From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6219FC004C9 for ; Mon, 29 Apr 2019 04:54:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 370E22087B for ; Mon, 29 Apr 2019 04:54:49 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=axtens.net header.i=@axtens.net header.b="MT3mzMT7" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727414AbfD2Eys (ORCPT ); Mon, 29 Apr 2019 00:54:48 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:46124 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727152AbfD2EyJ (ORCPT ); Mon, 29 Apr 2019 00:54:09 -0400 Received: by mail-pf1-f196.google.com with SMTP id j11so4685609pff.13 for ; Sun, 28 Apr 2019 21:54:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version; bh=CXY8NMI+MMoFwyd5a0U3G9swoqWap2mhzcLLts/Z+iE=; b=MT3mzMT76800YDXvDZ5HeHvywukXbF/p5hE0jBqJpGYZZg1bhMX2UHmZ1HU1dvIheR 9V3fe+IwApl8EGbBqr2IZkMENTIoZrC2hLsTBul7PX4wqT1iG/MuEFlYgfUtMUoSToFc 7CbzrSVAtGB1V9nsEgm59WhrmtIFGM7bhpw1w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=CXY8NMI+MMoFwyd5a0U3G9swoqWap2mhzcLLts/Z+iE=; b=OVdNM5TsesyrEvYE1iSIdOjfkKe3CaiewOXf6F8m/Jo8f6K5PAW+gprgx7p4/wt2tR 0QYij01ZTQxZOzCN8Uw/3Wq2QQkF3FdS2tcw1JddGZ1u0dqaJLEeHEwB/p2VVDYh92Mh tQMsj8bQ4SNiNjiSJ1PVz8zxRzVuUQuH+4apTHV0jL5QTqiqweXQVnsLudSmnaxeIEPP 9DwTb+LdDiqP0Fqknzvex8xYwLq5aD8vtiMz0BaFzxCCHe6j3xY+KZXUH4DqmsBAlO2d FLRpP0aP8dMAnPlisCdUaWwAPSfGeixMY59TgPkYb8VqDKnt/kdqKlh/H6HflMA+08AI Xltw== X-Gm-Message-State: APjAAAX5kr74trHHT9LDGHcxrJJGJmG1GKe1at20VIfjjrwcJNX2tjeL du4RAEz3RXZYi6WKRtfbY9l3zA== X-Google-Smtp-Source: APXvYqxOmKGuDu957cqrxEQ+1VImzuI7N1RjWAr+p16Qnie6ZNUhOIBHM3h6IhCgt1zC9o45e1De9A== X-Received: by 2002:a63:7d03:: with SMTP id y3mr55014550pgc.8.1556513648514; Sun, 28 Apr 2019 21:54:08 -0700 (PDT) Received: from localhost (ppp121-45-207-92.bras1.cbr1.internode.on.net. [121.45.207.92]) by smtp.gmail.com with ESMTPSA id j67sm74431179pfc.72.2019.04.28.21.54.06 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 28 Apr 2019 21:54:07 -0700 (PDT) From: Daniel Axtens To: Matthew Garrett , Andrew Donnellan Cc: James Morris , LSM List , Linux Kernel Mailing List , David Howells , Linux API , Andy Lutomirski , linuxppc-dev , Michael Ellerman , cmr Subject: Re: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image In-Reply-To: <87wojdy8ro.fsf@dja-thinkpad.axtens.net> References: <20190404003249.14356-1-matthewgarrett@google.com> <20190404003249.14356-2-matthewgarrett@google.com> <059c523e-926c-24ee-0935-198031712145@au1.ibm.com> <87wojdy8ro.fsf@dja-thinkpad.axtens.net> Date: Mon, 29 Apr 2019 14:54:03 +1000 Message-ID: <87tvehxvh0.fsf@dja-thinkpad.axtens.net> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, >>> I'm thinking about whether we should lock down the powerpc xmon debug >>> monitor - intuitively, I think the answer is yes if for no other reason >>> than Least Astonishment, when lockdown is enabled you probably don't >>> expect xmon to keep letting you access kernel memory. >> >> The original patchset contained a sysrq hotkey to allow physically >> present users to disable lockdown, so I'm not super concerned about >> this case - I could definitely be convinced otherwise, though. So Mimi contacted me offlist and very helpfully provided me with a much better and less confused justification for disabling xmon in lockdown: On x86, physical presence (== console access) is a trigger to disable/enable lockdown mode. In lockdown mode, you're not supposed to be able to modify memory. xmon allows you to modify memory, and therefore shouldn't be allowed in lockdown. So, if you can disable lockdown on the console that's probably OK, but it should be specifically disabling lockdown, not randomly editing memory with xmon. Regards, Daniel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28E5DC43219 for ; Mon, 29 Apr 2019 04:56:12 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 98E272087B for ; Mon, 29 Apr 2019 04:56:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=axtens.net header.i=@axtens.net header.b="MT3mzMT7" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 98E272087B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 44ssn55jYWzDqNm for ; Mon, 29 Apr 2019 14:56:09 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=axtens.net (client-ip=2607:f8b0:4864:20::441; helo=mail-pf1-x441.google.com; envelope-from=dja@axtens.net; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.b="MT3mzMT7"; dkim-atps=neutral Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 44ssks4KYgzDqNB for ; Mon, 29 Apr 2019 14:54:12 +1000 (AEST) Received: by mail-pf1-x441.google.com with SMTP id 188so4697107pfd.8 for ; Sun, 28 Apr 2019 21:54:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:in-reply-to:references:date:message-id :mime-version; bh=CXY8NMI+MMoFwyd5a0U3G9swoqWap2mhzcLLts/Z+iE=; b=MT3mzMT76800YDXvDZ5HeHvywukXbF/p5hE0jBqJpGYZZg1bhMX2UHmZ1HU1dvIheR 9V3fe+IwApl8EGbBqr2IZkMENTIoZrC2hLsTBul7PX4wqT1iG/MuEFlYgfUtMUoSToFc 7CbzrSVAtGB1V9nsEgm59WhrmtIFGM7bhpw1w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=CXY8NMI+MMoFwyd5a0U3G9swoqWap2mhzcLLts/Z+iE=; b=qQ7VZqQOU0FUJiimI3ETlc2UYQeoQJrxnItA++f7Ps3dU5dJApfIqp224WslUo6e42 vzC6tCxn6skC14Sn5AzSpL90JPmbacHBkWr0PKg1gcVpnAKO+QS0JDk5f/eZSnR3v7Z2 YH+bmDQlgPDbZMhrtITh19PG66svmCPeBrVdANfiIeaYT/8Z4kx9OiB76Cv1ag7TrZbd H8xpEBo1dR6erCPyK73e42WmhSH5mj8R8YNbQ+VVxxNVOcA8dPrFBPkU3HyjMzqFAQBT 80nlZrNiUUdTj8gQbQmuLJYc3ERbHf6b7A31ATIN8AWR0u3PNTYwkJqp/ZKmc3QyfwiU ZR+A== X-Gm-Message-State: APjAAAUqZS0KzCgv8F/oGfNJ6GD/wr8RbrCsMufdaJOqjrwZxESrmEC3 A3J+g89JGpR3KF8E07u0I+nXLw== X-Google-Smtp-Source: APXvYqxOmKGuDu957cqrxEQ+1VImzuI7N1RjWAr+p16Qnie6ZNUhOIBHM3h6IhCgt1zC9o45e1De9A== X-Received: by 2002:a63:7d03:: with SMTP id y3mr55014550pgc.8.1556513648514; Sun, 28 Apr 2019 21:54:08 -0700 (PDT) Received: from localhost (ppp121-45-207-92.bras1.cbr1.internode.on.net. [121.45.207.92]) by smtp.gmail.com with ESMTPSA id j67sm74431179pfc.72.2019.04.28.21.54.06 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 28 Apr 2019 21:54:07 -0700 (PDT) From: Daniel Axtens To: Matthew Garrett , Andrew Donnellan Subject: Re: [PATCH V32 01/27] Add the ability to lock down access to the running kernel image In-Reply-To: <87wojdy8ro.fsf@dja-thinkpad.axtens.net> References: <20190404003249.14356-1-matthewgarrett@google.com> <20190404003249.14356-2-matthewgarrett@google.com> <059c523e-926c-24ee-0935-198031712145@au1.ibm.com> <87wojdy8ro.fsf@dja-thinkpad.axtens.net> Date: Mon, 29 Apr 2019 14:54:03 +1000 Message-ID: <87tvehxvh0.fsf@dja-thinkpad.axtens.net> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Linux API , cmr , James Morris , Linux Kernel Mailing List , David Howells , LSM List , Andy Lutomirski , linuxppc-dev Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" Hi, >>> I'm thinking about whether we should lock down the powerpc xmon debug >>> monitor - intuitively, I think the answer is yes if for no other reason >>> than Least Astonishment, when lockdown is enabled you probably don't >>> expect xmon to keep letting you access kernel memory. >> >> The original patchset contained a sysrq hotkey to allow physically >> present users to disable lockdown, so I'm not super concerned about >> this case - I could definitely be convinced otherwise, though. So Mimi contacted me offlist and very helpfully provided me with a much better and less confused justification for disabling xmon in lockdown: On x86, physical presence (== console access) is a trigger to disable/enable lockdown mode. In lockdown mode, you're not supposed to be able to modify memory. xmon allows you to modify memory, and therefore shouldn't be allowed in lockdown. So, if you can disable lockdown on the console that's probably OK, but it should be specifically disabling lockdown, not randomly editing memory with xmon. Regards, Daniel