From: joeyli <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org,
gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down
Date: Fri, 20 Oct 2017 14:42:26 +0800 [thread overview]
Message-ID: <20171020064226.GR3285@linux-l9pv.suse> (raw)
In-Reply-To: <150842470945.7923.134066103094708461.stgit@warthog.procyon.org.uk>
On Thu, Oct 19, 2017 at 03:51:49PM +0100, David Howells wrote:
> From: Matthew Garrett <matthew.garrett@nebula.com>
>
> Any hardware that can potentially generate DMA has to be locked down in
> order to avoid it being possible for an attacker to modify kernel code,
> allowing them to circumvent disabled module loading or module signing.
> Default to paranoid - in future we can potentially relax this for
> sufficiently IOMMU-isolated devices.
>
> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: Bjorn Helgaas <bhelgaas@google.com>
I have reviewed this patch. Please feel free to add:
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Thanks a lot!
Joey Lee
> cc: linux-pci@vger.kernel.org
> ---
>
> drivers/pci/pci-sysfs.c | 9 +++++++++
> drivers/pci/proc.c | 9 ++++++++-
> drivers/pci/syscall.c | 3 ++-
> 3 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index 1eecfa301f7f..e1a3b0e765c2 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -881,6 +881,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
> loff_t init_off = off;
> u8 *data = (u8 *) buf;
>
> + if (kernel_is_locked_down("Direct PCI access"))
> + return -EPERM;
> +
> if (off > dev->cfg_size)
> return 0;
> if (off + count > dev->cfg_size) {
> @@ -1175,6 +1178,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
> enum pci_mmap_state mmap_type;
> struct resource *res = &pdev->resource[bar];
>
> + if (kernel_is_locked_down("Direct PCI access"))
> + return -EPERM;
> +
> if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
> return -EINVAL;
>
> @@ -1255,6 +1261,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
> struct bin_attribute *attr, char *buf,
> loff_t off, size_t count)
> {
> + if (kernel_is_locked_down("Direct PCI access"))
> + return -EPERM;
> +
> return pci_resource_io(filp, kobj, attr, buf, off, count, true);
> }
>
> diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
> index 098360d7ff81..a6c53d855daa 100644
> --- a/drivers/pci/proc.c
> +++ b/drivers/pci/proc.c
> @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
> int size = dev->cfg_size;
> int cnt;
>
> + if (kernel_is_locked_down("Direct PCI access"))
> + return -EPERM;
> +
> if (pos >= size)
> return 0;
> if (nbytes >= size)
> @@ -195,6 +198,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
> #endif /* HAVE_PCI_MMAP */
> int ret = 0;
>
> + if (kernel_is_locked_down("Direct PCI access"))
> + return -EPERM;
> +
> switch (cmd) {
> case PCIIOC_CONTROLLER:
> ret = pci_domain_nr(dev->bus);
> @@ -236,7 +242,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
> struct pci_filp_private *fpriv = file->private_data;
> int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM;
>
> - if (!capable(CAP_SYS_RAWIO))
> + if (!capable(CAP_SYS_RAWIO) ||
> + kernel_is_locked_down("Direct PCI access"))
> return -EPERM;
>
> if (fpriv->mmap_state == pci_mmap_io) {
> diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
> index 9bf993e1f71e..afa01cc3ceec 100644
> --- a/drivers/pci/syscall.c
> +++ b/drivers/pci/syscall.c
> @@ -92,7 +92,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
> u32 dword;
> int err = 0;
>
> - if (!capable(CAP_SYS_ADMIN))
> + if (!capable(CAP_SYS_ADMIN) ||
> + kernel_is_locked_down("Direct PCI access"))
> return -EPERM;
>
> dev = pci_get_bus_and_slot(bus, dfn);
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-efi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-10-20 6:42 UTC|newest]
Thread overview: 152+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-19 14:50 [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-19 14:50 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image David Howells
2017-10-20 23:19 ` James Morris
2017-10-19 14:50 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown David Howells
2017-10-19 17:20 ` Randy Dunlap
2017-10-19 22:12 ` David Howells
2017-11-07 17:39 ` Thiago Jung Bauermann
2017-11-07 22:56 ` David Howells
2017-10-19 14:50 ` [PATCH 03/27] Enforce module signatures if the kernel is locked down David Howells
2017-10-20 6:33 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-27 18:48 ` Mimi Zohar
2017-10-30 17:00 ` David Howells
2017-10-30 17:52 ` Mimi Zohar
2017-11-02 17:22 ` David Howells
2017-11-02 19:13 ` Mimi Zohar
2017-11-02 21:30 ` David Howells
2017-11-02 21:41 ` Mimi Zohar
2017-11-02 22:01 ` David Howells
2017-11-02 22:18 ` Mimi Zohar
2017-10-19 14:51 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when " David Howells
2017-10-20 6:37 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-19 14:51 ` [PATCH 05/27] kexec: Disable at runtime if " David Howells
2017-10-20 6:38 ` joeyli
2017-10-20 23:22 ` James Morris
2017-10-19 14:51 ` [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-10-20 23:26 ` James Morris
2017-10-23 15:54 ` Mimi Zohar
2017-10-26 7:42 ` joeyli
2017-10-26 14:17 ` Mimi Zohar
2017-10-27 19:30 ` Mimi Zohar
2017-10-27 19:32 ` Mimi Zohar
2017-10-28 8:34 ` joeyli
2017-10-29 22:26 ` Mimi Zohar
2017-10-30 9:00 ` David Howells
2017-10-30 12:01 ` Mimi Zohar
2017-10-26 15:02 ` David Howells
2017-10-26 15:46 ` Mimi Zohar
2017-10-30 15:49 ` David Howells
2017-10-30 16:43 ` Mimi Zohar
2017-11-02 17:00 ` David Howells
2017-10-26 14:51 ` David Howells
2017-11-02 17:29 ` David Howells
2017-10-19 14:51 ` [PATCH 08/27] hibernate: Disable when the kernel is locked down David Howells
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 09/27] uswsusp: " David Howells
2017-10-20 6:41 ` joeyli
2017-10-20 23:29 ` James Morris
2017-10-19 14:51 ` [PATCH 10/27] PCI: Lock down BAR access " David Howells
2017-10-20 6:42 ` joeyli [this message]
2017-10-19 14:51 ` [PATCH 11/27] x86: Lock down IO port " David Howells
2017-10-20 6:43 ` joeyli
2017-10-19 14:52 ` [PATCH 12/27] x86/msr: Restrict MSR " David Howells
2017-10-20 6:43 ` joeyli
2017-10-20 18:09 ` Alan Cox
2017-10-20 20:48 ` David Howells
2017-10-21 4:39 ` joeyli
2017-10-23 14:49 ` David Howells
2017-10-25 14:03 ` joeyli
2017-10-19 14:52 ` [PATCH 13/27] asus-wmi: Restrict debugfs interface " David Howells
2017-10-20 6:44 ` joeyli
2017-10-19 14:52 ` [PATCH 14/27] ACPI: Limit access to custom_method " David Howells
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 16/27] acpi: Disable ACPI table override if the kernel is " David Howells
2017-10-20 6:46 ` joeyli
2017-10-19 14:52 ` [PATCH 17/27] acpi: Disable APEI error injection " David Howells
2017-10-20 6:47 ` joeyli
2017-10-19 14:52 ` [PATCH 18/27] bpf: Restrict kernel image access functions when " David Howells
2017-10-19 22:18 ` Alexei Starovoitov
2017-10-20 2:47 ` joeyli
2017-10-20 8:08 ` David Howells
2017-10-20 15:57 ` jlee
2017-10-20 23:00 ` Alexei Starovoitov
2017-10-23 14:51 ` David Howells
2017-10-20 16:03 ` David Howells
2017-10-20 16:43 ` jlee
2017-10-23 14:53 ` David Howells
2017-10-25 7:07 ` joeyli
2017-10-19 22:48 ` David Howells
2017-10-19 23:31 ` Alexei Starovoitov
2017-11-09 17:15 ` David Howells
2017-10-19 14:52 ` [PATCH 19/27] scsi: Lock down the eata driver David Howells
2017-10-19 14:53 ` [PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 21/27] Lock down TIOCSSERIAL David Howells
2017-10-19 14:53 ` [PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2017-10-19 14:53 ` [PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2017-10-19 14:53 ` [PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 25/27] Lock down /proc/kcore David Howells
2017-10-21 2:11 ` James Morris
2017-10-23 14:56 ` David Howells
2017-10-19 14:53 ` [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode David Howells
2017-10-21 2:19 ` James Morris
2017-10-23 14:58 ` David Howells
2017-10-19 14:53 ` [PATCH 27/27] efi: Lock down the kernel if booted in " David Howells
2017-10-19 22:39 ` [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-23 14:34 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down David Howells
2017-10-24 10:48 ` Ethan Zhao
2017-10-24 14:56 ` David Howells
2017-11-02 22:01 ` [PATCH 00/27] security, efi: Add kernel lockdown Mimi Zohar
2017-11-02 22:04 ` Firmware signing -- " David Howells
2017-11-02 22:10 ` Mimi Zohar
2017-11-07 23:07 ` Luis R. Rodriguez
2017-11-08 6:15 ` AKASHI, Takahiro
2017-11-08 19:46 ` Luis R. Rodriguez
2017-11-09 1:48 ` AKASHI, Takahiro
2017-11-09 2:17 ` Mimi Zohar
2017-11-09 4:46 ` AKASHI, Takahiro
2017-11-10 13:37 ` Mimi Zohar
2017-11-11 2:32 ` Alan Cox
2017-11-13 11:49 ` Mimi Zohar
2017-11-13 17:42 ` Luis R. Rodriguez
2017-11-13 21:08 ` Alan Cox
2017-12-04 19:51 ` Luis R. Rodriguez
2017-12-07 15:32 ` Alan Cox
2017-11-13 21:44 ` David Howells
2017-11-13 22:09 ` Linus Torvalds
2017-11-14 0:20 ` Alan Cox
2017-11-14 12:21 ` Mimi Zohar
2017-11-14 12:38 ` Greg Kroah-Hartman
2017-11-14 13:17 ` Mimi Zohar
2017-11-14 17:34 ` Linus Torvalds
2017-11-14 19:58 ` Matthew Garrett
2017-11-14 20:18 ` Linus Torvalds
2017-11-14 20:31 ` Matthew Garrett
2017-11-14 20:35 ` Linus Torvalds
2017-11-14 20:37 ` Matthew Garrett
2017-11-14 20:50 ` Luis R. Rodriguez
2017-11-14 20:55 ` Matthew Garrett
2017-11-14 22:14 ` James Bottomley
2017-11-14 22:17 ` Matthew Garrett
2017-11-14 22:31 ` James Bottomley
2017-11-14 22:34 ` Matthew Garrett
2017-11-15 11:49 ` Mimi Zohar
2017-11-15 17:52 ` Luis R. Rodriguez
2017-11-15 19:56 ` Mimi Zohar
2017-11-15 20:46 ` Luis R. Rodriguez
2017-11-16 0:05 ` Mimi Zohar
2017-12-05 10:27 ` Pavel Machek
2017-12-07 23:02 ` Luis R. Rodriguez
2017-12-08 17:11 ` Alan Cox
2017-11-10 1:46 ` Luis R. Rodriguez
2017-11-10 13:45 ` Mimi Zohar
2017-11-13 18:50 ` Luis R. Rodriguez
2017-11-13 19:08 ` Luis R. Rodriguez
2017-11-08 20:01 ` Mimi Zohar
2017-11-08 20:09 ` Luis R. Rodriguez
2019-03-25 22:09 [PULL REQUEST] Lockdown patches for 5.2 Matthew Garrett
2019-03-25 22:09 ` [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171020064226.GR3285@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jforbes@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).