From: Dan Williams <dan.j.williams@intel.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Jonathan Corbet <corbet@lwn.net>, Andi Kleen <ak@linux.intel.com>,
Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Doc Mailing List <linux-doc@vger.kernel.org>
Subject: Re: [PATCH v1] driver: base: Add driver filter support
Date: Wed, 4 Aug 2021 13:11:27 -0700 [thread overview]
Message-ID: <CAPcyv4iEEDCz5719d0vNi=zi=6oN5vctcVfY5P=WQ9j_Zpz6eA@mail.gmail.com> (raw)
In-Reply-To: <YQrqhYEL64CSLRTy@kroah.com>
On Wed, Aug 4, 2021 at 12:29 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Wed, Aug 04, 2021 at 10:43:22AM -0700, Kuppuswamy Sathyanarayanan wrote:
> > Intel's Trust Domain Extensions (TDX) is a new Intel technology that
> > adds support for VMs to maintain confidentiality and integrity in the
> > presence of an untrusted VMM.
> >
> > Given the VMM is an untrusted entity and the VMM presents emulated
> > hardware to the guest, a threat vector similar to Thunderclap [1] is
> > present. Also, for ease of deployment, it is useful to be able to use
> > the same kernel binary on host and guest, but that presents a wide
> > attack surface given the range of hardware supported in typical
> > builds. However, TDX guests only require a small number of drivers, a
> > number small enough to audit for Thunderclap style attacks, and the
> > rest can be disabled via policy. Add a mechanism to filter drivers
> > based on a "protected-guest trusted" indication.
>
> So you are trying to work around the "problem" that distro kernels
> provides drivers for everything by adding additional kernel complexity?
>
> What prevents you from using a sane, stripped down, kernel image for
> these vms which would keep things sane and simpler and easier to audit
> and most importantly, prove, that the image is not doing something you
> don't expect it to do?
>
> Why not just make distros that want to support this type of platform,
> also provide these tiny kernel images? Why are you pushing this work on
> the kernel community instead?
In fact, these questions are where I started when first encountering
this proposal. Andi has addressed the single kernel image constraint,
but I want to pick up on this "pushing work to the kernel community"
contention. The small list of vetted drivers that a TDX guest needs
will be built-in and maintained in the kernel by the protected guest
developer community, so no "pushing work" there. However, given that
any driver disable mechanism needs to touch the driver core I
advocated to go ahead and make this a general purpose capability to
pick up where this [1] conversation left off. I.e. a general facility
for the corner cases that modprobe and kernel config policy can not
reach. Corner cases like VMM attacking the VM, or broken hardware with
a built-in driver that can't be unbound after the fact.
[1]: https://lore.kernel.org/lkml/20170928090901.GC12599@kroah.com/
>
> > An alternative solution is to disable untrusted drivers using a custom
> > kernel config for TDX, but such solution will break our goal of using
> > same kernel binary in guest/host or in standard OS distributions. So
> > it is not considered.
>
> Why is that a goal that you _have_ to have? Who is making that
> requirement?
>
> > Driver filter framework adds support to filter drivers at boot
> > time by using platform specific allow list. This is a generic
> > solution that can be reused by TDX. Driver filter framework adds a
> > new hook (driver_allowed()) in driver_register() interface which
> > will update the "allowed" status of the driver based on platform
> > specific driver allow list or deny list. During driver bind process,
> > trusted status is used to determine whether to continue or deny the
> > bind process. If platform does not register any allow or deny list,
> > all devices will be allowed. Platforms can use wildcard like "ALL:ALL"
> > in bus_name and driver_name of filter node to allow or deny all
> > bus and drivers.
> >
> > Per driver opt-in model is also considered as an alternative design
> > choice, but central allow or deny list is chosen because it is
> > easier to maintain and audit. Also, "driver self serve" might be
> > abused by mistake by driver authors cutting and pasting the code.
> >
> > Also add an option in kernel command line and sysfs to update the
> > allowed or denied drivers list. Driver filter allowed status
> > can be read using following command.
> >
> > cat /sys/bus/$bus/drivers/$driver/allowed
>
> You added a sysfs file without Documentation/ABI/ update as well?
>
> {sigh}
Argh, my fault, that one slipped through in the internal review.
next prev parent reply other threads:[~2021-08-04 20:11 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-04 17:43 [PATCH v1] driver: base: Add driver filter support Kuppuswamy Sathyanarayanan
2021-08-04 18:08 ` Matthew Wilcox
2021-08-04 18:29 ` Kuppuswamy, Sathyanarayanan
2021-08-04 18:33 ` Matthew Wilcox
2021-08-04 19:27 ` Andi Kleen
2021-08-04 18:45 ` Dan Williams
2021-08-04 19:29 ` Greg Kroah-Hartman
2021-08-04 19:50 ` Andi Kleen
2021-08-04 20:09 ` Kuppuswamy, Sathyanarayanan
2021-08-05 7:50 ` Greg Kroah-Hartman
2021-08-05 7:49 ` Greg Kroah-Hartman
2021-08-05 7:55 ` Greg Kroah-Hartman
2021-08-05 7:58 ` Greg Kroah-Hartman
2021-08-05 13:52 ` Andi Kleen
2021-08-05 17:51 ` Greg Kroah-Hartman
2021-08-05 17:58 ` Andi Kleen
2021-08-05 18:09 ` Greg Kroah-Hartman
2021-08-05 18:44 ` Andi Kleen
2021-08-05 19:01 ` Dan Williams
2021-08-05 19:08 ` Kuppuswamy, Sathyanarayanan
2021-08-05 19:28 ` Greg Kroah-Hartman
2021-08-05 21:10 ` Andi Kleen
2021-08-06 1:00 ` Dan Williams
2021-08-06 5:17 ` Greg Kroah-Hartman
2021-08-06 14:36 ` Dan Williams
2021-08-06 5:07 ` Greg Kroah-Hartman
2021-08-05 18:53 ` Kuppuswamy, Sathyanarayanan
2021-08-05 19:12 ` Greg Kroah-Hartman
2021-08-05 19:18 ` Dan Williams
2021-08-05 19:28 ` Greg Kroah-Hartman
2021-08-05 19:52 ` Dan Williams
2021-08-06 11:15 ` Jonathan Cameron
2021-08-05 16:37 ` Dan Williams
2021-08-05 17:25 ` Kuppuswamy, Sathyanarayanan
2021-08-05 17:48 ` Greg Kroah-Hartman
2021-08-05 17:52 ` Andi Kleen
2021-08-05 18:11 ` Greg Kroah-Hartman
2021-08-05 17:49 ` Greg Kroah-Hartman
2021-08-04 20:11 ` Dan Williams [this message]
2021-08-04 20:29 ` Kuppuswamy, Sathyanarayanan
2021-08-04 21:07 ` Matthew Wilcox
2021-08-04 21:28 ` Dan Williams
2021-08-05 4:45 ` Andi Kleen
2021-08-05 7:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPcyv4iEEDCz5719d0vNi=zi=6oN5vctcVfY5P=WQ9j_Zpz6eA@mail.gmail.com' \
--to=dan.j.williams@intel.com \
--cc=ak@linux.intel.com \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=knsathya@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).