Message-ID: <20230324004919.GHZBzzj1FzwEZclTCL@fat_crate.local>
Date:   Fri, 24 Mar 2023 01:49:19 +0100
From:   Borislav Petkov <bp@...en8.de>
To:     kyle-meyer <kyle.meyer@....com>
Cc:     dimitri.sivanich@....com, steve.wahl@....com, tglx@...utronix.de,
        mingo@...hat.com, dave.hansen@...ux.intel.com, x86@...nel.org,
        hpa@...or.com, tony.luck@...el.com, qiuxu.zhuo@...el.com,
        yazen.ghannam@....com, linux-kernel@...r.kernel.org,
        linux-edac@...r.kernel.org
Subject: Re: [PATCH] RAS/CEC: Move non-debug attributes out of debugfs

On Thu, Mar 23, 2023 at 03:22:01PM -0500, kyle-meyer wrote:
> From: Kyle Meyer <kyle.meyer@....com>
> 
> When kernel lockdown is in effect, use of debugfs is not permitted. Move
> decay_interval and action_threshold out of debugfs, from debugfs/ras/cec
> to sysfs/system/devices/machinecheck/cec.

All those knobs are in debugfs because we wanted to discuss the proper
interface design first and only then cast them in stone. I guess that
has not happened yet.

What you're doing is certainly not what we had in mind so just because
some lockdown policy says so, is not good enough.

> diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
> index 2eec60f50057..1a3eaa501ae4 100644
> --- a/arch/x86/kernel/cpu/mce/core.c
> +++ b/arch/x86/kernel/cpu/mce/core.c
> @@ -2376,10 +2376,11 @@ static void mce_enable_ce(void *all)
>  		__mcheck_cpu_init_timer();
>  }
>  
> -static struct bus_type mce_subsys = {
> +struct bus_type mce_subsys = {
>  	.name		= "machinecheck",
>  	.dev_name	= "machinecheck",
>  };
> +EXPORT_SYMBOL_GPL(mce_subsys);
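
Review bot: Dropping `static` from `mce_subsys` and adding `EXPORT_SYMBOL_GPL(mce_subsys)` at the end of this hunk exposes the whole non-const `bus_type` object to every GPL module, when the stated goal is only to place two attributes (decay_interval and action_threshold) under it. Consider keeping the struct `static` and having core.c offer a narrow registration helper instead, so that outside code cannot modify or register against the bus directly. The hunk also shows no matching `extern` declaration in a header, and the commit message does not explain why the symbol must be exported rather than wrapped.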

Nope, this is not going to happen.

Besides, that error collector is used on x86 but it is generic enough so
that it can be used by other arches. So if anything, it should not be
exposed in the x86's "machinecheck" hierarchy but somewhere generic.

And until that proper interface has been hammered out, you can just as
well disable it in your lockdown configs.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
