From: Ard Biesheuvel <ardb@kernel.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Len Brown <lenb@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
LKML <linux-kernel@vger.kernel.org>,
ACPI Devel Maling List <linux-acpi@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH] acpi: disallow loading configfs acpi tables when locked down
Date: Wed, 17 Jun 2020 10:37:52 +0200 [thread overview]
Message-ID: <CAMj1kXGWma7T+C5TJ2wYZ22MJr=3FQRqDjF--YuGuzFdAygP-g@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9oemScgo2mg8fzqtJCbKJfu-op0WvG5RcpBCS1hHNmpZw@mail.gmail.com>
On Wed, 17 Jun 2020 at 00:21, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Rafael, Len,
>
> Looks like I should have CC'd you on this patch. This is probably
> something we should get into 5.8-rc2, so that it can then get put into
> stable kernels, as some people think this is security sensitive.
> Bigger picture is this:
>
> https://data.zx2c4.com/american-unsigned-language-2.gif
> https://data.zx2c4.com/american-unsigned-language-2-fedora-5.8.png
>
> Also, somebody mentioned to me that Microsoft's ACPI implementation
> disallows writes to system memory as a security mitigation. I haven't
> looked at what that actually entails, but I wonder if entirely
> disabling support for ACPI_ADR_SPACE_SYSTEM_MEMORY would be sensible.
> I haven't looked at too many DSDTs. Would that break real hardware, or
> does nobody do that? Alternatively, the range of acceptable addresses
> for SystemMemory could exclude kernel memory. Would that break
> anything? Have you heard about Microsoft's mitigation to know more
> details on what they figured out they could safely restrict without
> breaking hardware? Either way, food for thought I suppose.
>
ACPI_ADR_SPACE_SYSTEM_MEMORY may be used for everything that is memory
mapped, i.e., PCIe ECAM space, GPIO control registers etc.
I agree that using ACPI_ADR_SPACE_SYSTEM_MEMORY for any memory that is
under the kernel's control is a bad idea, and this should be easy to
filter out: the SystemMemory address space handler needs the ACPI
support routines to map the physical addresses used by AML into
virtual kernel addresses, so all these accesses go through
acpi_os_ioremap(). So as a first step, it should be reasonable to put
a lockdown check there, and fail any access to OS owned memory if
lockdown is enabled, and print a warning if it is not.
next prev parent reply other threads:[~2020-06-17 8:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAHmME9rmAznrAmEQTOaLeMM82iMFTfCNfpxDGXw4CJjuVEF_gQ@mail.gmail.com>
2020-06-15 10:43 ` [PATCH] acpi: disallow loading configfs acpi tables when locked down Jason A. Donenfeld
2020-06-16 22:20 ` Jason A. Donenfeld
2020-06-17 8:37 ` Ard Biesheuvel [this message]
2020-06-17 8:42 ` Jason A. Donenfeld
2020-06-17 16:52 ` Kaneda, Erik
2020-06-22 14:45 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMj1kXGWma7T+C5TJ2wYZ22MJr=3FQRqDjF--YuGuzFdAygP-g@mail.gmail.com' \
--to=ardb@kernel.org \
--cc=Jason@zx2c4.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rjw@rjwysocki.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).