From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97CA5C4320A for ; Thu, 5 Aug 2021 18:11:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7EAAE60F43 for ; Thu, 5 Aug 2021 18:11:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241006AbhHESMB (ORCPT ); Thu, 5 Aug 2021 14:12:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:44734 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239986AbhHESMA (ORCPT ); Thu, 5 Aug 2021 14:12:00 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AF09A60F25; Thu, 5 Aug 2021 18:11:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1628187106; bh=bCqDkZoewa4Itcg2pGQD3OuK7e6G6yDkQbh7McanSR0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=OGwO6SNGjiVK5Uq/XID5d1YgoYhkFNieVoUh+bHUsdRjlPZMThcU0IIO53CnhjE69 bA59vHAXgdHt/JtWtHKZ1lSjIvTHaIN0A6g2hF8F0TCAPShBpr1EgCfed+MCjzrTkt Xnw+/NMmG+g89eMEKeObNB3r3zhIWqSfVz54z4Io= Date: Thu, 5 Aug 2021 20:11:43 +0200 From: Greg Kroah-Hartman To: Andi Kleen Cc: "Kuppuswamy, Sathyanarayanan" , Dan Williams , "Rafael J . Wysocki" , Jonathan Corbet , Kuppuswamy Sathyanarayanan , Linux Kernel Mailing List , Linux Doc Mailing List Subject: Re: [PATCH v1] driver: base: Add driver filter support Message-ID: References: <20210804174322.2898409-1-sathyanarayanan.kuppuswamy@linux.intel.com> <1e9efeb3-4aef-68e2-6af3-cf6bb5decb38@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 05, 2021 at 10:52:10AM -0700, Andi Kleen wrote: > > On 8/5/2021 10:25 AM, Kuppuswamy, Sathyanarayanan wrote: > > > > > > On 8/5/21 9:37 AM, Dan Williams wrote: > > > I overlooked the "authorized" attribute in usb and thunderbolt. The > > > collision problem makes sense. Are you open to a core "authorized" > > > attribute that buses like usb and thunderbolt would override in favor > > > of their local implementation? I.e. similar to suppress_bind_attrs: > > > > Even if such overriding is allowed in default boot, it should not be > > allowed in protected guest + driver_filter model. > > > Allowing overriding would be acceptable, as long as nobody does it by > default. In theory a (root) user program can already do other things that > make the guest insecure. > > Still it's not clear to me how this proposal solves the builtin and platform > drivers problem. AFAIK that needs a builtin allowlist in any case. And once > we have that likely we don't need anything else for current TDX at least, > because the allowlist is so small and there is no concept of hotplug or > similar. What specific platform drivers do you need on these systems that you would ever want to exclude some and not just allow them all? > Also another consideration is that we were trying to avoid relying too much > on user space for this. One of the goals was to move an existing guest image > to a confidential guest with only minor changes (new kernel / enable > attestation). Complex changes for securing it would make that much harder. Just deny all and only allow the ones you "trust". That is a well-defined policy that (/me checks notes) Intel created for USB a very long time ago. greg k-h