From: Alan Stern <stern@rowland.harvard.edu>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Borislav Petkov <bp@alien8.de>,
x86@kernel.org, Bjorn Helgaas <bhelgaas@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Andreas Noever <andreas.noever@gmail.com>,
Michael Jamet <michael.jamet@intel.com>,
Yehezkel Bernat <YehezkelShB@gmail.com>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>,
Jason Wang <jasowang@redhat.com>,
Dan Williams <dan.j.williams@intel.com>,
Andi Kleen <ak@linux.intel.com>,
Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org,
linux-usb@vger.kernel.org,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
Date: Thu, 30 Sep 2021 11:32:41 -0400 [thread overview]
Message-ID: <20210930153241.GE464826@rowland.harvard.edu> (raw)
In-Reply-To: <20210930104640-mutt-send-email-mst@kernel.org>
On Thu, Sep 30, 2021 at 10:48:54AM -0400, Michael S. Tsirkin wrote:
> On Thu, Sep 30, 2021 at 10:43:05AM -0400, Alan Stern wrote:
> > I don't see any point in talking about "untrusted drivers". If a
> > driver isn't trusted then it doesn't belong in your kernel. Period.
> > When you load a driver into your kernel, you are implicitly trusting
> > it (aside from limitations imposed by security modules). The code
> > it contains, the module_init code in particular, runs with full
> > superuser permissions.
> >
> > What use is there in loading a driver but telling the kernel "I don't
> > trust this driver, so don't allow it to probe any devices"? Why not
> > just blacklist it so that it never gets modprobed in the first place?
> >
> > Alan Stern
>
> When the driver is built-in, it seems useful to be able to block it
> without rebuilding the kernel. This is just flipping it around
> and using an allow-list for cases where you want to severly
> limit the available functionality.
Does this make sense?
The only way to tell the kernel to block a built-in driver is by
using some boot-command-line option. Otherwise the driver's init
code will run before you have a chance to tell the kernel anything at
all.
So if you change your mind about whether a driver should be blocked,
all you have to do is remove the blocking option from the command
line and reboot. No kernel rebuild is necessary.
Alan Stern
WARNING: multiple messages have this Message-ID
From: Alan Stern <stern@rowland.harvard.edu>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Michael Jamet <michael.jamet@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
x86@kernel.org, virtualization@lists.linux-foundation.org,
Yehezkel Bernat <YehezkelShB@gmail.com>,
Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
linux-kernel@vger.kernel.org,
Andreas Noever <andreas.noever@gmail.com>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
linux-pci@vger.kernel.org, Bjorn Helgaas <bhelgaas@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-usb@vger.kernel.org,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Dan Williams <dan.j.williams@intel.com>
Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
Date: Thu, 30 Sep 2021 11:32:41 -0400 [thread overview]
Message-ID: <20210930153241.GE464826@rowland.harvard.edu> (raw)
In-Reply-To: <20210930104640-mutt-send-email-mst@kernel.org>
On Thu, Sep 30, 2021 at 10:48:54AM -0400, Michael S. Tsirkin wrote:
> On Thu, Sep 30, 2021 at 10:43:05AM -0400, Alan Stern wrote:
> > I don't see any point in talking about "untrusted drivers". If a
> > driver isn't trusted then it doesn't belong in your kernel. Period.
> > When you load a driver into your kernel, you are implicitly trusting
> > it (aside from limitations imposed by security modules). The code
> > it contains, the module_init code in particular, runs with full
> > superuser permissions.
> >
> > What use is there in loading a driver but telling the kernel "I don't
> > trust this driver, so don't allow it to probe any devices"? Why not
> > just blacklist it so that it never gets modprobed in the first place?
> >
> > Alan Stern
>
> When the driver is built-in, it seems useful to be able to block it
> without rebuilding the kernel. This is just flipping it around
> and using an allow-list for cases where you want to severly
> limit the available functionality.
Does this make sense?
The only way to tell the kernel to block a built-in driver is by
using some boot-command-line option. Otherwise the driver's init
code will run before you have a chance to tell the kernel anything at
all.
So if you change your mind about whether a driver should be blocked,
all you have to do is remove the blocking option from the command
line and reboot. No kernel rebuild is necessary.
Alan Stern
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-09-30 15:33 UTC|newest]
Thread overview: 132+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-30 1:05 [PATCH v2 0/6] Add device filter support Kuppuswamy Sathyanarayanan
2021-09-30 1:05 ` [PATCH v2 1/6] driver core: Move the "authorized" attribute from USB/Thunderbolt to core Kuppuswamy Sathyanarayanan
2021-09-30 1:42 ` Alan Stern
2021-09-30 1:42 ` Alan Stern
2021-09-30 1:55 ` Dan Williams
2021-09-30 1:55 ` Dan Williams
2021-09-30 2:38 ` Kuppuswamy, Sathyanarayanan
2021-09-30 4:59 ` Dan Williams
2021-09-30 4:59 ` Dan Williams
2021-09-30 9:05 ` Rafael J. Wysocki
2021-09-30 9:05 ` Rafael J. Wysocki
2021-09-30 14:59 ` Alan Stern
2021-09-30 14:59 ` Alan Stern
2021-09-30 15:25 ` Dan Williams
2021-09-30 15:25 ` Dan Williams
2021-09-30 11:19 ` Yehezkel Bernat
2021-09-30 15:28 ` Dan Williams
2021-09-30 15:28 ` Dan Williams
2021-09-30 18:25 ` Yehezkel Bernat
2021-09-30 19:04 ` Dan Williams
2021-09-30 19:04 ` Dan Williams
2021-09-30 19:50 ` Kuppuswamy, Sathyanarayanan
2021-09-30 20:23 ` Dan Williams
2021-09-30 20:23 ` Dan Williams
2021-09-30 1:05 ` [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices Kuppuswamy Sathyanarayanan
2021-09-30 10:59 ` Michael S. Tsirkin
2021-09-30 10:59 ` Michael S. Tsirkin
2021-09-30 13:52 ` Greg Kroah-Hartman
2021-09-30 13:52 ` Greg Kroah-Hartman
2021-09-30 14:38 ` Michael S. Tsirkin
2021-09-30 14:38 ` Michael S. Tsirkin
2021-09-30 14:49 ` Greg Kroah-Hartman
2021-09-30 14:49 ` Greg Kroah-Hartman
2021-09-30 15:00 ` Michael S. Tsirkin
2021-09-30 15:00 ` Michael S. Tsirkin
2021-09-30 15:22 ` Greg Kroah-Hartman
2021-09-30 15:22 ` Greg Kroah-Hartman
2021-09-30 17:17 ` Andi Kleen
2021-09-30 17:17 ` Andi Kleen
2021-09-30 17:23 ` Greg Kroah-Hartman
2021-09-30 17:23 ` Greg Kroah-Hartman
2021-09-30 19:15 ` Andi Kleen
2021-09-30 19:15 ` Andi Kleen
2021-10-01 6:29 ` Greg Kroah-Hartman
2021-10-01 6:29 ` Greg Kroah-Hartman
2021-10-01 15:51 ` Alan Stern
2021-10-01 15:51 ` Alan Stern
2021-10-01 15:56 ` Andi Kleen
2021-10-01 15:56 ` Andi Kleen
2021-09-30 14:43 ` Alan Stern
2021-09-30 14:43 ` Alan Stern
2021-09-30 14:48 ` Michael S. Tsirkin
2021-09-30 14:48 ` Michael S. Tsirkin
2021-09-30 15:32 ` Alan Stern [this message]
2021-09-30 15:32 ` Alan Stern
2021-09-30 15:52 ` Michael S. Tsirkin
2021-09-30 15:52 ` Michael S. Tsirkin
2021-09-30 14:58 ` Michael S. Tsirkin
2021-09-30 14:58 ` Michael S. Tsirkin
2021-09-30 15:35 ` Alan Stern
2021-09-30 15:35 ` Alan Stern
2021-09-30 15:59 ` Michael S. Tsirkin
2021-09-30 15:59 ` Michael S. Tsirkin
2021-09-30 19:23 ` Andi Kleen
2021-09-30 19:23 ` Andi Kleen
2021-09-30 20:44 ` Alan Stern
2021-09-30 20:44 ` Alan Stern
2021-09-30 20:52 ` Dan Williams
2021-09-30 20:52 ` Dan Williams
2021-10-01 1:41 ` Alan Stern
2021-10-01 1:41 ` Alan Stern
2021-10-01 2:20 ` Dan Williams
2021-10-01 2:20 ` Dan Williams
2021-09-30 21:12 ` Andi Kleen
2021-09-30 21:12 ` Andi Kleen
2021-09-30 1:05 ` [PATCH v2 3/6] driver core: Allow arch to initialize the authorized attribute Kuppuswamy Sathyanarayanan
2021-09-30 1:05 ` [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest Kuppuswamy Sathyanarayanan
2021-09-30 11:03 ` Michael S. Tsirkin
2021-09-30 11:03 ` Michael S. Tsirkin
2021-09-30 13:36 ` Dan Williams
2021-09-30 13:36 ` Dan Williams
2021-09-30 13:49 ` Greg Kroah-Hartman
2021-09-30 13:49 ` Greg Kroah-Hartman
2021-09-30 15:18 ` Kuppuswamy, Sathyanarayanan
2021-09-30 15:20 ` Michael S. Tsirkin
2021-09-30 15:20 ` Michael S. Tsirkin
2021-09-30 15:23 ` Kuppuswamy, Sathyanarayanan
2021-09-30 15:23 ` Greg Kroah-Hartman
2021-09-30 15:23 ` Greg Kroah-Hartman
2021-09-30 19:04 ` Kuppuswamy, Sathyanarayanan
2021-09-30 19:16 ` Kuppuswamy, Sathyanarayanan
2021-09-30 19:30 ` Andi Kleen
2021-09-30 19:30 ` Andi Kleen
2021-09-30 19:40 ` Kuppuswamy, Sathyanarayanan
2021-10-01 7:03 ` Greg Kroah-Hartman
2021-10-01 7:03 ` Greg Kroah-Hartman
2021-10-01 15:49 ` Andi Kleen
2021-10-01 15:49 ` Andi Kleen
2021-10-02 11:04 ` Michael S. Tsirkin
2021-10-02 11:04 ` Michael S. Tsirkin
2021-10-02 11:14 ` Greg Kroah-Hartman
2021-10-02 11:14 ` Greg Kroah-Hartman
2021-10-02 14:20 ` Andi Kleen
2021-10-02 14:20 ` Andi Kleen
2021-10-02 14:44 ` Greg Kroah-Hartman
2021-10-02 14:44 ` Greg Kroah-Hartman
2021-10-02 18:40 ` Michael S. Tsirkin
2021-10-02 18:40 ` Michael S. Tsirkin
2021-10-03 6:40 ` Greg Kroah-Hartman
2021-10-03 6:40 ` Greg Kroah-Hartman
2021-10-04 21:04 ` Dan Williams
2021-10-04 21:04 ` Dan Williams
2021-10-01 16:13 ` Dan Williams
2021-10-01 16:13 ` Dan Williams
2021-10-01 16:45 ` Alan Stern
2021-10-01 16:45 ` Alan Stern
2021-10-01 18:09 ` Dan Williams
2021-10-01 18:09 ` Dan Williams
2021-10-01 19:00 ` Alan Stern
2021-10-01 19:00 ` Alan Stern
2021-10-01 19:45 ` Kuppuswamy, Sathyanarayanan
2021-10-01 19:57 ` Dan Williams
2021-10-01 19:57 ` Dan Williams
2021-10-04 5:16 ` Mika Westerberg
2021-10-05 22:33 ` Dan Williams
2021-10-05 22:33 ` Dan Williams
2021-10-06 5:45 ` Greg Kroah-Hartman
2021-10-06 5:45 ` Greg Kroah-Hartman
2021-09-30 19:25 ` Andi Kleen
2021-09-30 19:25 ` Andi Kleen
2021-09-30 1:05 ` [PATCH v2 5/6] x86/tdx: Add device filter support for x86 TDX guest platform Kuppuswamy Sathyanarayanan
2021-09-30 1:05 ` [PATCH v2 6/6] PCI: Initialize authorized attribute for confidential guest Kuppuswamy Sathyanarayanan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210930153241.GE464826@rowland.harvard.edu \
--to=stern@rowland.harvard.edu \
--cc=YehezkelShB@gmail.com \
--cc=ak@linux.intel.com \
--cc=andreas.noever@gmail.com \
--cc=bhelgaas@google.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=knsathya@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=michael.jamet@intel.com \
--cc=mika.westerberg@linux.intel.com \
--cc=mingo@redhat.com \
--cc=mst@redhat.com \
--cc=rafael@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=tglx@linutronix.de \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
--subject='Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.