lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <668d9900b3522_102cc29442@dwillia2-xfh.jf.intel.com.notmuch>
Date: Tue, 9 Jul 2024 13:09:36 -0700
From: Dan Williams <dan.j.williams@...el.com>
To: Greg KH <gregkh@...uxfoundation.org>, Dan Williams
	<dan.j.williams@...el.com>
CC: <ksummit@...ts.linux.dev>, <linux-cxl@...r.kernel.org>,
	<linux-rdma@...r.kernel.org>, <netdev@...r.kernel.org>, <jgg@...dia.com>
Subject: Re: [MAINTAINERS SUMMIT] Device Passthrough Considered Harmful?

Greg KH wrote:
> On Mon, Jul 08, 2024 at 03:26:43PM -0700, Dan Williams wrote:
> > Enter the fwctl proposal [1]. From the CXL subsystem perspective it
> > looks like a long-term solution to the problem of managing expectations
> > between hardware vendors and mainline subsystems. It disclaims support
> > for the fast-path (data-plane) and is targeted at the long tail of
> > slow-path (config/debug plane) device-specific operations that are often
> > uninteresting to mainline.
> 
> That's not true at all, device-specific operations are very interesting
> to mainline, and I would argue that the "slow-path" is the most
> important thing for the kernel to manage as that is where the security
> and unification layers can be properly enforced.
> 
> Vendors that think the control plane should just be allowed to be
> accessed by userspace "blindly" are not saying outloud that they just
> want to circumvent the security layer entirely like they previously were
> doing by directly accessing /dev/mem which is one of the strongest
> reasons to keep enforcing this through the kernel as Christoph points
> out.
> 
> It's the cumulation of multiple vendors of semi-alike config paths that
> allow us to standardize them to provide the most important thing of all,
> a unified view to userspace where a user does not care about what type
> of hardware is running, which is really the goal of Linux as well, but
> directly goes against what a vendor wants to have happen.

100% agree and this is the argument I made for creating
tsm-report-configfs. What I meant by "config-plane" is something more
along the lines of an FPGA bitstream redefining device parameters that
get realized after a reset, less the in-band live-config-plane of a
device that is likely similar across a class of devices where the kernel
has a clear interest in mediating.

A fuzzier example is that CXL has commands like "read vendor debug log"
and I can see a device having specific control toggles to modify the
data the device dumps into that log. The expectation is the device
designer will put anything of general/kernel interest into other formal
telemetry commands. That "vendor debug log" command is trusted to not
have other kernel relevant side effects, it just facilitates debug
between end users and device manufacturers.

> > It sets expectations that the device must
> > advertise the effect of all commands so that the kernel can deploy
> > reasonable Kernel Lockdown policy, or otherwise require CAP_SYS_RAWIO
> > for commands that may affect user-data.
> 
> Yes, this is a good start, but it might still be too "vendor-specific"
> at this point in time.

This gets back to the trusted protocols point that Christoph raised. The
community has examples where this tension is resolved with negotiated
protocol concessions. The fwctl discussion has not progressed to the
protocol concessions phase.

> > It sets common expectations for
> > device designers, distribution maintainers, and kernel developers. It is
> > complimentary to the Linux-command path for operations that need deeper
> > kernel coordination.
> 
> Yes, it's a good start, BUT by circumventing the network control plane,
> the network driver maintainers rightfully are worried about this as
> their review comments seem to be ignored here.  The rest of us
> maintainers can't ignore that objection, sorry.

Hence a mediated discussion proposal because the on list debate has a
visible deficit of trust that email is unlikely to overcome.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ