lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202102081406.CDE33FB8@keescook>
Date:   Mon, 8 Feb 2021 14:09:19 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Dan Williams <dan.j.williams@...el.com>
Cc:     Jonathan Corbet <corbet@....net>, linux-cxl@...r.kernel.org,
        Ben Widawsky <ben.widawsky@...el.com>,
        Linux ACPI <linux-acpi@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-nvdimm <linux-nvdimm@...ts.01.org>,
        Linux PCI <linux-pci@...r.kernel.org>,
        Bjorn Helgaas <helgaas@...nel.org>,
        Chris Browy <cbrowy@...ry-design.com>,
        Ira Weiny <ira.weiny@...el.com>,
        Jon Masters <jcm@...masters.org>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        Rafael Wysocki <rafael.j.wysocki@...el.com>,
        Randy Dunlap <rdunlap@...radead.org>,
        Vishal Verma <vishal.l.verma@...el.com>,
        daniel.lll@...baba-inc.com,
        "John Groves (jgroves)" <jgroves@...ron.com>,
        "Kelley, Sean V" <sean.v.kelley@...el.com>
Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access

On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:
> [ add Jon Corbet as I'd expect him to be Cc'd on anything that
> generically touches Documentation/ like this, and add Kees as the last
> person who added a taint (tag you're it) ]
> 
> Jon, Kees, are either of you willing to ack this concept?
> 
> Top-posting to add more context for the below:
> 
> This taint is proposed because it has implications for
> CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices
> implement memory like DDR would, but unlike DDR there are
> administrative / configuration commands that demand kernel
> coordination before they can be sent. The posture taken with this
> taint is "guilty until proven innocent" for commands that have yet to
> be explicitly allowed by the driver. This is different than NVME for
> example where an errant vendor-defined command could destroy data on
> the device, but there is no wider threat to system integrity. The
> taint allows a pressure release valve for any and all commands to be
> sent, but flagged with WARN_TAINT_ONCE if the driver has not
> explicitly enabled it on an allowed list of known-good / kernel
> coordinated commands.
> 
> On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@...el.com> wrote:
> >
> > For drivers that moderate access to the underlying hardware it is
> > sometimes desirable to allow userspace to bypass restrictions. Once
> > userspace has done this, the driver can no longer guarantee the sanctity
> > of either the OS or the hardware. When in this state, it is helpful for
> > kernel developers to be made aware (via this taint flag) of this fact
> > for subsequent bug reports.
> >
> > Example usage:
> > - Hardware xyzzy accepts 2 commands, waldo and fred.
> > - The xyzzy driver provides an interface for using waldo, but not fred.
> > - quux is convinced they really need the fred command.
> > - xyzzy driver allows quux to frob hardware to initiate fred.
> >   - kernel gets tainted.
> > - turns out fred command is borked, and scribbles over memory.
> > - developers laugh while closing quux's subsequent bug report.

But a taint flag only lasts for the current boot. If this is a drive, it
could still be compromised after reboot. It sounds like this taint is
really only for ephemeral things? "vendor shenanigans" is a pretty giant
scope ...

-Kees

> >
> > Signed-off-by: Ben Widawsky <ben.widawsky@...el.com>
> > ---
> >  Documentation/admin-guide/sysctl/kernel.rst   | 1 +
> >  Documentation/admin-guide/tainted-kernels.rst | 6 +++++-
> >  include/linux/kernel.h                        | 3 ++-
> >  kernel/panic.c                                | 1 +
> >  4 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
> > index 1d56a6b73a4e..3e1eada53504 100644
> > --- a/Documentation/admin-guide/sysctl/kernel.rst
> > +++ b/Documentation/admin-guide/sysctl/kernel.rst
> > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports.
> >   32768  `(K)`  kernel has been live patched
> >   65536  `(X)`  Auxiliary taint, defined and used by for distros
> >  131072  `(T)`  The kernel was built with the struct randomization plugin
> > +262144  `(H)`  The kernel has allowed vendor shenanigans
> >  ======  =====  ==============================================================
> >
> >  See :doc:`/admin-guide/tainted-kernels` for more information.
> > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst
> > index ceeed7b0798d..ee2913316344 100644
> > --- a/Documentation/admin-guide/tainted-kernels.rst
> > +++ b/Documentation/admin-guide/tainted-kernels.rst
> > @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned
> >  script, but if you need something quick you can use this shell command to check
> >  which bits are set::
> >
> > -       $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
> > +       $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done
> >
> >  Table for decoding tainted state
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > @@ -100,6 +100,7 @@ Bit  Log  Number  Reason that got the kernel tainted
> >   15  _/K   32768  kernel has been live patched
> >   16  _/X   65536  auxiliary taint, defined for and used by distros
> >   17  _/T  131072  kernel was built with the struct randomization plugin
> > + 18  _/H  262144  kernel has allowed vendor shenanigans
> >  ===  ===  ======  ========================================================
> >
> >  Note: The character ``_`` is representing a blank in this table to make reading
> > @@ -175,3 +176,6 @@ More detailed explanation for tainting
> >       produce extremely unusual kernel structure layouts (even performance
> >       pathological ones), which is important to know when debugging. Set at
> >       build time.
> > +
> > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make
> > +     any guarantees about the stability of the device or driver.
> > diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> > index f7902d8c1048..bc95486f817e 100644
> > --- a/include/linux/kernel.h
> > +++ b/include/linux/kernel.h
> > @@ -443,7 +443,8 @@ extern enum system_states {
> >  #define TAINT_LIVEPATCH                        15
> >  #define TAINT_AUX                      16
> >  #define TAINT_RANDSTRUCT               17
> > -#define TAINT_FLAGS_COUNT              18
> > +#define TAINT_RAW_PASSTHROUGH          18
> > +#define TAINT_FLAGS_COUNT              19
> >  #define TAINT_FLAGS_MAX                        ((1UL << TAINT_FLAGS_COUNT) - 1)
> >
> >  struct taint_flag {
> > diff --git a/kernel/panic.c b/kernel/panic.c
> > index 332736a72a58..dff22bd80eaf 100644
> > --- a/kernel/panic.c
> > +++ b/kernel/panic.c
> > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {
> >         [ TAINT_LIVEPATCH ]             = { 'K', ' ', true },
> >         [ TAINT_AUX ]                   = { 'X', ' ', true },
> >         [ TAINT_RANDSTRUCT ]            = { 'T', ' ', true },
> > +       [ TAINT_RAW_PASSTHROUGH ]       = { 'H', ' ', true },
> >  };
> >
> >  /**
> > --
> > 2.30.0
> >

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ