From: Dan Williams <dan.j.williams@intel.com>
To: Dan Williams <dan.j.williams@intel.com>,
Paul Moore <paul@paul-moore.com>,
Nikolay Borisov <nik.borisov@suse.com>
Cc: <linux-security-module@vger.kernel.org>, <serge@hallyn.com>,
<kees@kernel.org>, <linux-kernel@vger.kernel.org>,
<kirill.shutemov@linux.intel.com>, <linux-coco@lists.linux.dev>
Subject: Re: [PATCH 0/2] Allow individual features to be locked down
Date: Mon, 12 May 2025 14:40:37 -0700 [thread overview]
Message-ID: <68226ad551afd_29032945b@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <67f69600ed221_71fe2946f@dwillia2-xfh.jf.intel.com.notmuch>
Dan Williams wrote:
> Paul Moore wrote:
> > On Fri, Mar 21, 2025 at 6:24 AM Nikolay Borisov <nik.borisov@suse.com> wrote:
> > >
> > > This simple change allows usecases where someone might want to lock only specific
> > > feature at a finer granularity than integrity/confidentiality levels allows.
> > > The first likely user of this is the CoCo subsystem where certain features will be
> > > disabled.
> > >
> > > Nikolay Borisov (2):
> > > lockdown: Switch implementation to using bitmap
> > > lockdown/kunit: Introduce kunit tests
> >
> > Hi Nikolay,
> >
> > Thanks for the patches! With the merge window opening in a few days,
> > it is too late to consider this for the upcoming merge window so
> > realistically this patchset is two weeks out and I'm hopeful we'll
> > have a dedicated Lockdown maintainer by then so I'm going to defer the
> > ultimate decision on acceptance to them.
>
> The patches in this thread proposed to selectively disable /dev/mem
> independent of all the other lockdown mitigations. That goal can be
> achieved with more precision with this proposed patch:
>
> http://lore.kernel.org/67f5b75c37143_71fe2949b@dwillia2-xfh.jf.intel.com.notmuch
Just wanted to circle back here and repair the damage I caused to the
momentum of this "lockdown feature bitmap" proposal. It turns out that
devmem maintainers are not looking to add yet more arch-specific hacks
[1].
"Restricting /dev/mem further is a good idea, but it would be nice
if that could be done without adding yet another special case."
security_locked_down() is already plumbed into all the places that
confidential VMs may need to manage userspace access to confidential /
private memory.
I considered registering a new "coco-LSM" to hook
security_locked_down(), but that immediately raises the next question of
how does userspace discover what is currently locked_down. So just teach
the native lockdown LSM how to be more fine-grained rather than
complicate the situation with a new LSM.
[1]: http://lore.kernel.org/0bdb1876-0cb3-4632-910b-2dc191902e3e@app.fastmail.com
next prev parent reply other threads:[~2025-05-12 21:41 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-21 10:24 [PATCH 0/2] Allow individual features to be locked down Nikolay Borisov
2025-03-21 10:24 ` [PATCH 1/2] lockdown: Switch implementation to using bitmap Nikolay Borisov
2025-03-21 20:34 ` sergeh
2025-04-09 15:18 ` Nikolay Borisov
2025-03-21 10:24 ` [PATCH 2/2] lockdown/kunit: Introduce kunit tests Nikolay Borisov
2025-03-21 21:13 ` [PATCH 0/2] Allow individual features to be locked down Paul Moore
2025-04-09 15:45 ` Dan Williams
2025-04-09 15:47 ` Nikolay Borisov
2025-05-12 21:40 ` Dan Williams [this message]
2025-05-12 22:01 ` Paul Moore
2025-05-13 11:10 ` Nikolay Borisov
2025-05-13 23:07 ` Paul Moore
2025-04-13 19:25 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68226ad551afd_29032945b@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=kees@kernel.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nik.borisov@suse.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox