Re: [PATCH V3 2/5] misc: mlx5ctl: Add mlx5ctl misc driver

From: Greg Kroah-Hartman
Date: Fri Dec 08 2023 - 00:29:38 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH V3 2/5] misc: mlx5ctl: Add mlx5ctl misc driver"
Previous message: Kris Van Hees: "[PATCH 6/6] module: add install target for modules.builtin.ranges"
Next in thread: Jason Gunthorpe: "Re: [PATCH V3 2/5] misc: mlx5ctl: Add mlx5ctl misc driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Dec 07, 2023 at 12:06:28PM -0600, Aron Silverton wrote:
> On Thu, Dec 07, 2023 at 09:23:29AM -0800, Jakub Kicinski wrote:
> > On Thu, 7 Dec 2023 10:41:25 -0600 Aron Silverton wrote:
> > > > I understand that having everything packaged and shipped together makes
> > > > life easier.
> > >
> > > I think it is a requirement. We operate with Secure Boot. The kernel is
> > > locked down. We don't have debugfs access, even if it were sufficient,
> > > and we cannot compile and load modules. Even without Secure Boot, there
> > > may not be a build environment available.
> >
> > This 'no debugfs' requirement is a kernel lockdown thing, I presume?
> > Are we expected to throw debugfs out the window and for all vendors
> > to reimplement their debug functionality via a misc driver taking
> > arbitrary ioctls? Not only does that sound like a complete waste of
> > time and going backward in terms of quality of the interfaces, needing
> > custom vendor tools etc. etc., but also you go from (hopefully somewhat)
> > upstream reviewed debugfs interface to an interface where the only
> > security assurance is vendor telling you "trust me, it's all good".
>
> IIRC, with lockdown, we can read from debugfs IFF the entries'
> permissions are 0400. We cannot write. It's not suitable for
> implementing an interactive debug interface.

This is a policy decision that a distro decides to do, and I have seen
it happen many times. The problem with this is then, as you have found
out, vendors try to work around the removal of access to debugfs by
creating new interfaces like misc drivers and sysfs files to emulate
what they were previously exporting with debugfs.

When they do that, they break the reason why the distro/vendor decided
to prevent access to debugfs in the first place, making the whole system
insecure again!

I see this happen all the time in Android devices as Android restricted
access to debugfs many years ago to try to solve the problem of drivers
doing insecure things there. Those drivers then just moved those
insecure operations to a different interface, making the system insecure
again.

To stop this cat-and-mouse game, work with the vendors that are
implementing these requirements to shut down access to these interfaces.
That is a policy decision made by them, and does NOT mean that the
kernel community needs to then start taking code to circumvent those
decisions as that makes the whole thing pointless.

So in short, use debugfs, that is what it was designed for. If a vendor
does not wish to enable access to debugfs, then that is their decision
(probably a good one), don't circumvent it by making a new interface, as
odds are, the vendor will eventually realize it and work to cut off that
new interface as well, as they rightfully should.

thanks,

greg k-h

Next message: Greg Kroah-Hartman: "Re: [PATCH V3 2/5] misc: mlx5ctl: Add mlx5ctl misc driver"
Previous message: Kris Van Hees: "[PATCH 6/6] module: add install target for modules.builtin.ranges"
Next in thread: Jason Gunthorpe: "Re: [PATCH V3 2/5] misc: mlx5ctl: Add mlx5ctl misc driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]