Message-ID: <599905d9-19ac-4027-85d1-9b185603051c@gmail.com>
Date: Fri, 9 Jan 2026 01:00:48 +0200
From: Sergey Ryazanov <ryazanov.s.a@...il.com>
To: "wanquan.zhong" <zwq2226404116@....com>,
 chandrashekar.devegowda@...el.com, chiranjeevi.rapolu@...ux.intel.com,
 haijun.liu@...iatek.com, ricardo.martinez@...ux.intel.com
Cc: netdev@...r.kernel.org, loic.poulain@....qualcomm.com,
 johannes@...solutions.net, davem@...emloft.net, andrew+netdev@...n.ch,
 kuba@...nel.org, pabeni@...hat.com, linux-kernel@...r.kernel.org,
 "wanquan.zhong" <wanquan.zhong@...ocom.com>
Subject: Re: [PATCH] wwan: t7xx: Add CONFIG_WWAN_DEBUG_PORTS to control ADB
 debug port

Hi Wanquan,

On 1/8/26 14:52, wanquan.zhong wrote:
> From: "wanquan.zhong" <wanquan.zhong@...ocom.com>
> 
> Add a new Kconfig option CONFIG_WWAN_DEBUG_PORTS for WWAN devices,
> to conditionally enable the ADB debug port functionality. This option:
> - Depends on DEBUG_FS (aligning with existing debug-related WWAN configs)
> - Defaults to 'y'; if it defaults to n, it may cause difficulties for t7xx
> debugging
> - Requires EXPERT to be visible (to avoid accidental enablement)
> 
> In t7xx_port_proxy.c, wrap the ADB port configuration struct with
> CONFIG_WWAN_DEBUG_PORTS, so the port is only exposed when
> the config is explicitly enabled (e.g. for lab debugging scenarios).
> 
> This aligns with security best practices of restricting debug interfaces
> on production user devices, while retaining access for development.

This security argument sounds a bit weak. Debugfs can be enabled easily,
and devlink allowing a firmware replacement is enabled by every 2nd
driver. Proper privilege management contributes to security better.
ADB is hidden by default, and a user has to write a file in sysfs, which
effectively means that he already has root privileges.

BTW, why does the patch disable only ADB? MIPC is not so dangerous?

On the other hand, I agree that ADB is not a port for daily usage, and
it might be beneficial to save some resources by excluding it. The proposed
patch eliminates one array element, which is not worth the burden of
maintaining a new configuration option.

Considering the above, the patch is NACKed by me.

--
Sergey
