Open Source and information security mailing list archives
 
Date:   Tue, 13 Feb 2018 16:29:42 -0800
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Mika Westerberg <mika.westerberg@...ux.intel.com>,
        linux-kernel@...r.kernel.org
Cc:     Andreas Noever <andreas.noever@...il.com>,
        Michael Jamet <michael.jamet@...el.com>,
        Yehezkel Bernat <yehezkel.bernat@...el.com>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Mario.Limonciello@...l.com,
        Radion Mirchevsky <radion.mirchevsky@...el.com>
Subject: Re: [PATCH 17/18] thunderbolt: Introduce USB only (SL4) security level

On 02/13/2018 09:00 AM, Mika Westerberg wrote:
> This new security level works so that it creates one PCIe tunnel to the
> connected Thunderbolt dock, removing PCIe links downstream of the dock.
> This leaves only the internal USB controller visible.
> 
> Display Port tunnels are created normally.
> 
> While there, make sure the security sysfs attribute returns "unknown" for
> any future security level.
> 
> Signed-off-by: Mika Westerberg <mika.westerberg@...ux.intel.com>

Hi,

Also update Documentation/admin-guide/thunderbolt.rst ??


> ---
>  Documentation/ABI/testing/sysfs-bus-thunderbolt | 3 +++
>  drivers/thunderbolt/domain.c                    | 7 ++++++-
>  include/linux/thunderbolt.h                     | 4 ++++
>  3 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> index 4ed229789852..151584a1f950 100644
> --- a/Documentation/ABI/testing/sysfs-bus-thunderbolt
> +++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> @@ -35,6 +35,9 @@ Description:	This attribute holds current Thunderbolt security level
>  			minimum. User needs to authorize each device.
>  		dponly: Automatically tunnel Display port (and USB). No
>  			PCIe tunnels are created.
> +		usbonly: Automatically tunnel USB controller of the
> +			 connected Thunderbolt dock (and Display Port). All
> +			 PCIe links downstream of the dock are removed.
>  
>  What: /sys/bus/thunderbolt/devices/.../authorized
>  Date:		Sep 2017
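Review bot: the new usbonly entry in the security attribute description only covers the dock case; it should also say what happens when the connected device is not a dock and has no internal USB controller to tunnel (is nothing tunneled at all, or does the device stay unauthorized?). While touching the entry, consider mentioning the "SL4" name from the subject alongside "usbonly", so someone reading firmware or vendor documentation that uses the SL numbering can map it to this sysfs value.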
> diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
> index cc68faedf42a..526972227dd4 100644
> --- a/drivers/thunderbolt/domain.c
> +++ b/drivers/thunderbolt/domain.c
> @@ -117,6 +117,7 @@ static const char * const tb_security_names[] = {
>  	[TB_SECURITY_USER] = "user",
>  	[TB_SECURITY_SECURE] = "secure",
>  	[TB_SECURITY_DPONLY] = "dponly",
> +	[TB_SECURITY_USBONLY] = "usbonly",
>  };
>  
>  static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr,
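Review bot: tb_security_names[] is indexed by enum tb_security_level, which is defined in include/linux/thunderbolt.h rather than next to the table, so a future level added to the enum without a matching string here is easy to miss. A one-line comment above the array ("keep in sync with enum tb_security_level") would make the coupling visible; the ARRAY_SIZE check added to security_show() in the next hunk keeps such a mismatch from reading past the array, but it does not make the omission noticeable.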
> @@ -226,8 +227,12 @@ static ssize_t security_show(struct device *dev, struct device_attribute *attr,
>  			     char *buf)
>  {
>  	struct tb *tb = container_of(dev, struct tb, dev);
> +	const char *name = "unknown";
>  
> -	return sprintf(buf, "%s\n", tb_security_names[tb->security_level]);
> +	if (tb->security_level < ARRAY_SIZE(tb_security_names))
> +		name = tb_security_names[tb->security_level];
> +
> +	return sprintf(buf, "%s\n", name);
>  }
>  static DEVICE_ATTR_RO(security);
>  
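Review bot: the ARRAY_SIZE(tb_security_names) bounds check in security_show() is an independent robustness fix, not part of adding the new level: before it, any level value outside the table (whatever the firmware happens to report) indexed past the array. Consider splitting it into its own patch ahead of this one so it can be applied and backported on its own, leaving this patch to just extend the table and the enum.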
> diff --git a/include/linux/thunderbolt.h b/include/linux/thunderbolt.h
> index 47251844d064..a3ed26082bc1 100644
> --- a/include/linux/thunderbolt.h
> +++ b/include/linux/thunderbolt.h
> @@ -45,12 +45,16 @@ enum tb_cfg_pkg_type {
>   * @TB_SECURITY_USER: User approval required at minimum
>   * @TB_SECURITY_SECURE: One time saved key required at minimum
>   * @TB_SECURITY_DPONLY: Only tunnel Display port (and USB)
> + * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected
> + *			 Thunderbolt dock (and Display Port). All PCIe
> + *			 links downstream of the dock are removed.
>   */
>  enum tb_security_level {
>  	TB_SECURITY_NONE,
>  	TB_SECURITY_USER,
>  	TB_SECURITY_SECURE,
>  	TB_SECURITY_DPONLY,
> +	TB_SECURITY_USBONLY,
>  };
>  
>  /**
> 
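Review bot: TB_SECURITY_USBONLY is appended after TB_SECURITY_DPONLY, which preserves the existing enumerator values and gives it the value 4, matching the "SL4" in the subject (NONE=0 through USBONLY=4). If that ordering is meant to track the firmware's security level numbering, say so in the kernel-doc block for enum tb_security_level ("values correspond to firmware security levels SL0..SL4; do not reorder"), so the next addition is appended rather than inserted.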

thanks,
-- 
~Randy
