broke ioperm()
> > usage.
>
> Which kernel was being used that was signed but didn't implement
> lockdown? That sounds, uh, bad.

It was upgraded from older distro release. Older kernels don't have lockdown.

>
> > The userspace program is proprietary so I can't share it here.
>
> Ok. Are you able to describe anything about what it does so we can
> figure out a better solution?
>
> > Basically this patch makes ioperm() a noop on SecureBoot enabled x86 systems.
> > If reverting is not an option, what else can we do to circumvent the regression?
>
> There's two main choices:
>
> 1) Disable secure boot on the system in question - if there's a need to
> run userland that can do arbitrary port IO then secure boot isn't
> providing any meaningful security benefit in any case.

How so?
Other security features are still incredible valuable, we don't want
to toss them out just because someone has to use ioperm().

>
> 2) Implement a kernel driver that abstracts the hardware access away
> from userland, and ensures that all the accesses are performed in a safe
> way.
>
> Doing port IO from userland is almost always a terrible idea - it
> usually involves indexed accesses (you write an address to one port and
> then write or read data from another), and if two processes are trying
> to do this simultaneously (either because SMP or because one process
> gets preempted after writing the address but before accessing the data
> register), and in that case you can end up with accesses to the wrong
> register as a result. You really want this sort of thing to be mediated
> by the kernel, both from a safety perspective and to ensure appropriate
> synchronisation.

Agree, let me start a discussion with them.

Kai-Heng

  reply	other threads:[~2022-01-05 10:05 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-20  0:17 [PATCH V40 00/29] Add kernel lockdown functionality Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 01/29] security: Support early LSMs Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 02/29] security: Add a "locked down" LSM hook Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 05/29] lockdown: Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 06/29] kexec_load: Disable at runtime if " Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 07/29] lockdown: Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-08-30 14:26   ` Philipp Rudo
2019-08-20  0:17 ` [PATCH V40 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 10/29] hibernate: Disable when " Matthew Garrett
2019-08-20 21:43   ` Rafael J. Wysocki
2019-08-25  9:51   ` Pavel Machek
2019-08-20  0:17 ` [PATCH V40 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-08-20 19:45   ` Bjorn Helgaas
2019-08-20 21:04     ` Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 12/29] x86: Lock down IO port " Matthew Garrett
2022-01-05  6:25   ` Kai-Heng Feng
2022-01-05  6:48     ` Matthew Garrett
2022-01-05  6:57       ` Kai-Heng Feng
2022-01-05  7:20         ` Matthew Garrett
2022-01-05 10:05           ` Kai-Heng Feng [this message]
2022-01-05 10:14             ` Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-08-20 22:07   ` Rafael J. Wysocki
2019-08-20  0:17 ` [PATCH V40 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-08-20 22:08   ` Rafael J. Wysocki
2019-08-20  0:17 ` [PATCH V40 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-08-20 22:08   ` Rafael J. Wysocki
2019-08-20  0:17 ` [PATCH V40 17/29] lockdown: Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 18/29] lockdown: Lock down TIOCSSERIAL Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 19/29] lockdown: Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-20 16:39   ` Jessica Yu
2019-08-20  0:17 ` [PATCH V40 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 21/29] lockdown: Lock down /proc/kcore Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 22/29] lockdown: Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-08-20  0:17 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 24/29] lockdown: Lock down perf when " Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 27/29] tracefs: Restrict tracefs " Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 28/29] efi: Restrict efivar_ssdt_load " Matthew Garrett
2019-08-20  0:18 ` [PATCH V40 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-08-20  6:45 ` [PATCH V40 00/29] Add kernel lockdown functionality James Morris
2019-08-30 16:28 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM David Howells
2019-09-04 16:51   ` Matthew Garrett
2019-09-10 10:06     ` Matthew Garrett
2019-08-30 16:31 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down David Howells
2019-09-04 16:57   ` Matthew Garrett
2019-08-30 16:32 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAd53p6VcAo0MVMWerTag42cWFE2ifzdQ=AFmGd9a=2gFjgv5A@mail.gmail.com' \
    --to=kai.heng.feng@canonical.com \
    --cc=dhowells@redhat.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@srcf.ucam.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).