From: Kees Cook <keescook@chromium.org>
To: Dan Williams <dan.j.williams@intel.com>
Cc: Jonathan Corbet <corbet@lwn.net>,
linux-cxl@vger.kernel.org, Ben Widawsky <ben.widawsky@intel.com>,
Linux ACPI <linux-acpi@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-nvdimm <linux-nvdimm@lists.01.org>,
Linux PCI <linux-pci@vger.kernel.org>,
Bjorn Helgaas <helgaas@kernel.org>,
Chris Browy <cbrowy@avery-design.com>,
Ira Weiny <ira.weiny@intel.com>, Jon Masters <jcm@jonmasters.org>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Rafael Wysocki <rafael.j.wysocki@intel.com>,
Randy Dunlap <rdunlap@infradead.org>,
Vishal Verma <vishal.l.verma@intel.com>,
daniel.lll@alibaba-inc.com,
"John Groves (jgroves)" <jgroves@micron.com>,
"Kelley, Sean V" <sean.v.kelley@intel.com>
Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access
Date: Mon, 8 Feb 2021 14:09:19 -0800 [thread overview]
Message-ID: <202102081406.CDE33FB8@keescook> (raw)
In-Reply-To: <CAPcyv4iPXqO5FL4_bmMQaSvmUm9FVrPv9yPJr3Q4DQWYf4t5hQ@mail.gmail.com>
On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:
> [ add Jon Corbet as I'd expect him to be Cc'd on anything that
> generically touches Documentation/ like this, and add Kees as the last
> person who added a taint (tag you're it) ]
>
> Jon, Kees, are either of you willing to ack this concept?
>
> Top-posting to add more context for the below:
>
> This taint is proposed because it has implications for
> CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices
> implement memory like DDR would, but unlike DDR there are
> administrative / configuration commands that demand kernel
> coordination before they can be sent. The posture taken with this
> taint is "guilty until proven innocent" for commands that have yet to
> be explicitly allowed by the driver. This is different than NVME for
> example where an errant vendor-defined command could destroy data on
> the device, but there is no wider threat to system integrity. The
> taint allows a pressure release valve for any and all commands to be
> sent, but flagged with WARN_TAINT_ONCE if the driver has not
> explicitly enabled it on an allowed list of known-good / kernel
> coordinated commands.
>
> On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> >
> > For drivers that moderate access to the underlying hardware it is
> > sometimes desirable to allow userspace to bypass restrictions. Once
> > userspace has done this, the driver can no longer guarantee the sanctity
> > of either the OS or the hardware. When in this state, it is helpful for
> > kernel developers to be made aware (via this taint flag) of this fact
> > for subsequent bug reports.
> >
> > Example usage:
> > - Hardware xyzzy accepts 2 commands, waldo and fred.
> > - The xyzzy driver provides an interface for using waldo, but not fred.
> > - quux is convinced they really need the fred command.
> > - xyzzy driver allows quux to frob hardware to initiate fred.
> > - kernel gets tainted.
> > - turns out fred command is borked, and scribbles over memory.
> > - developers laugh while closing quux's subsequent bug report.
But a taint flag only lasts for the current boot. If this is a drive, it
could still be compromised after reboot. It sounds like this taint is
really only for ephemeral things? "vendor shenanigans" is a pretty giant
scope ...
-Kees
> >
> > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> > ---
> > Documentation/admin-guide/sysctl/kernel.rst | 1 +
> > Documentation/admin-guide/tainted-kernels.rst | 6 +++++-
> > include/linux/kernel.h | 3 ++-
> > kernel/panic.c | 1 +
> > 4 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
> > index 1d56a6b73a4e..3e1eada53504 100644
> > --- a/Documentation/admin-guide/sysctl/kernel.rst
> > +++ b/Documentation/admin-guide/sysctl/kernel.rst
> > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports.
> > 32768 `(K)` kernel has been live patched
> > 65536 `(X)` Auxiliary taint, defined and used by for distros
> > 131072 `(T)` The kernel was built with the struct randomization plugin
> > +262144 `(H)` The kernel has allowed vendor shenanigans
> > ====== ===== ==============================================================
> >
> > See :doc:`/admin-guide/tainted-kernels` for more information.
> > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst
> > index ceeed7b0798d..ee2913316344 100644
> > --- a/Documentation/admin-guide/tainted-kernels.rst
> > +++ b/Documentation/admin-guide/tainted-kernels.rst
> > @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned
> > script, but if you need something quick you can use this shell command to check
> > which bits are set::
> >
> > - $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
> > + $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
> >
> > Table for decoding tainted state
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > @@ -100,6 +100,7 @@ Bit Log Number Reason that got the kernel tainted
> > 15 _/K 32768 kernel has been live patched
> > 16 _/X 65536 auxiliary taint, defined for and used by distros
> > 17 _/T 131072 kernel was built with the struct randomization plugin
> > + 18 _/H 262144 kernel has allowed vendor shenanigans
> > === === ====== ========================================================
> >
> > Note: The character ``_`` is representing a blank in this table to make reading
> > @@ -175,3 +176,6 @@ More detailed explanation for tainting
> > produce extremely unusual kernel structure layouts (even performance
> > pathological ones), which is important to know when debugging. Set at
> > build time.
> > +
> > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make
> > + any guarantees about the stability of the device or driver.
> > diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> > index f7902d8c1048..bc95486f817e 100644
> > --- a/include/linux/kernel.h
> > +++ b/include/linux/kernel.h
> > @@ -443,7 +443,8 @@ extern enum system_states {
> > #define TAINT_LIVEPATCH 15
> > #define TAINT_AUX 16
> > #define TAINT_RANDSTRUCT 17
> > -#define TAINT_FLAGS_COUNT 18
> > +#define TAINT_RAW_PASSTHROUGH 18
> > +#define TAINT_FLAGS_COUNT 19
> > #define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1)
> >
> > struct taint_flag {
> > diff --git a/kernel/panic.c b/kernel/panic.c
> > index 332736a72a58..dff22bd80eaf 100644
> > --- a/kernel/panic.c
> > +++ b/kernel/panic.c
> > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {
> > [ TAINT_LIVEPATCH ] = { 'K', ' ', true },
> > [ TAINT_AUX ] = { 'X', ' ', true },
> > [ TAINT_RANDSTRUCT ] = { 'T', ' ', true },
> > + [ TAINT_RAW_PASSTHROUGH ] = { 'H', ' ', true },
> > };
> >
> > /**
> > --
> > 2.30.0
> >
--
Kees Cook
next prev parent reply other threads:[~2021-02-08 22:10 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-30 0:24 [PATCH 00/14] CXL 2.0 Support Ben Widawsky
2021-01-30 0:24 ` [PATCH 01/14] cxl/mem: Introduce a driver for CXL-2.0-Type-3 endpoints Ben Widawsky
2021-01-30 23:51 ` David Rientjes
2021-02-01 17:21 ` Jonathan Cameron
2021-02-01 17:34 ` Konrad Rzeszutek Wilk
2021-02-02 17:58 ` Christoph Hellwig
2021-02-02 18:00 ` Christoph Hellwig
2021-01-30 0:24 ` [PATCH 02/14] cxl/mem: Map memory device registers Ben Widawsky
2021-01-30 23:51 ` David Rientjes
2021-02-01 16:46 ` Ben Widawsky
2021-02-01 18:19 ` Jonathan Cameron
2021-02-01 17:36 ` Konrad Rzeszutek Wilk
2021-02-02 18:04 ` Christoph Hellwig
2021-02-02 18:31 ` Ben Widawsky
2021-02-03 17:12 ` Christoph Hellwig
2021-01-30 0:24 ` [PATCH 03/14] cxl/mem: Find device capabilities Ben Widawsky
2021-01-30 23:51 ` David Rientjes
2021-02-01 16:53 ` Ben Widawsky
2021-02-01 21:51 ` David Rientjes
2021-02-01 21:58 ` Ben Widawsky
2021-02-01 22:23 ` David Rientjes
2021-02-01 22:28 ` Ben Widawsky
2021-02-01 22:33 ` Ben Widawsky
2021-02-01 22:45 ` David Rientjes
2021-02-01 22:50 ` Ben Widawsky
2021-02-01 23:09 ` David Rientjes
2021-02-01 23:17 ` Ben Widawsky
2021-02-01 23:58 ` David Rientjes
2021-02-02 0:11 ` Ben Widawsky
2021-02-02 0:14 ` Dan Williams
2021-02-02 1:09 ` David Rientjes
2021-02-01 22:02 ` Dan Williams
2021-02-01 17:41 ` Konrad Rzeszutek Wilk
2021-02-01 17:50 ` Ben Widawsky
2021-02-01 18:08 ` Konrad Rzeszutek Wilk
2021-02-02 18:10 ` Christoph Hellwig
2021-02-02 18:24 ` Ben Widawsky
2021-02-03 17:15 ` Christoph Hellwig
2021-02-03 17:23 ` Ben Widawsky
2021-02-03 21:23 ` Dan Williams
2021-02-04 7:16 ` Christoph Hellwig
2021-02-04 15:29 ` Ben Widawsky
2021-01-30 0:24 ` [PATCH 04/14] cxl/mem: Implement polled mode mailbox Ben Widawsky
2021-01-30 23:51 ` David Rientjes
2021-02-01 20:00 ` Dan Williams
2021-02-02 22:57 ` Ben Widawsky
2021-02-02 23:54 ` Dan Williams
2021-02-03 0:54 ` Ben Widawsky
2021-02-02 22:50 ` Ben Widawsky
2021-02-01 17:54 ` Konrad Rzeszutek Wilk
2021-02-01 19:13 ` Ben Widawsky
2021-02-01 19:28 ` Dan Williams
[not found] ` <SN6PR08MB46052FE9BC20A747CACD8F50D1B39@SN6PR08MB4605.namprd08.prod.outlook.com>
2021-02-04 22:24 ` [EXT] " Ben Widawsky
2021-01-30 0:24 ` [PATCH 05/14] cxl/mem: Register CXL memX devices Ben Widawsky
2021-01-30 0:31 ` Dan Williams
2021-01-30 23:52 ` David Rientjes
2021-02-01 17:10 ` Ben Widawsky
2021-02-01 21:53 ` David Rientjes
2021-02-01 21:55 ` Dan Williams
2021-02-02 18:13 ` Christoph Hellwig
2021-01-30 0:24 ` [PATCH 06/14] cxl/mem: Add basic IOCTL interface Ben Widawsky
2021-02-02 18:15 ` Christoph Hellwig
2021-02-02 18:33 ` Ben Widawsky
2021-01-30 0:24 ` [PATCH 07/14] cxl/mem: Add send command Ben Widawsky
2021-02-01 18:15 ` Konrad Rzeszutek Wilk
2021-02-02 23:08 ` Ben Widawsky
2021-01-30 0:24 ` [PATCH 08/14] taint: add taint for direct hardware access Ben Widawsky
2021-02-01 18:18 ` Konrad Rzeszutek Wilk
2021-02-01 18:34 ` Ben Widawsky
2021-02-01 19:01 ` Dan Williams
2021-02-02 2:49 ` Konrad Rzeszutek Wilk
2021-02-02 17:46 ` Dan Williams
2021-02-08 22:00 ` Dan Williams
2021-02-08 22:09 ` Kees Cook [this message]
2021-02-08 23:05 ` Ben Widawsky
2021-02-08 23:36 ` Dan Williams
2021-02-09 1:03 ` Dan Williams
2021-02-09 3:36 ` Ben Widawsky
2021-01-30 0:24 ` [PATCH 09/14] cxl/mem: Add a "RAW" send command Ben Widawsky
2021-02-01 18:24 ` Konrad Rzeszutek Wilk
2021-02-01 19:27 ` Ben Widawsky
2021-02-01 19:34 ` Konrad Rzeszutek Wilk
2021-02-01 21:20 ` Dan Williams
2021-01-30 0:24 ` [PATCH 10/14] cxl/mem: Create concept of enabled commands Ben Widawsky
2021-01-30 0:24 ` [PATCH 11/14] cxl/mem: Use CEL for enabling commands Ben Widawsky
2021-01-30 0:24 ` [PATCH 12/14] cxl/mem: Add set of informational commands Ben Widawsky
2021-01-30 0:24 ` [PATCH 13/14] cxl/mem: Add limited Get Log command (0401h) Ben Widawsky
2021-02-01 18:28 ` Konrad Rzeszutek Wilk
2021-02-02 23:51 ` Ben Widawsky
2021-02-02 23:57 ` Dan Williams
2021-02-03 17:16 ` Ben Widawsky
2021-02-03 18:14 ` Konrad Rzeszutek Wilk
2021-02-03 20:31 ` Dan Williams
2021-02-04 18:55 ` Ben Widawsky
2021-02-04 21:01 ` Dan Williams
2021-01-30 0:24 ` [PATCH 14/14] MAINTAINERS: Add maintainers of the CXL driver Ben Widawsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202102081406.CDE33FB8@keescook \
--to=keescook@chromium.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=ben.widawsky@intel.com \
--cc=cbrowy@avery-design.com \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=daniel.lll@alibaba-inc.com \
--cc=helgaas@kernel.org \
--cc=ira.weiny@intel.com \
--cc=jcm@jonmasters.org \
--cc=jgroves@micron.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvdimm@lists.01.org \
--cc=linux-pci@vger.kernel.org \
--cc=rafael.j.wysocki@intel.com \
--cc=rdunlap@infradead.org \
--cc=sean.v.kelley@intel.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).