From: Dan Williams <dan.j.williams@intel.com> To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Ben Widawsky <ben.widawsky@intel.com>, linux-cxl@vger.kernel.org, Linux ACPI <linux-acpi@vger.kernel.org>, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, linux-nvdimm <linux-nvdimm@lists.01.org>, Linux PCI <linux-pci@vger.kernel.org>, Bjorn Helgaas <helgaas@kernel.org>, Chris Browy <cbrowy@avery-design.com>, Christoph Hellwig <hch@infradead.org>, Jon Masters <jcm@jonmasters.org>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Rafael Wysocki <rafael.j.wysocki@intel.com>, Randy Dunlap <rdunlap@infradead.org>, daniel.lll@alibaba-inc.com, "John Groves (jgroves)" <jgroves@micron.com>, "Kelley, Sean V" <sean.v.kelley@intel.com> Subject: Re: [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h) Date: Wed, 3 Feb 2021 12:31:00 -0800 [thread overview] Message-ID: <CAPcyv4hMM9isho5d8wS=5vtP0NxE5KA0HrMp+Bx2PZhPDrrWsg@mail.gmail.com> (raw) In-Reply-To: <YBroGrVd76p+BF0v@Konrads-MacBook-Pro.local> On Wed, Feb 3, 2021 at 10:16 AM Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> wrote: > > On Wed, Feb 03, 2021 at 09:16:10AM -0800, Ben Widawsky wrote: > > On 21-02-02 15:57:03, Dan Williams wrote: > > > On Tue, Feb 2, 2021 at 3:51 PM Ben Widawsky <ben.widawsky@intel.com> wrote: > > > > > > > > On 21-02-01 13:28:48, Konrad Rzeszutek Wilk wrote: > > > > > On Fri, Jan 29, 2021 at 04:24:37PM -0800, Ben Widawsky wrote: > > > > > > The Get Log command returns the actual log entries that are advertised > > > > > > via the Get Supported Logs command (0400h). CXL device logs are selected > > > > > > by UUID which is part of the CXL spec. Because the driver tries to > > > > > > sanitize what is sent to hardware, there becomes a need to restrict the > > > > > > types of logs which can be accessed by userspace. For example, the > > > > > > vendor specific log might only be consumable by proprietary, or offline > > > > > > applications, and therefore a good candidate for userspace. > > > > > > > > > > > > The current driver infrastructure does allow basic validation for all > > > > > > commands, but doesn't inspect any of the payload data. Along with Get > > > > > > Log support comes new infrastructure to add a hook for payload > > > > > > validation. This infrastructure is used to filter out the CEL UUID, > > > > > > which the userspace driver doesn't have business knowing, and taints on > > > > > > invalid UUIDs being sent to hardware. > > > > > > > > > > Perhaps a better option is to reject invalid UUIDs? > > > > > > > > > > And if you really really want to use invalid UUIDs then: > > > > > > > > > > 1) Make that code wrapped in CONFIG_CXL_DEBUG_THIS_IS_GOING_TO..? > > > > > > > > > > 2) Wrap it with lockdown code so that you can't do this at all > > > > > when in LOCKDOWN_INTEGRITY or such? > > > > > > > > > > > > > The commit message needs update btw as CEL is allowed in the latest rev of the > > > > patches. > > > > > > > > We could potentially combine this with the now added (in a branch) CONFIG_RAW > > > > config option. Indeed I think that makes sense. Dan, thoughts? > > > > > > Yeah, unknown UUIDs blocking is the same risk as raw commands as a > > > vendor can trigger any behavior they want. A "CONFIG_RAW depends on > > > !CONFIG_INTEGRITY" policy sounds reasonable as well. > > > > What about LOCKDOWN_NONE though? I think we need something runtime for this. > > > > Can we summarize the CONFIG options here? > > > > CXL_MEM_INSECURE_DEBUG // no change > > CXL_MEM_RAW_COMMANDS // if !security_locked_down(LOCKDOWN_NONE) > > > > bool cxl_unsafe() > > Would it be better if this inverted? Aka cxl_safe().. > ? > > { > > #ifndef CXL_MEM_RAW_COMMANDS nit use IS_ENABLED() if this function lives in a C file, or provide whole alternate static inline versions in a header gated by ifdefs. > > return false; > > #else > > return !security_locked_down(LOCKDOWN_NONE); > > :thumbsup: > > (Naturally this would inverted if this was cxl_safe()). > > > > #endif > > } > > > > --- > > > > Did I get that right? > > :nods: Looks good which means it's time to bikeshed the naming. I'd call it cxl_raw_allowed(). As "safety" isn't the only reason for blocking raw, it's also to corral the userspace api. I.e. things like enforcing security passphrase material through the Linux keys api. _______________________________________________ Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org To unsubscribe send an email to linux-nvdimm-leave@lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com> To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: Ben Widawsky <ben.widawsky@intel.com>, linux-cxl@vger.kernel.org, Linux ACPI <linux-acpi@vger.kernel.org>, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, linux-nvdimm <linux-nvdimm@lists.01.org>, Linux PCI <linux-pci@vger.kernel.org>, Bjorn Helgaas <helgaas@kernel.org>, Chris Browy <cbrowy@avery-design.com>, Christoph Hellwig <hch@infradead.org>, Ira Weiny <ira.weiny@intel.com>, Jon Masters <jcm@jonmasters.org>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Rafael Wysocki <rafael.j.wysocki@intel.com>, Randy Dunlap <rdunlap@infradead.org>, Vishal Verma <vishal.l.verma@intel.com>, daniel.lll@alibaba-inc.com, "John Groves (jgroves)" <jgroves@micron.com>, "Kelley, Sean V" <sean.v.kelley@intel.com> Subject: Re: [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h) Date: Wed, 3 Feb 2021 12:31:00 -0800 [thread overview] Message-ID: <CAPcyv4hMM9isho5d8wS=5vtP0NxE5KA0HrMp+Bx2PZhPDrrWsg@mail.gmail.com> (raw) In-Reply-To: <YBroGrVd76p+BF0v@Konrads-MacBook-Pro.local> On Wed, Feb 3, 2021 at 10:16 AM Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> wrote: > > On Wed, Feb 03, 2021 at 09:16:10AM -0800, Ben Widawsky wrote: > > On 21-02-02 15:57:03, Dan Williams wrote: > > > On Tue, Feb 2, 2021 at 3:51 PM Ben Widawsky <ben.widawsky@intel.com> wrote: > > > > > > > > On 21-02-01 13:28:48, Konrad Rzeszutek Wilk wrote: > > > > > On Fri, Jan 29, 2021 at 04:24:37PM -0800, Ben Widawsky wrote: > > > > > > The Get Log command returns the actual log entries that are advertised > > > > > > via the Get Supported Logs command (0400h). CXL device logs are selected > > > > > > by UUID which is part of the CXL spec. Because the driver tries to > > > > > > sanitize what is sent to hardware, there becomes a need to restrict the > > > > > > types of logs which can be accessed by userspace. For example, the > > > > > > vendor specific log might only be consumable by proprietary, or offline > > > > > > applications, and therefore a good candidate for userspace. > > > > > > > > > > > > The current driver infrastructure does allow basic validation for all > > > > > > commands, but doesn't inspect any of the payload data. Along with Get > > > > > > Log support comes new infrastructure to add a hook for payload > > > > > > validation. This infrastructure is used to filter out the CEL UUID, > > > > > > which the userspace driver doesn't have business knowing, and taints on > > > > > > invalid UUIDs being sent to hardware. > > > > > > > > > > Perhaps a better option is to reject invalid UUIDs? > > > > > > > > > > And if you really really want to use invalid UUIDs then: > > > > > > > > > > 1) Make that code wrapped in CONFIG_CXL_DEBUG_THIS_IS_GOING_TO..? > > > > > > > > > > 2) Wrap it with lockdown code so that you can't do this at all > > > > > when in LOCKDOWN_INTEGRITY or such? > > > > > > > > > > > > > The commit message needs update btw as CEL is allowed in the latest rev of the > > > > patches. > > > > > > > > We could potentially combine this with the now added (in a branch) CONFIG_RAW > > > > config option. Indeed I think that makes sense. Dan, thoughts? > > > > > > Yeah, unknown UUIDs blocking is the same risk as raw commands as a > > > vendor can trigger any behavior they want. A "CONFIG_RAW depends on > > > !CONFIG_INTEGRITY" policy sounds reasonable as well. > > > > What about LOCKDOWN_NONE though? I think we need something runtime for this. > > > > Can we summarize the CONFIG options here? > > > > CXL_MEM_INSECURE_DEBUG // no change > > CXL_MEM_RAW_COMMANDS // if !security_locked_down(LOCKDOWN_NONE) > > > > bool cxl_unsafe() > > Would it be better if this inverted? Aka cxl_safe().. > ? > > { > > #ifndef CXL_MEM_RAW_COMMANDS nit use IS_ENABLED() if this function lives in a C file, or provide whole alternate static inline versions in a header gated by ifdefs. > > return false; > > #else > > return !security_locked_down(LOCKDOWN_NONE); > > :thumbsup: > > (Naturally this would inverted if this was cxl_safe()). > > > > #endif > > } > > > > --- > > > > Did I get that right? > > :nods: Looks good which means it's time to bikeshed the naming. I'd call it cxl_raw_allowed(). As "safety" isn't the only reason for blocking raw, it's also to corral the userspace api. I.e. things like enforcing security passphrase material through the Linux keys api.
next prev parent reply other threads:[~2021-02-03 20:31 UTC|newest] Thread overview: 193+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-01-30 0:24 [PATCH 00/14] CXL 2.0 Support Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 01/14] cxl/mem: Introduce a driver for CXL-2.0-Type-3 endpoints Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 23:51 ` David Rientjes 2021-01-30 23:51 ` David Rientjes 2021-02-01 17:21 ` Jonathan Cameron 2021-02-01 17:21 ` Jonathan Cameron 2021-02-01 17:34 ` Konrad Rzeszutek Wilk 2021-02-01 17:34 ` Konrad Rzeszutek Wilk 2021-02-02 17:58 ` Christoph Hellwig 2021-02-02 17:58 ` Christoph Hellwig 2021-02-02 18:00 ` Christoph Hellwig 2021-02-02 18:00 ` Christoph Hellwig 2021-01-30 0:24 ` [PATCH 02/14] cxl/mem: Map memory device registers Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 23:51 ` David Rientjes 2021-01-30 23:51 ` David Rientjes 2021-02-01 16:46 ` Ben Widawsky 2021-02-01 16:46 ` Ben Widawsky 2021-02-01 18:19 ` Jonathan Cameron 2021-02-01 18:19 ` Jonathan Cameron 2021-02-01 17:36 ` Konrad Rzeszutek Wilk 2021-02-01 17:36 ` Konrad Rzeszutek Wilk 2021-02-02 18:04 ` Christoph Hellwig 2021-02-02 18:04 ` Christoph Hellwig 2021-02-02 18:31 ` Ben Widawsky 2021-02-02 18:31 ` Ben Widawsky 2021-02-03 17:12 ` Christoph Hellwig 2021-02-03 17:12 ` Christoph Hellwig 2021-01-30 0:24 ` [PATCH 03/14] cxl/mem: Find device capabilities Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 23:51 ` David Rientjes 2021-01-30 23:51 ` David Rientjes 2021-02-01 16:53 ` Ben Widawsky 2021-02-01 16:53 ` Ben Widawsky 2021-02-01 21:51 ` David Rientjes 2021-02-01 21:51 ` David Rientjes 2021-02-01 21:58 ` Ben Widawsky 2021-02-01 21:58 ` Ben Widawsky 2021-02-01 22:23 ` David Rientjes 2021-02-01 22:23 ` David Rientjes 2021-02-01 22:28 ` Ben Widawsky 2021-02-01 22:28 ` Ben Widawsky 2021-02-01 22:33 ` Ben Widawsky 2021-02-01 22:33 ` Ben Widawsky 2021-02-01 22:45 ` David Rientjes 2021-02-01 22:45 ` David Rientjes 2021-02-01 22:50 ` Ben Widawsky 2021-02-01 22:50 ` Ben Widawsky 2021-02-01 23:09 ` David Rientjes 2021-02-01 23:09 ` David Rientjes 2021-02-01 23:17 ` Ben Widawsky 2021-02-01 23:17 ` Ben Widawsky 2021-02-01 23:58 ` David Rientjes 2021-02-01 23:58 ` David Rientjes 2021-02-02 0:11 ` Ben Widawsky 2021-02-02 0:11 ` Ben Widawsky 2021-02-02 0:14 ` Dan Williams 2021-02-02 0:14 ` Dan Williams 2021-02-02 1:09 ` David Rientjes 2021-02-02 1:09 ` David Rientjes 2021-02-01 22:02 ` Dan Williams 2021-02-01 22:02 ` Dan Williams 2021-02-01 17:41 ` Konrad Rzeszutek Wilk 2021-02-01 17:41 ` Konrad Rzeszutek Wilk 2021-02-01 17:50 ` Ben Widawsky 2021-02-01 17:50 ` Ben Widawsky 2021-02-01 18:08 ` Konrad Rzeszutek Wilk 2021-02-01 18:08 ` Konrad Rzeszutek Wilk 2021-02-02 18:10 ` Christoph Hellwig 2021-02-02 18:10 ` Christoph Hellwig 2021-02-02 18:24 ` Ben Widawsky 2021-02-02 18:24 ` Ben Widawsky 2021-02-03 17:15 ` Christoph Hellwig 2021-02-03 17:15 ` Christoph Hellwig 2021-02-03 17:23 ` Ben Widawsky 2021-02-03 17:23 ` Ben Widawsky 2021-02-03 21:23 ` Dan Williams 2021-02-03 21:23 ` Dan Williams 2021-02-04 7:16 ` Christoph Hellwig 2021-02-04 7:16 ` Christoph Hellwig 2021-02-04 15:29 ` Ben Widawsky 2021-02-04 15:29 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 04/14] cxl/mem: Implement polled mode mailbox Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 23:51 ` David Rientjes 2021-01-30 23:51 ` David Rientjes 2021-02-01 20:00 ` Dan Williams 2021-02-01 20:00 ` Dan Williams 2021-02-02 22:57 ` Ben Widawsky 2021-02-02 22:57 ` Ben Widawsky 2021-02-02 23:54 ` Dan Williams 2021-02-02 23:54 ` Dan Williams 2021-02-03 0:54 ` Ben Widawsky 2021-02-03 0:54 ` Ben Widawsky 2021-02-02 22:50 ` Ben Widawsky 2021-02-02 22:50 ` Ben Widawsky 2021-02-01 17:54 ` Konrad Rzeszutek Wilk 2021-02-01 17:54 ` Konrad Rzeszutek Wilk 2021-02-01 19:13 ` Ben Widawsky 2021-02-01 19:13 ` Ben Widawsky 2021-02-01 19:28 ` Dan Williams 2021-02-01 19:28 ` Dan Williams 2021-02-04 21:53 ` [EXT] " John Groves (jgroves) 2021-02-04 22:24 ` Ben Widawsky 2021-02-04 22:24 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 05/14] cxl/mem: Register CXL memX devices Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 0:31 ` Dan Williams 2021-01-30 0:31 ` Dan Williams 2021-01-30 23:52 ` David Rientjes 2021-01-30 23:52 ` David Rientjes 2021-02-01 17:10 ` Ben Widawsky 2021-02-01 17:10 ` Ben Widawsky 2021-02-01 21:53 ` David Rientjes 2021-02-01 21:53 ` David Rientjes 2021-02-01 21:55 ` Dan Williams 2021-02-01 21:55 ` Dan Williams 2021-02-02 18:13 ` Christoph Hellwig 2021-02-02 18:13 ` Christoph Hellwig 2021-01-30 0:24 ` [PATCH 06/14] cxl/mem: Add basic IOCTL interface Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-02-02 18:15 ` Christoph Hellwig 2021-02-02 18:15 ` Christoph Hellwig 2021-02-02 18:33 ` Ben Widawsky 2021-02-02 18:33 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 07/14] cxl/mem: Add send command Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-02-01 18:15 ` Konrad Rzeszutek Wilk 2021-02-01 18:15 ` Konrad Rzeszutek Wilk 2021-02-02 23:08 ` Ben Widawsky 2021-02-02 23:08 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 08/14] taint: add taint for direct hardware access Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-02-01 18:18 ` Konrad Rzeszutek Wilk 2021-02-01 18:18 ` Konrad Rzeszutek Wilk 2021-02-01 18:34 ` Ben Widawsky 2021-02-01 18:34 ` Ben Widawsky 2021-02-01 19:01 ` Dan Williams 2021-02-01 19:01 ` Dan Williams 2021-02-02 2:49 ` Konrad Rzeszutek Wilk 2021-02-02 2:49 ` Konrad Rzeszutek Wilk 2021-02-02 17:46 ` Dan Williams 2021-02-02 17:46 ` Dan Williams 2021-02-08 22:00 ` Dan Williams 2021-02-08 22:00 ` Dan Williams 2021-02-08 22:09 ` Kees Cook 2021-02-08 22:09 ` Kees Cook 2021-02-08 23:05 ` Ben Widawsky 2021-02-08 23:05 ` Ben Widawsky 2021-02-08 23:36 ` Dan Williams 2021-02-08 23:36 ` Dan Williams 2021-02-09 1:03 ` Dan Williams 2021-02-09 1:03 ` Dan Williams 2021-02-09 3:36 ` Ben Widawsky 2021-02-09 3:36 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 09/14] cxl/mem: Add a "RAW" send command Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-02-01 18:24 ` Konrad Rzeszutek Wilk 2021-02-01 18:24 ` Konrad Rzeszutek Wilk 2021-02-01 19:27 ` Ben Widawsky 2021-02-01 19:27 ` Ben Widawsky 2021-02-01 19:34 ` Konrad Rzeszutek Wilk 2021-02-01 19:34 ` Konrad Rzeszutek Wilk 2021-02-01 21:20 ` Dan Williams 2021-02-01 21:20 ` Dan Williams 2021-01-30 0:24 ` [PATCH 10/14] cxl/mem: Create concept of enabled commands Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 11/14] cxl/mem: Use CEL for enabling commands Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 12/14] cxl/mem: Add set of informational commands Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-01-30 0:24 ` [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h) Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky 2021-02-01 18:28 ` Konrad Rzeszutek Wilk 2021-02-01 18:28 ` Konrad Rzeszutek Wilk 2021-02-02 23:51 ` Ben Widawsky 2021-02-02 23:51 ` Ben Widawsky 2021-02-02 23:57 ` Dan Williams 2021-02-02 23:57 ` Dan Williams 2021-02-03 17:16 ` Ben Widawsky 2021-02-03 17:16 ` Ben Widawsky 2021-02-03 18:14 ` Konrad Rzeszutek Wilk 2021-02-03 18:14 ` Konrad Rzeszutek Wilk 2021-02-03 20:31 ` Dan Williams [this message] 2021-02-03 20:31 ` Dan Williams 2021-02-04 18:55 ` Ben Widawsky 2021-02-04 18:55 ` Ben Widawsky 2021-02-04 21:01 ` Dan Williams 2021-02-04 21:01 ` Dan Williams 2021-01-30 0:24 ` [PATCH 14/14] MAINTAINERS: Add maintainers of the CXL driver Ben Widawsky 2021-01-30 0:24 ` Ben Widawsky
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAPcyv4hMM9isho5d8wS=5vtP0NxE5KA0HrMp+Bx2PZhPDrrWsg@mail.gmail.com' \ --to=dan.j.williams@intel.com \ --cc=Jonathan.Cameron@huawei.com \ --cc=ben.widawsky@intel.com \ --cc=cbrowy@avery-design.com \ --cc=daniel.lll@alibaba-inc.com \ --cc=hch@infradead.org \ --cc=helgaas@kernel.org \ --cc=jcm@jonmasters.org \ --cc=jgroves@micron.com \ --cc=konrad.wilk@oracle.com \ --cc=linux-acpi@vger.kernel.org \ --cc=linux-cxl@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nvdimm@lists.01.org \ --cc=linux-pci@vger.kernel.org \ --cc=rafael.j.wysocki@intel.com \ --cc=rdunlap@infradead.org \ --cc=sean.v.kelley@intel.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.