From: Dan Williams <dan.j.williams@intel.com>
To: Andi Kleen <ak@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Doc Mailing List <linux-doc@vger.kernel.org>
Subject: Re: [PATCH v1] driver: base: Add driver filter support
Date: Thu, 5 Aug 2021 18:00:25 -0700 [thread overview]
Message-ID: <CAPcyv4ju0kzUuamiuE=xC_DoEArk1KxD+n+-TUw0LLTWoSj2VA@mail.gmail.com> (raw)
In-Reply-To: <9b2956f5-3acf-e798-ff0f-002d2d5254db@linux.intel.com>
On Thu, Aug 5, 2021 at 2:10 PM Andi Kleen <ak@linux.intel.com> wrote:
>
>
> On 8/5/2021 12:01 PM, Dan Williams wrote:
>
> >> That's why I think the builtin allow list hook is still needed. Thoughts?
> > I see nothing that prevents a built-in allow list to augment the
> > driver-core default. Is there a gap I'm missing?
>
>
> Okay so you're suggesting to build the builtin allow list on top of the
> existing framework?
>
> I thought Greg's suggestion was to only rely on user space only.
>
> But if we have a way to change the authorized defaults by device (not
> just bus) from inside the kernel at early boot that could well work.
The default usb authorization is set at device creation time inherited
from controller policy, which is in turn inherited from usbcore
policy. So appending a built-in way to augment that policy further
seems doable.
> Doing it only on the bus level I suspect wouldn't work though.
I think /sys/devices/.../$dev/authorized attribute can be used
generically as the override interface, not that the TDX use case cares
about user overrides, but that was the bulk of the unnecessary
reinvention. That also addresses the ABI confusion so tools like
usbguard don't need to look in 2 places to find a device is not
authorized.
That said, per-device authorization is a little bit different than
per-driver trust. Driver trust is easy to reason about for a built-in
policy, while per-device authorization is easy for userspace to reason
about for "why is this device not talking to its driver?".
So a strawman (I'm willing to watch go up in flames like
driver-filter) is an arch overridable callback in driver_sysfs_add()
as a central location where a device could have its authorization
state set if it has not been previously changed from its
initialization value. That callback could then consider device-name,
bus-name, and/or driver-name for the default authorization.
driver_sysfs_add() should also catch drivers that are manually bound
without a bus.
next prev parent reply other threads:[~2021-08-06 1:00 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-04 17:43 [PATCH v1] driver: base: Add driver filter support Kuppuswamy Sathyanarayanan
2021-08-04 18:08 ` Matthew Wilcox
2021-08-04 18:29 ` Kuppuswamy, Sathyanarayanan
2021-08-04 18:33 ` Matthew Wilcox
2021-08-04 19:27 ` Andi Kleen
2021-08-04 18:45 ` Dan Williams
2021-08-04 19:29 ` Greg Kroah-Hartman
2021-08-04 19:50 ` Andi Kleen
2021-08-04 20:09 ` Kuppuswamy, Sathyanarayanan
2021-08-05 7:50 ` Greg Kroah-Hartman
2021-08-05 7:49 ` Greg Kroah-Hartman
2021-08-05 7:55 ` Greg Kroah-Hartman
2021-08-05 7:58 ` Greg Kroah-Hartman
2021-08-05 13:52 ` Andi Kleen
2021-08-05 17:51 ` Greg Kroah-Hartman
2021-08-05 17:58 ` Andi Kleen
2021-08-05 18:09 ` Greg Kroah-Hartman
2021-08-05 18:44 ` Andi Kleen
2021-08-05 19:01 ` Dan Williams
2021-08-05 19:08 ` Kuppuswamy, Sathyanarayanan
2021-08-05 19:28 ` Greg Kroah-Hartman
2021-08-05 21:10 ` Andi Kleen
2021-08-06 1:00 ` Dan Williams [this message]
2021-08-06 5:17 ` Greg Kroah-Hartman
2021-08-06 14:36 ` Dan Williams
2021-08-06 5:07 ` Greg Kroah-Hartman
2021-08-05 18:53 ` Kuppuswamy, Sathyanarayanan
2021-08-05 19:12 ` Greg Kroah-Hartman
2021-08-05 19:18 ` Dan Williams
2021-08-05 19:28 ` Greg Kroah-Hartman
2021-08-05 19:52 ` Dan Williams
2021-08-06 11:15 ` Jonathan Cameron
2021-08-05 16:37 ` Dan Williams
2021-08-05 17:25 ` Kuppuswamy, Sathyanarayanan
2021-08-05 17:48 ` Greg Kroah-Hartman
2021-08-05 17:52 ` Andi Kleen
2021-08-05 18:11 ` Greg Kroah-Hartman
2021-08-05 17:49 ` Greg Kroah-Hartman
2021-08-04 20:11 ` Dan Williams
2021-08-04 20:29 ` Kuppuswamy, Sathyanarayanan
2021-08-04 21:07 ` Matthew Wilcox
2021-08-04 21:28 ` Dan Williams
2021-08-05 4:45 ` Andi Kleen
2021-08-05 7:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPcyv4ju0kzUuamiuE=xC_DoEArk1KxD+n+-TUw0LLTWoSj2VA@mail.gmail.com' \
--to=dan.j.williams@intel.com \
--cc=ak@linux.intel.com \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=knsathya@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).