Re: [PATCH v6 02/14] Documentation/x86: Secure Launch kernel documentation

From: Thomas Gleixner
Date: Fri May 12 2023 - 09:20:14 EST

Next message: Shenwei Wang: "[PATCH v4] net: fec: using the standard return codes when xdp xmit errors"
Previous message: Harald Mommer: "Re: [virtio-dev] [RFC PATCH 1/1] can: virtio: Initial virtio CAN driver."
In reply to: Matthew Garrett: "Re: [PATCH v6 02/14] Documentation/x86: Secure Launch kernel documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 04 2023 at 14:50, Ross Philipson wrote:
> +KASLR Configuration
> +-------------------
> +
> +Secure Launch does not interoperate with KASLR. If possible, the MLE should be
> +built with KASLR disabled::

Why?

> + "Processor type and features" -->
> + "Build a relocatable kernel" -->
> + "Randomize the address of the kernel image (KASLR) [ ]"
> +
> +This unsets the Kconfig value CONFIG_RANDOMIZE_BASE.
> +
> +If not possible, KASLR must be disabled on the kernel command line when doing
> +a Secure Launch as follows::
> +
> + nokaslr

So what happens if KASLR is enabled in Kconfig and not disabled on the
command line?

> +IOMMU Configuration
> +-------------------
> +
> +When doing a Secure Launch, the IOMMU should always be enabled and the drivers
> +loaded. However, IOMMU passthrough mode should never be used. This leaves the
> +MLE completely exposed to DMA after the PMR's [2]_ are disabled. The current default
> +mode is to use IOMMU in lazy translated mode but strict translated mode is the preferred
> +IOMMU mode and this should be selected in the build configuration::
> +
> + "Device Drivers" -->
> + "IOMMU Hardware Support" -->
> + "IOMMU default domain type" -->
> + "(X) Translated - Strict"
> +
> +In addition, the Intel IOMMU should be on by default. The following sets this as the
> +default in the build configuration::
> +
> + "Device Drivers" -->
> + "IOMMU Hardware Support" -->
> + "Support for Intel IOMMU using DMA Remapping Devices [*]"
> +
> +and::
> +
> + "Device Drivers" -->
> + "IOMMU Hardware Support" -->
> + "Support for Intel IOMMU using DMA Remapping Devices [*]" -->
> + "Enable Intel DMA Remapping Devices by default [*]"
> +
> +It is recommended that no other command line options should be set to override
> +the defaults above.

Is any of this validated and are proper warnings emitted or is it just
recommended and left to the user to do the right thing?

Thanks,

tglx

Next message: Shenwei Wang: "[PATCH v4] net: fec: using the standard return codes when xdp xmit errors"
Previous message: Harald Mommer: "Re: [virtio-dev] [RFC PATCH 1/1] can: virtio: Initial virtio CAN driver."
In reply to: Matthew Garrett: "Re: [PATCH v6 02/14] Documentation/x86: Secure Launch kernel documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]