From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Kai-Heng Feng <kai.heng.feng@canonical.com>
Cc: jmorris@namei.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
David Howells <dhowells@redhat.com>,
Kees Cook <keescook@chromium.org>,
x86@kernel.org
Subject: Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down
Date: Wed, 5 Jan 2022 07:20:10 +0000 [thread overview]
Message-ID: <20220105072010.GA31134@srcf.ucam.org> (raw)
In-Reply-To: <CAAd53p5A9ajyP=8edXW20MB1eLRAF3SsmXfdnkA2isBJD2Bd+w@mail.gmail.com>
On Wed, Jan 05, 2022 at 02:57:57PM +0800, Kai-Heng Feng wrote:
> The affected system from the customer has SecureBoot enabled (and
> hence lockdown), and the kernel upgrade surprisingly broke ioperm()
> usage.
Which kernel was being used that was signed but didn't implement
lockdown? That sounds, uh, bad.
> The userspace program is proprietary so I can't share it here.
Ok. Are you able to describe anything about what it does so we can
figure out a better solution?
> Basically this patch makes ioperm() a noop on SecureBoot enabled x86 systems.
> If reverting is not an option, what else can we do to circumvent the regression?
There's two main choices:
1) Disable secure boot on the system in question - if there's a need to
run userland that can do arbitrary port IO then secure boot isn't
providing any meaningful security benefit in any case.
2) Implement a kernel driver that abstracts the hardware access away
from userland, and ensures that all the accesses are performed in a safe
way.
Doing port IO from userland is almost always a terrible idea - it
usually involves indexed accesses (you write an address to one port and
then write or read data from another), and if two processes are trying
to do this simultaneously (either because SMP or because one process
gets preempted after writing the address but before accessing the data
register), and in that case you can end up with accesses to the wrong
register as a result. You really want this sort of thing to be mediated
by the kernel, both from a safety perspective and to ensure appropriate
synchronisation.
next prev parent reply other threads:[~2022-01-05 7:20 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-20 0:17 [PATCH V40 00/29] Add kernel lockdown functionality Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 01/29] security: Support early LSMs Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 02/29] security: Add a "locked down" LSM hook Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 05/29] lockdown: Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 06/29] kexec_load: Disable at runtime if " Matthew Garrett
2019-08-20 0:17 ` Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 07/29] lockdown: Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-08-20 0:17 ` Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-08-20 0:17 ` Matthew Garrett
2019-08-30 14:26 ` Philipp Rudo
2019-08-30 14:26 ` Philipp Rudo
2019-08-20 0:17 ` [PATCH V40 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-08-20 0:17 ` Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 10/29] hibernate: Disable when " Matthew Garrett
2019-08-20 21:43 ` Rafael J. Wysocki
2019-08-25 9:51 ` Pavel Machek
2019-08-20 0:17 ` [PATCH V40 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-08-20 19:45 ` Bjorn Helgaas
2019-08-20 21:04 ` Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 12/29] x86: Lock down IO port " Matthew Garrett
2022-01-05 6:25 ` Kai-Heng Feng
2022-01-05 6:48 ` Matthew Garrett
2022-01-05 6:57 ` Kai-Heng Feng
2022-01-05 7:20 ` Matthew Garrett [this message]
2022-01-05 10:05 ` Kai-Heng Feng
2022-01-05 10:14 ` Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-08-20 22:07 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-08-20 22:08 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-08-20 22:08 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 17/29] lockdown: Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 18/29] lockdown: Lock down TIOCSSERIAL Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 19/29] lockdown: Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-20 16:39 ` Jessica Yu
2019-08-20 0:17 ` [PATCH V40 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 21/29] lockdown: Lock down /proc/kcore Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 22/29] lockdown: Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 24/29] lockdown: Lock down perf when " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 27/29] tracefs: Restrict tracefs " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 28/29] efi: Restrict efivar_ssdt_load " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-08-20 6:45 ` [PATCH V40 00/29] Add kernel lockdown functionality James Morris
2019-08-30 16:28 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM David Howells
2019-09-04 16:51 ` Matthew Garrett
2019-09-10 10:06 ` Matthew Garrett
2019-08-30 16:31 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down David Howells
2019-09-04 16:57 ` Matthew Garrett
2019-08-30 16:32 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220105072010.GA31134@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=kai.heng.feng@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.