lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210521205730.GA444958@bjorn-Precision-5520>
Date:   Fri, 21 May 2021 15:57:30 -0500
From:   Bjorn Helgaas <helgaas@...nel.org>
To:     Rajat Jain <rajatja@...gle.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Alan Stern <stern@...land.harvard.edu>,
        linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org,
        linux-usb@...r.kernel.org, Oliver Neukum <oneukum@...e.com>,
        David Laight <David.Laight@...lab.com>,
        Krzysztof WilczyƄski <kw@...ux.com>,
        rajatxjain@...il.com, jsbarnes@...gle.com, dtor@...gle.com
Subject: Re: [PATCH v4 2/2] PCI: Add sysfs "removable" attribute

On Thu, May 13, 2021 at 04:27:01PM -0700, Rajat Jain wrote:
> A PCI device is "external_facing" if it's a Root Port with the ACPI
> "ExternalFacingPort" property or if it has the DT "external-facing"
> property.  We consider everything downstream from such a device to
> be removable by user.
> 
> We're mainly concerned with consumer platforms with user accessible
> Thunderbolt ports that are vulnerable to DMA attacks, and we expect those
> ports to be identified by firmware as "ExternalFacingPort". Devices in
> traditional hotplug slots can technically be removed, but the expectation
> is that unless the port is marked with "ExternalFacingPort", such devices
> are less accessible to user / may not be removed by end user, and thus not
> exposed as "removable" to userspace.
>
> This can be used to implement userspace policies tailored for
> user removable devices. Eg usage:
> https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2591812
> https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2795038
> (code uses such an attribute to remove external PCI devices or disable
> features on them as needed by the policy desired)
> 
> Signed-off-by: Rajat Jain <rajatja@...gle.com>

Acked-by: Bjorn Helgaas <bhelgaas@...gle.com>

Greg, feel free to merge both these via your tree.

> ---
> v4: - code comments, commit log updates
>     - Make "removable" attribute show up only under devices that are
>       really removable.
> v3: - commit log updated
>     - Rename set_pci_dev_removable() -> pci_set_removable()
>     - Call it after applying early PCI quirks.
> v2: Add documentation
> 
>  .../ABI/testing/sysfs-devices-removable       |  3 ++-
>  drivers/pci/probe.c                           | 22 +++++++++++++++++++
>  2 files changed, 24 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/ABI/testing/sysfs-devices-removable b/Documentation/ABI/testing/sysfs-devices-removable
> index acf7766e800b..bda6c320c8d3 100644
> --- a/Documentation/ABI/testing/sysfs-devices-removable
> +++ b/Documentation/ABI/testing/sysfs-devices-removable
> @@ -14,4 +14,5 @@ Description:
>  
>  		Currently this is only supported by USB (which infers the
>  		information from a combination of hub descriptor bits and
> -		platform-specific data such as ACPI).
> +		platform-specific data such as ACPI) and PCI (which gets this
> +		from ACPI / device tree).
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index 3a62d09b8869..812e0d7fd7a7 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1575,6 +1575,26 @@ static void set_pcie_untrusted(struct pci_dev *dev)
>  		dev->untrusted = true;
>  }
>  
> +static void pci_set_removable(struct pci_dev *dev)
> +{
> +	struct pci_dev *parent = pci_upstream_bridge(dev);
> +
> +	/*
> +	 * We (only) consider everything downstream from an external_facing
> +	 * device to be removable by the user. We're mainly concerned with
> +	 * consumer platforms with user accessible thunderbolt ports that are
> +	 * vulnerable to DMA attacks, and we expect those ports to be marked by
> +	 * the firmware as external_facing. Devices in traditional hotplug
> +	 * slots can technically be removed, but the expectation is that unless
> +	 * the port is marked with external_facing, such devices are less
> +	 * accessible to user / may not be removed by end user, and thus not
> +	 * exposed as "removable" to userspace.
> +	 */
> +	if (parent &&
> +	    (parent->external_facing || dev_is_removable(&parent->dev)))
> +		dev_set_removable(&dev->dev, DEVICE_REMOVABLE);
> +}
> +
>  /**
>   * pci_ext_cfg_is_aliased - Is ext config space just an alias of std config?
>   * @dev: PCI device
> @@ -1822,6 +1842,8 @@ int pci_setup_device(struct pci_dev *dev)
>  	/* Early fixups, before probing the BARs */
>  	pci_fixup_device(pci_fixup_early, dev);
>  
> +	pci_set_removable(dev);
> +
>  	pci_info(dev, "[%04x:%04x] type %02x class %#08x\n",
>  		 dev->vendor, dev->device, dev->hdr_type, dev->class);
>  
> -- 
> 2.31.1.751.gd2f1c929bd-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ