lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3a6889b3-114a-4921-adbb-0579891aca6c@suse.com>
Date: Tue, 18 Mar 2025 19:56:32 +0200
From: Nikolay Borisov <nik.borisov@...e.com>
To: Dave Hansen <dave.hansen@...el.com>, dave.hansen@...ux.intel.com
Cc: kirill.shutemov@...ux.intel.com, linux-coco@...ts.linux.dev,
 x86@...nel.org, linux-kernel@...r.kernel.org, vannapurve@...gle.com
Subject: Re: [RFC PATCH] /dev/mem: Disable /dev/mem under TDX guest



On 18.03.25 г. 16:48 ч., Dave Hansen wrote:
> On 3/18/25 04:36, Nikolay Borisov wrote:
>> 1. Should we forbid getting a descriptor to /dev/mem (this patch)
>> 2. Skip creating /dev/mem altogether3
> 
> Like Kirill mentioned, it would be nice to leverage the existing hooks:
> 
>          if (!capable(CAP_SYS_RAWIO))
>                  return -EPERM;
> 
>          rc = security_locked_down(LOCKDOWN_DEV_MEM);
>          if (rc)
>                  return rc;
> 
> Lockdown seems like a decent fit. We'd also ideally check
> lockdown_is_locked_down() in x86 code and spew epithets if someone is
> booting a CoCo guest without lockdown.
> 
>> 3. Possibly tinker with internals of ioremap to ensure that no memory which is
>> backed by kvm memslots is remapped as shared.
> 
> It's not just memslots, though. It's any TDX private memory which
> includes stuff the TDX module uses like the PAMT or SEPT pages.
> 
> 

How about something along those lines to warn when a CoCo guest is run 
but lockdown is not enabled:

diff --git a/arch/x86/coco/core.c b/arch/x86/coco/core.c
index 9a0ddda3aa69..e34f6c0f9269 100644
--- a/arch/x86/coco/core.c
+++ b/arch/x86/coco/core.c
@@ -10,6 +10,7 @@

  #include <linux/export.h>
  #include <linux/cc_platform.h>
+#include <linux/security.h>
  #include <linux/string.h>
  #include <linux/random.h>

@@ -206,6 +207,25 @@ void cc_platform_set(enum cc_attr attr)
         }
  }

+static int __init cc_lockdown_warn(void)
+{
+       if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
+               return 0;
+
+       /* Not a CoCo guest */
+       if (!cpu_feature_enabled(X86_FEATURE_TDX_GUEST) ||
+           cc_platform_has(CC_ATTR_HOST_SEV_SNP))
+               return 0;
+
+
+       if (!security_locked_down(LOCKDOWN_DEV_MEM))
+               pr_warn("CoCo guest running with kernel lockdown 
disabled\n");
+
+       return 0;
+}
+late_initcall(cc_lockdown_warn);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ