[cip-dev] Kernel feature support - architecture options and drivers

[ben.hutchings@codethink.co.uk (Ben Hutchings)]

On Fri, 2017-07-28 at 04:49 +0000, ???? / KAWAI?HIDEHIRO wrote:
> Hello Ben,
> 
> I'm sorry for the late reply.

Likewise. :-/

[...]
> > KVM (CONFIG_VIRTUALIZATION) adds a large attack surface (guest-to-host)
> > and is likely to be hard to maintain in the long term.  Several of the
> > configurations (hitachi_omap, plathome_obsvx1, siemens_iot2000,
> > siemens_server) enable this.  Do you need it?
> 
> It is not used at this point, but may be need in the future.
> 
> As long as we don't use KVM to build up a multi tenant VM service,
> i.e. all users are the same legitimate user, the security risk of
> guest-to-host attack will not become higher.  So with regard to the
> security risk, it will not be a problem for some use cases.

Even when the guests are running known trusted code, that code might
have its own security flaws.  KVM then potentially provides a useful
security boundary between a compromised guest and the host.  But I take
your point - if the code running in the guest is trusted and security
supported, an outdated KVM doesn't add significant extra risk.

> > /dev/kmem (CONFIG_DEVKMEM) is only rarely needed for kernel debugging,
> > but is enabled in many configs.  Please disable it.
> > 
> > /dev/mem (CONFIG_DEVMEM) is needed by some userland drivers, though UIO
> > provides a cleaner way to do this.  Please check whether you can disable
> > it.
> 
> I tried to grep executable files in /usr/{bin,sbin}, and I found multiple
> commands which may access /dev/mem.  But I'm not sure how much impact
> disabling /dev/mem has on us.  We also use /dev/mem for a user land
> driver, but we will be able to reimplement it via UIO.
> 
> 
> By the way, I think that `supporting a feature' is not the same as
> `enabling a feature'.  Does `please disable it' mean that this is a
> suggestion for a secure config, or imply that CIP shouldn't support
> this feature?

Where I said 'please disable it' with no qualification, I think the
feature is inherently insecure and I don't think CIP should pretend to
provide security support for it.

Where I said something like 'check whether you can disable it', I
consider the feature to be high risk, but CIP should try to support it
if members need it.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.