Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers

From: Rajat Jain
Date: Wed Jun 10 2020 - 15:57:17 EST

Next message: Vivek Goyal: "Re: [PATCH 2/2] KVM: async_pf: Inject 'page ready' event only if 'page not present' was previously injected"
Previous message: Alex Elder: "[PATCH net 4/5] net: ipa: header pad field only valid for AP->modem endpoint"
In reply to: Oliver O'Halloran: "Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers"
Next in thread: Rajat Jain: "Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 9, 2020 at 6:34 PM Oliver O'Halloran <oohall@xxxxxxxxx> wrote:
>
> On Wed, Jun 10, 2020 at 7:04 AM Bjorn Helgaas <helgaas@xxxxxxxxxx> wrote:
> >
> > To sketch this out, my understanding of how this would work is:
> >
> > - Expose the PCI pdev->untrusted bit in sysfs. We don't expose this
> > today, but doing so would be trivial. I think I would prefer a
> > sysfs name like "external" so it's more descriptive and less of a
> > judgment.
> >
> > This comes from either the DT "external-facing" property or the
> > ACPI "ExternalFacingPort" property.
>
> I don't think internal / external is the right distinction to be
> making. We have a similar trust issue with the BMC in servers even
> though they're internal devices. They're typically network accessible
> and infrequently updated so treating them as trustworthy isn't a great
> idea. We have been slowly de-privileging the BMC over the last few
> years, but the PCIe interface isn't locked down enough for my liking
> since the SoCs we use do allow software to set the VDID and perform
> arbitrary DMAs (thankfully limited to 32bit). If we're going to add in
> infrastructure for handling possibly untrustworthy PCI devices then
> I'd like to use that for BMCs too.
>
> > - All devices present at boot are enumerated. Any statically built
> > drivers will bind to them before any userspace code runs.
> >
> > If you want to keep statically built drivers from binding, you'd
> > need to invent some mechanism so pci_driver_init() could clear
> > drivers_autoprobe after registering pci_bus_type.
> >
> > - Early userspace code prevents modular drivers from automatically
> > binding to PCI devices:
> >
> > echo 0 > /sys/bus/pci/drivers_autoprobe
> >
> > This prevents modular drivers from binding to all devices, whether
> > present at boot or hot-added.
>
> I don't see why this is preferable to just disabling autoprobe for
> untrusted devices. That would dovetail nicely with Rajat's whitelist
> idea if we want to go down that route and I think we might want to.
> The BMC usually provides some form of VGA console and we'd like that
> to continue working out-of-the-box without too much user (or distro)
> intervention.

I wouldn't mind introducing a kernel parameter to disable auto-probing
of untrusted devices if there is a wider agreement here.
The only notch is that in my opinion, if present, that parameter
should disable auto-probing for "external" devices only (i.e.
"external-facing" devices should still be auto-probed).

Thanks,

Rajat

>
> Oliver

Next message: Vivek Goyal: "Re: [PATCH 2/2] KVM: async_pf: Inject 'page ready' event only if 'page not present' was previously injected"
Previous message: Alex Elder: "[PATCH net 4/5] net: ipa: header pad field only valid for AP->modem endpoint"
In reply to: Oliver O'Halloran: "Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers"
Next in thread: Rajat Jain: "Re: [RFC] Restrict the untrusted devices, to bind to only a set of "whitelisted" drivers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]