| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5b787d94-af95-a249-69ba-54f1528be11e@infradead.org>
Date: Tue, 13 Feb 2018 16:29:42 -0800
From: Randy Dunlap <rdunlap@...radead.org>
To: Mika Westerberg <mika.westerberg@...ux.intel.com>,
linux-kernel@...r.kernel.org
Cc: Andreas Noever <andreas.noever@...il.com>,
Michael Jamet <michael.jamet@...el.com>,
Yehezkel Bernat <yehezkel.bernat@...el.com>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Mario.Limonciello@...l.com,
Radion Mirchevsky <radion.mirchevsky@...el.com>
Subject: Re: [PATCH 17/18] thunderbolt: Introduce USB only (SL4) security
level
On 02/13/2018 09:00 AM, Mika Westerberg wrote:
> This new security level works so that it creates one PCIe tunnel to the
> connected Thunderbolt dock, removing PCIe links downstream of the dock.
> This leaves only the internal USB controller visible.
>
> Display Port tunnels are created normally.
>
> While there make sure security sysfs attribute returns "unknown" for any
> future security level.
>
> Signed-off-by: Mika Westerberg <mika.westerberg@...ux.intel.com>
Hi,
Also update Documentation/admin-guide/thunderbolt.rst ??
> ---
> Documentation/ABI/testing/sysfs-bus-thunderbolt | 3 +++
> drivers/thunderbolt/domain.c | 7 ++++++-
> include/linux/thunderbolt.h | 4 ++++
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> index 4ed229789852..151584a1f950 100644
> --- a/Documentation/ABI/testing/sysfs-bus-thunderbolt
> +++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> @@ -35,6 +35,9 @@ Description: This attribute holds current Thunderbolt security level
> minimum. User needs to authorize each device.
> dponly: Automatically tunnel Display port (and USB). No
> PCIe tunnels are created.
> + usbonly: Automatically tunnel USB controller of the
> + connected Thunderbolt dock (and Display Port). All
> + PCIe links downstream of the dock are removed.
>
> What: /sys/bus/thunderbolt/devices/.../authorized
> Date: Sep 2017
> diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
> index cc68faedf42a..526972227dd4 100644
> --- a/drivers/thunderbolt/domain.c
> +++ b/drivers/thunderbolt/domain.c
> @@ -117,6 +117,7 @@ static const char * const tb_security_names[] = {
> [TB_SECURITY_USER] = "user",
> [TB_SECURITY_SECURE] = "secure",
> [TB_SECURITY_DPONLY] = "dponly",
> + [TB_SECURITY_USBONLY] = "usbonly",
> };
>
> static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr,
> @@ -226,8 +227,12 @@ static ssize_t security_show(struct device *dev, struct device_attribute *attr,
> char *buf)
> {
> struct tb *tb = container_of(dev, struct tb, dev);
> + const char *name = "unknown";
>
> - return sprintf(buf, "%s\n", tb_security_names[tb->security_level]);
> + if (tb->security_level < ARRAY_SIZE(tb_security_names))
> + name = tb_security_names[tb->security_level];
> +
> + return sprintf(buf, "%s\n", name);
> }
> static DEVICE_ATTR_RO(security);
>
> diff --git a/include/linux/thunderbolt.h b/include/linux/thunderbolt.h
> index 47251844d064..a3ed26082bc1 100644
> --- a/include/linux/thunderbolt.h
> +++ b/include/linux/thunderbolt.h
> @@ -45,12 +45,16 @@ enum tb_cfg_pkg_type {
> * @TB_SECURITY_USER: User approval required at minimum
> * @TB_SECURITY_SECURE: One time saved key required at minimum
> * @TB_SECURITY_DPONLY: Only tunnel Display port (and USB)
> + * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected
> + * Thunderbolt dock (and Display Port). All PCIe
> + * links downstream of the dock are removed.
> */
> enum tb_security_level {
> TB_SECURITY_NONE,
> TB_SECURITY_USER,
> TB_SECURITY_SECURE,
> TB_SECURITY_DPONLY,
> + TB_SECURITY_USBONLY,
> };
>
> /**
>
thanks,
--
~Randy
Powered by blists - more mailing lists