lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 20 May 2021 10:38:52 +0200
From:   Maxime Coquelin <maxime.coquelin@...hat.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     alex.williamson@...hat.com, jmorris@...ei.org, dhowells@...hat.com,
        linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, kvm@...r.kernel.org,
        mjg59@...f.ucam.org, cohuck@...hat.com
Subject: Re: [PATCH] vfio: Lock down no-IOMMU mode when kernel is locked down



On 5/11/21 4:58 AM, Kees Cook wrote:
> On Thu, May 06, 2021 at 11:18:59AM +0200, Maxime Coquelin wrote:
>> When no-IOMMU mode is enabled, VFIO is as unsafe as accessing
>> the PCI BARs via the device's sysfs, which is locked down when
>> the kernel is locked down.
>>
>> Indeed, it is possible for an attacker to craft DMA requests
>> to modify kernel's code or leak secrets stored in the kernel,
>> since the device is not isolated by an IOMMU.
>>
>> This patch introduces a new integrity lockdown reason for the
>> unsafe VFIO no-iommu mode.
>>
>> Signed-off-by: Maxime Coquelin <maxime.coquelin@...hat.com>
>> ---
>>  drivers/vfio/vfio.c      | 13 +++++++++----
>>  include/linux/security.h |  1 +
>>  security/security.c      |  1 +
>>  3 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
>> index 5e631c359ef2..fe466d6ea5d8 100644
>> --- a/drivers/vfio/vfio.c
>> +++ b/drivers/vfio/vfio.c
>> @@ -25,6 +25,7 @@
>>  #include <linux/pci.h>
>>  #include <linux/rwsem.h>
>>  #include <linux/sched.h>
>> +#include <linux/security.h>
>>  #include <linux/slab.h>
>>  #include <linux/stat.h>
>>  #include <linux/string.h>
>> @@ -165,7 +166,8 @@ static void *vfio_noiommu_open(unsigned long arg)
>>  {
>>  	if (arg != VFIO_NOIOMMU_IOMMU)
>>  		return ERR_PTR(-EINVAL);
>> -	if (!capable(CAP_SYS_RAWIO))
>> +	if (!capable(CAP_SYS_RAWIO) ||
>> +			security_locked_down(LOCKDOWN_VFIO_NOIOMMU))
> 
> The LSM hook check should come before the capable() check to avoid
> setting PF_SUPERPRIV if capable() passes and the LSM doesn't.

OK, good to know, I'll swap in next revision.

BTW, it seems other places are doing the capable check before the LSM
hook check, for example in ioport [0].

>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 06f7c50ce77f..f29388180fab 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -120,6 +120,7 @@ enum lockdown_reason {
>>  	LOCKDOWN_MMIOTRACE,
>>  	LOCKDOWN_DEBUGFS,
>>  	LOCKDOWN_XMON_WR,
>> +	LOCKDOWN_VFIO_NOIOMMU,
>>  	LOCKDOWN_INTEGRITY_MAX,
>>  	LOCKDOWN_KCORE,
>>  	LOCKDOWN_KPROBES,
> 
> Is the security threat specific to VFIO? (i.e. could other interfaces
> want a similar thing, such that naming this VFIO doesn't make sense?

It could possibly in theory, maybe something like
"LOCKDOWN_UNRESTRICTED_DMA" would be a better fit?

Maxime

[0]:
https://elixir.bootlin.com/linux/v5.13-rc2/source/arch/x86/kernel/ioport.c#L73

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ