lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241203203625.GA2962643@bhelgaas>
Date: Tue, 3 Dec 2024 14:36:25 -0600
From: Bjorn Helgaas <helgaas@...nel.org>
To: Leon Romanovsky <leon@...nel.org>
Cc: Stephen Hemminger <stephen@...workplumber.org>,
	Krzysztof Wilczyński <kw@...ux.com>,
	linux-pci@...r.kernel.org, Ariel Almog <ariela@...dia.com>,
	Aditya Prabhune <aprabhune@...dia.com>,
	Hannes Reinecke <hare@...e.de>,
	Heiner Kallweit <hkallweit1@...il.com>,
	Arun Easi <aeasi@...vell.com>, Jonathan Chocron <jonnyc@...zon.com>,
	Bert Kenward <bkenward@...arflare.com>,
	Matt Carlson <mcarlson@...adcom.com>,
	Kai-Heng Feng <kai.heng.feng@...onical.com>,
	Jean Delvare <jdelvare@...e.de>,
	Alex Williamson <alex.williamson@...hat.com>,
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
	Jakub Kicinski <kuba@...nel.org>,
	Thomas Weißschuh <linux@...ssschuh.net>,
	Kees Cook <kees@...nel.org>,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH v3] PCI/sysfs: Change read permissions for VPD attributes

[+cc Linux hardening folks for any security/reliability concerns]

On Tue, Dec 03, 2024 at 07:40:27PM +0200, Leon Romanovsky wrote:
> On Tue, Dec 03, 2024 at 09:24:56AM -0800, Stephen Hemminger wrote:
> > On Tue,  3 Dec 2024 14:15:28 +0200
> > Leon Romanovsky <leon@...nel.org> wrote:
> > 
> > > The Vital Product Data (VPD) attribute is not readable by regular
> > > user without root permissions. Such restriction is not needed at
> > > all for Mellanox devices, as data presented in that VPD is not
> > > sensitive and access to the HW is safe and well tested.
> > > 
> > > This change changes the permissions of the VPD attribute to be accessible
> > > for read by all users for Mellanox devices, while write continue to be
> > > restricted to root only.
> > > 
> > > The main use case is to remove need to have root/setuid permissions
> > > while using monitoring library [1].
> > > 
> > > [leonro@vm ~]$ lspci |grep nox
> > > 00:09.0 Ethernet controller: Mellanox Technologies MT2910 Family [ConnectX-7]
> > > 
> > > Before:
> > > [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd
> > > -rw------- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd
> > > After:
> > > [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd
> > > -rw-r--r-- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd
> > > 
> > > [1] https://developer.nvidia.com/management-library-nvml
> > > Signed-off-by: Leon Romanovsky <leonro@...dia.com>
> > > ---
> > > Changelog:
> > > v3:
> > >  * Used | to change file attributes
> > >  * Remove WARN_ON
> > > v2: https://lore.kernel.org/all/61a0fa74461c15edfae76222522fa445c28bec34.1731502431.git.leon@kernel.org
> > >  * Another implementation to make sure that user is presented with
> > >    correct permissions without need for driver intervention.
> > > v1: https://lore.kernel.org/all/cover.1731005223.git.leonro@nvidia.com
> > >  * Changed implementation from open-read-to-everyone to be opt-in
> > >  * Removed stable and Fixes tags, as it seems like feature now.
> > > v0:
> > > https://lore.kernel.org/all/65791906154e3e5ea12ea49127cf7c707325ca56.1730102428.git.leonro@nvidia.com/
> > > ---
> > >  drivers/pci/vpd.c | 7 +++++++
> > >  1 file changed, 7 insertions(+)
> > > 
> > > diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> > > index a469bcbc0da7..a7aa54203321 100644
> > > --- a/drivers/pci/vpd.c
> > > +++ b/drivers/pci/vpd.c
> > > @@ -332,6 +332,13 @@ static umode_t vpd_attr_is_visible(struct kobject *kobj,
> > >  	if (!pdev->vpd.cap)
> > >  		return 0;
> > >  
> > > +	/*
> > > +	 * Mellanox devices have implementation that allows VPD read by
> > > +	 * unprivileged users, so just add needed bits to allow read.
> > > +	 */
> > > +	if (unlikely(pdev->vendor == PCI_VENDOR_ID_MELLANOX))
> > > +		return a->attr.mode | 0044;
> > > +
> > >  	return a->attr.mode;
> > >  }
> > 
> > Could this be with other vendor specific quirks instead?
> 
> In previous versions, I asked Bjorn about using quirks and the answer
> was that quirks are mainly to fix HW defects fixes and this change doesn't
> belong to that category.
> 
> https://lore.kernel.org/linux-pci/20241111214804.GA1820183@bhelgaas/

That previous proposal was driver-based, so VPD would only be readable
by unprivileged users after mlx5 was loaded.  VPD would be readable at
any time with either a quirk or the current patch.  The quirk would
require a new bit in pci_dev but has the advantage of getting the
Mellanox grunge out of the generic code.

My biggest concerns are that this exposes VPD data of unknown
sensitivity and exercises the sometimes-problematic device VPD
protocol for very little user benefit.  IIUC, the monitoring library
only wants this to identify the specific device variant in the user
interface; it doesn't need it to actually *use* the device.

We think these concerns are minimal for these devices (and I guess for
*all* present and future Mellanox devices), but I don't think it's a
great precedent.

Bjorn

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ