From: <Mario.Limonciello@dell.com>
To: hughsient@gmail.com
Cc: platform-driver-x86@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: RE: [PATCH] platform/x86: Export LPC attributes for the system SPI chip
Date: Thu, 7 May 2020 19:22:02 +0000 [thread overview]
Message-ID: <61c7782cd2e64bb9ab2aaf6a016bbb6c@AUSX13MPC101.AMER.DELL.COM> (raw)
In-Reply-To: <CAD2FfiEk8Fq3=i_3NHvtuwip=-v_cGfnYSowdPi86U_BcgP2gQ@mail.gmail.com>
> -----Original Message-----
> From: platform-driver-x86-owner@vger.kernel.org <platform-driver-x86-
> owner@vger.kernel.org> On Behalf Of Richard Hughes
> Sent: Thursday, May 7, 2020 1:47 PM
> To: Limonciello, Mario
> Cc: Platform Driver; linux-security-module
> Subject: Re: [PATCH] platform/x86: Export LPC attributes for the system SPI
> chip
>
>
> [EXTERNAL EMAIL]
>
> On Thu, 7 May 2020 at 18:45, <Mario.Limonciello@dell.com> wrote:
> > To echo Andy's question, I would wonder if it makes sense to just export
> > these attributes in securityfs directly from the intel-spi-pci driver rather
> > than to have another driver in platform-x86 to get the information.
>
> The "DANGEROUS" in the SPI_INTEL_SPI_PCI and SPI_INTEL_SPI_PLATFORM
> worried me somewhat. I'm guessing this is why most distros don't
> compile it as a module by default. If the module isn't actually still
> considered dangerous, and we can remove the warning I can of course
> respin my patch on top of that instead.
>
> Richard.
Well reading the documentation for it can explain why it's potentially dangerous.
If a manufacturer hasn't properly configured lock down bits like those you're trying
to expose, that would allow doing dangerous things.
https://www.kernel.org/doc/html/latest/driver-api/mtd/intel-spi.html
"
The intel-spi driver makes it possible to read and write the SPI serial flash, if
certain protection bits are not set and locked. If it finds any of them set, the
whole MTD device is made read-only to prevent partial overwrites.
By default the driver exposes SPI serial flash contents as read-only but it can
be changed from kernel command line, passing “intel-spi.writeable=1”.
"
WARNING: multiple messages have this Message-ID (diff)
From: <Mario.Limonciello@dell.com>
To: <hughsient@gmail.com>
Cc: <platform-driver-x86@vger.kernel.org>,
<linux-security-module@vger.kernel.org>
Subject: RE: [PATCH] platform/x86: Export LPC attributes for the system SPI chip
Date: Thu, 7 May 2020 19:22:02 +0000 [thread overview]
Message-ID: <61c7782cd2e64bb9ab2aaf6a016bbb6c@AUSX13MPC101.AMER.DELL.COM> (raw)
In-Reply-To: <CAD2FfiEk8Fq3=i_3NHvtuwip=-v_cGfnYSowdPi86U_BcgP2gQ@mail.gmail.com>
> -----Original Message-----
> From: platform-driver-x86-owner@vger.kernel.org <platform-driver-x86-
> owner@vger.kernel.org> On Behalf Of Richard Hughes
> Sent: Thursday, May 7, 2020 1:47 PM
> To: Limonciello, Mario
> Cc: Platform Driver; linux-security-module
> Subject: Re: [PATCH] platform/x86: Export LPC attributes for the system SPI
> chip
>
>
> [EXTERNAL EMAIL]
>
> On Thu, 7 May 2020 at 18:45, <Mario.Limonciello@dell.com> wrote:
> > To echo Andy's question, I would wonder if it makes sense to just export
> > these attributes in securityfs directly from the intel-spi-pci driver rather
> > than to have another driver in platform-x86 to get the information.
>
> The "DANGEROUS" in the SPI_INTEL_SPI_PCI and SPI_INTEL_SPI_PLATFORM
> worried me somewhat. I'm guessing this is why most distros don't
> compile it as a module by default. If the module isn't actually still
> considered dangerous, and we can remove the warning I can of course
> respin my patch on top of that instead.
>
> Richard.
Well reading the documentation for it can explain why it's potentially dangerous.
If a manufacturer hasn't properly configured lock down bits like those you're trying
to expose, that would allow doing dangerous things.
https://www.kernel.org/doc/html/latest/driver-api/mtd/intel-spi.html
"
The intel-spi driver makes it possible to read and write the SPI serial flash, if
certain protection bits are not set and locked. If it finds any of them set, the
whole MTD device is made read-only to prevent partial overwrites.
By default the driver exposes SPI serial flash contents as read-only but it can
be changed from kernel command line, passing “intel-spi.writeable=1”.
"
next prev parent reply other threads:[~2020-05-07 19:22 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-06 15:52 [PATCH] platform/x86: Export LPC attributes for the system SPI chip Richard Hughes
2020-05-06 16:29 ` Andy Shevchenko
2020-05-06 16:39 ` Richard Hughes
2020-05-07 17:05 ` Javier Martinez Canillas
2020-05-07 17:22 ` Andy Shevchenko
2020-05-07 17:28 ` Javier Martinez Canillas
2020-05-07 17:45 ` Mario.Limonciello
2020-05-07 17:45 ` Mario.Limonciello
2020-05-07 18:47 ` Richard Hughes
2020-05-07 19:22 ` Mario.Limonciello [this message]
2020-05-07 19:22 ` Mario.Limonciello
2020-05-07 19:49 ` Richard Hughes
2020-05-07 20:03 ` Mario.Limonciello
2020-05-07 20:03 ` Mario.Limonciello
2020-05-08 8:20 ` Mika Westerberg
2020-05-08 16:15 ` Richard Hughes
2020-05-11 10:45 ` Mika Westerberg
2020-05-11 15:40 ` Richard Hughes
2020-05-11 16:28 ` Mika Westerberg
2020-05-11 20:08 ` Richard Hughes
2020-05-12 6:44 ` Mika Westerberg
2020-05-12 20:37 ` Richard Hughes
2020-05-08 17:27 ` Mario.Limonciello
2020-05-08 17:27 ` Mario.Limonciello
2020-05-11 10:41 ` Mika Westerberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=61c7782cd2e64bb9ab2aaf6a016bbb6c@AUSX13MPC101.AMER.DELL.COM \
--to=mario.limonciello@dell.com \
--cc=hughsient@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=platform-driver-x86@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.