Date: Tue, 13 Feb 2018 16:29:42 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: Mika Westerberg <mika.westerberg@...ux.intel.com>, linux-kernel@...r.kernel.org
Cc: Andreas Noever <andreas.noever@...il.com>, Michael Jamet <michael.jamet@...el.com>, Yehezkel Bernat <yehezkel.bernat@...el.com>, Bjorn Helgaas <bhelgaas@...gle.com>, Mario.Limonciello@...l.com, Radion Mirchevsky <radion.mirchevsky@...el.com>
Subject: Re: [PATCH 17/18] thunderbolt: Introduce USB only (SL4) security level

On 02/13/2018 09:00 AM, Mika Westerberg wrote:
> This new security level works so that it creates one PCIe tunnel to the
> connected Thunderbolt dock, removing PCIe links downstream of the dock.
> This leaves only the internal USB controller visible.
>
> Display Port tunnels are created normally.
>
> While there make sure security sysfs attribute returns "unknown" for any
> future security level.
>
> Signed-off-by: Mika Westerberg <mika.westerberg@...ux.intel.com>

Hi,
Also update Documentation/admin-guide/thunderbolt.rst ??

> --- > Documentation/ABI/testing/sysfs-bus-thunderbolt | 3 +++ > drivers/thunderbolt/domain.c | 7 ++++++- > include/linux/thunderbolt.h | 4 ++++ > 3 files changed, 13 insertions(+), 1 deletion(-) > > diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt b/Documentation/ABI/testing/sysfs-bus-thunderbolt > index 4ed229789852..151584a1f950 100644 > --- a/Documentation/ABI/testing/sysfs-bus-thunderbolt > +++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt > @@ -35,6 +35,9 @@ Description: This attribute holds current Thunderbolt security level > minimum. User needs to authorize each device. > dponly: Automatically tunnel Display port (and USB). No > PCIe tunnels are created. > + usbonly: Automatically tunnel USB controller of the > + connected Thunderbolt dock (and Display Port). All > + PCIe links downstream of the dock are removed. > > What: /sys/bus/thunderbolt/devices/.../authorized > Date: Sep 2017
> diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c > index cc68faedf42a..526972227dd4 100644 > --- a/drivers/thunderbolt/domain.c > +++ b/drivers/thunderbolt/domain.c > @@ -117,6 +117,7 @@ static const char * const tb_security_names[] = { > [TB_SECURITY_USER] = "user", > [TB_SECURITY_SECURE] = "secure", > [TB_SECURITY_DPONLY] = "dponly", > + [TB_SECURITY_USBONLY] = "usbonly", > }; > > static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr, > @@ -226,8 +227,12 @@ static ssize_t security_show(struct device *dev, struct device_attribute *attr, > char *buf) > { > struct tb *tb = container_of(dev, struct tb, dev); > + const char *name = "unknown"; > > - return sprintf(buf, "%s\n", tb_security_names[tb->security_level]); > + if (tb->security_level < ARRAY_SIZE(tb_security_names)) > + name = tb_security_names[tb->security_level]; > + > + return sprintf(buf, "%s\n", name); > } > static DEVICE_ATTR_RO(security); > > diff --git a/include/linux/thunderbolt.h b/include/linux/thunderbolt.h > index 47251844d064..a3ed26082bc1 100644 > --- a/include/linux/thunderbolt.h > +++ b/include/linux/thunderbolt.h > @@ -45,12 +45,16 @@ enum tb_cfg_pkg_type { > * @TB_SECURITY_USER: User approval required at minimum > * @TB_SECURITY_SECURE: One time saved key required at minimum > * @TB_SECURITY_DPONLY: Only tunnel Display port (and USB) > + * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected > + * Thunderbolt dock (and Display Port). All PCIe > + * links downstream of the dock are removed. > */ > enum tb_security_level { > TB_SECURITY_NONE, > TB_SECURITY_USER, > TB_SECURITY_SECURE, > TB_SECURITY_DPONLY, > + TB_SECURITY_USBONLY, > }; > > /** > thanks, -- ~Randy
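Review bot: the new usbonly entry in Documentation/ABI/testing/sysfs-bus-thunderbolt is open to misreading: "All PCIe links downstream of the dock are removed" on its own can be taken to mean no PCIe at all, which is what the adjacent dponly entry describes, whereas the commit message says one PCIe tunnel to the dock itself is still created so that the dock's internal USB controller stays reachable. Suggest stating that explicitly in the entry, e.g. "One PCIe tunnel to the dock is created; all PCIe links downstream of the dock are removed." While there, the new text says "Display Port" but the dponly entry two lines above says "Display port"; pick one spelling for both.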
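Review bot: the bounds check added to security_show() in drivers/thunderbolt/domain.c catches values past the end of tb_security_names but not a hole inside it: the array is built with designated initializers, so a future tb_security_level value added without a matching entry is in range yet yields a NULL pointer, and sprintf would print "(null)" instead of the "unknown" the commit message promises. Suggest `if (tb->security_level < ARRAY_SIZE(tb_security_names) && tb_security_names[tb->security_level])` so the fallback covers both cases.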
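Review bot: the kernel-doc for TB_SECURITY_USBONLY in include/linux/thunderbolt.h repeats the sysfs wording but gives the next person adding a level no hint that tb_security_names in drivers/thunderbolt/domain.c must be extended alongside the enum; now that security_show() degrades to "unknown" rather than failing, a missing entry would not be noticed at build or test time. A one-line note on the enum saying the two must be kept in step would help. Also, the subject line names this level SL4, but neither the enum comment nor the ABI text carries that numbering; consider adding it so the enum value and the level number can be matched.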