Date: Tue, 3 Jun 2025 15:09:48 +0200
From: Marek Marczykowski-Górecki
To: Jan Beulich
Cc: xen-devel@lists.xenproject.org, Ross Lagerwall, Kevin Lampis
Subject: Re: [PATCH v2 3/3] Disallow most command-line options when lockdown mode is enabled
References: <20250602134656.3836280-1-kevin.lampis@cloud.com> <20250602134656.3836280-4-kevin.lampis@cloud.com>

On Mon, Jun 02, 2025 at 04:22:06PM +0200, Jan Beulich wrote:
> On 02.06.2025 16:16, Marek Marczykowski-Górecki wrote:
> > On Mon, Jun 02, 2025 at 02:46:56PM +0100, Kevin Lampis wrote:
> >> --- a/xen/common/lockdown.c
> >> +++ b/xen/common/lockdown.c
> >> @@ -35,7 +35,7 @@ static int __init parse_lockdown_opt(const char *s)
> >> 
> >> return 0;
> >> }
> >> -custom_param("lockdown", parse_lockdown_opt);
> >> +custom_secure_param("lockdown", parse_lockdown_opt);
> >
> > Is that really a good idea? It means `lockdown=yes lockdown=no` would
> > still disable it in the end. This may matter more if for example the
> > `lockdown=yes` part is in the built-in cmdline (possibly with other
> > integrity protection than UEFI SB).
>
> But having a way to override an earlier "lockdown" by "lockdown=no" is
> intended? E.g. when your xen.cfg has the former, but you don't really
> want that (for, say, an experiment).

Ok, I guess those are conflicting use cases: using "lockdown" option to
restrict what user can set via bootloader menu (even without
secureboot), vs giving the local user full control (developer case).
But in that latter case, maybe you can simply remove the "lockdown"
option instead of adding "lockdown=no" (granted, more work with xen.cfg
or built-in cmdline...) ?

Anyway, what really matters here is the behavior for UEFI SecureBoot,
and this one is okay. The behavior outside of SB is secondary, and if
that's the intention, I'm okay with the current version too.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
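
Review bot: the `custom_secure_param("lockdown", parse_lockdown_opt);` line has no comment saying that keeping "lockdown" itself parseable while lockdown is active is deliberate, and the replies show the consequence is not obvious to a reader: a later `lockdown=no` overrides an earlier `lockdown=yes`. Suggest a short comment above the registration, and a sentence in the option's documentation, stating how repeated occurrences are resolved and whether that differs under UEFI Secure Boot.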
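
The two use cases weighed in this message differ only in how a repeated option is resolved. As an added example (not code from the patch or from Xen; `lockdown_state`, `parse_lockdown_token` and the policy names are hypothetical, and the accepted syntax is assumed to be bare `lockdown`, `lockdown=yes` and `lockdown=no`), this models last-occurrence-wins against a sticky policy on a constructed command line:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policies for a repeated boolean option (not Xen's API). */
enum policy { LAST_WINS, STICKY_ON };

/* Parse one token; returns 1 and sets *val if it is a lockdown option. */
static int parse_lockdown_token(const char *tok, size_t len, bool *val)
{
    static const char name[] = "lockdown";
    size_t n = sizeof(name) - 1;
    if (len < n || strncmp(tok, name, n) != 0)
        return 0;
    if (len == n) { *val = true; return 1; }            /* bare "lockdown" */
    if (tok[n] != '=')
        return 0;                                       /* e.g. "lockdownx" */
    tok += n + 1; len -= n + 1;
    if (len == 3 && !strncmp(tok, "yes", 3)) { *val = true;  return 1; }
    if (len == 2 && !strncmp(tok, "no", 2))  { *val = false; return 1; }
    return 0;                                           /* unknown value: ignored */
}

/* Walk a space-separated command line and return the final lockdown state. */
bool lockdown_state(const char *cmdline, enum policy p)
{
    bool state = false, val;

    while (*cmdline) {
        size_t len = strcspn(cmdline, " ");
        if (len && parse_lockdown_token(cmdline, len, &val)) {
            if (p == LAST_WINS)
                state = val;        /* developer case: later "no" overrides */
            else if (val)
                state = true;       /* STICKY_ON: a later "no" cannot clear it */
        }
        cmdline += len;
        cmdline += strspn(cmdline, " ");
    }
    return state;
}

int main(void)
{
    /* Constructed input; assumes the built-in part comes first and the bootloader part is appended. */
    const char *cmdline = "console=vga lockdown=yes  lockdown=no";
    printf("last-wins=%d sticky=%d\n", lockdown_state(cmdline, LAST_WINS), lockdown_state(cmdline, STICKY_ON));
    return 0;
}
```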