From: <dan.j.williams@intel.com>
To: xiujianfeng <xiujianfeng@huawei.com>,
Nikolay Borisov <nik.borisov@suse.com>,
Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>
Cc: <linux-security-module@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <paul@paul-moore.com>,
<serge@hallyn.com>, <jmorris@namei.org>,
<dan.j.williams@intel.com>
Subject: Re: [PATCH v2 0/3] Allow individual features to be locked down
Date: Tue, 5 Aug 2025 16:28:10 -0700 [thread overview]
Message-ID: <6892938a78e77_184e1f10067@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <42b2cf1b-417e-1594-d525-f4c84f7405b0@huawei.com>
xiujianfeng wrote:
>
>
> On 2025/7/29 20:25, Nikolay Borisov wrote:
> >
> >
> > On 29.07.25 г. 15:16 ч., Nicolas Bouchinet wrote:
> >> Hi Nikolay,
> >>
> >> Thanks for you patch.
> >>
> >> Quoting Kees [1], Lockdown is "about creating a bright line between
> >> uid-0 and ring-0".
> >>
> >> Having a bitmap enabled Lockdown would mean that Lockdown reasons could
> >> be activated independently. I fear this would lead to a false sense of
> >> security, locking one reason alone often permits Lockdown restrictions
> >> bypass. i.e enforcing kernel module signature verification but not
> >> blocking accesses to `/dev/{k,}mem` or authorizing gkdb which can be
> >> used to disable the module signature enforcement.
> >>
> >> If one wants to restrict accesses to `/dev/mem`,
> >> `security_locked_down(LOCKDOWN_DEV_MEM)` should be sufficient.
> >>
> >> My understanding of your problem is that this locks too much for your
> >> usecase and you want to restrict reasons of Lockdown independently in
> >> case it has not been enabled in "integrity" mode by default ?
> >>
> >> Can you elaborate more on the usecases for COCO ?
> >
> > Initially this patchset was supposed to allow us selectively disable
> > /dev/iomem access in a CoCo context [0]. As evident from Dan's initial
> > response that point pretty much became moot as the issue was fixed in a
> > different way. However, later [1] he came back and said that actually
> > this patch could be useful in a similar context. So This v2 is
> > essentially following up on that.
>
> Hi Nikolay,
>
> I share a similar view with Nicolas, namely that using a bitmap
> implementation would compromise the goal of Lockdown.
>
> After reading the threads below, I understand you aim is to block user
> access to /dev/mem, but without having Lockdown integrity mode enabled
> to block other reasons, right? How about using BPF LSM? It seems it
> could address your requirements.
BPF LSM does not seem suitable for the main concern which is that arch
code needs hard guarantess that certain code paths are disabled. For
Confidential Computing it needs to know that userspace access of
/dev/mem is always disabled.
This is a functional concern, not a security concern. Both Arnd [1] and
Greg [2] lamented needing new hacks to achieve the same outcome as just
reusing the existing security_locked_down() checks. The
SECURITY_LOCKDOWN_LSM already has /sys/kernel/security/lockdown ABI for
communicating built-in and now kernel-internal sources of locked
functionality.
[1]: http://lore.kernel.org/0bdb1876-0cb3-4632-910b-2dc191902e3e@app.fastmail.com
[2]: http://lore.kernel.org/2025043025-cathouse-headlamp-7bde@gregkh
next prev parent reply other threads:[~2025-08-05 23:28 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-28 11:15 [PATCH v2 0/3] Allow individual features to be locked down Nikolay Borisov
2025-07-28 11:15 ` [PATCH v2 1/3] lockdown: Switch implementation to using bitmap Nikolay Borisov
2025-07-28 12:47 ` Serge E. Hallyn
2025-07-28 13:21 ` Serge E. Hallyn
2025-08-05 22:18 ` dan.j.williams
2025-07-28 11:15 ` [PATCH v2 2/3] lockdown/kunit: Introduce kunit tests Nikolay Borisov
2025-07-28 12:49 ` Serge E. Hallyn
2025-07-28 22:04 ` kernel test robot
2025-07-29 7:46 ` Nikolay Borisov
2025-07-29 23:28 ` Philip Li
2025-07-29 7:30 ` kernel test robot
2025-07-28 11:15 ` [PATCH v2 3/3] lockdown: Use snprintf in lockdown_read Nikolay Borisov
2025-07-28 12:39 ` Serge E. Hallyn
2025-08-05 7:56 ` Nikolay Borisov
2025-08-05 22:30 ` dan.j.williams
2025-07-29 12:16 ` [PATCH v2 0/3] Allow individual features to be locked down Nicolas Bouchinet
2025-07-29 12:25 ` Nikolay Borisov
2025-08-05 6:57 ` xiujianfeng
2025-08-05 8:03 ` Nikolay Borisov
2025-08-05 23:28 ` dan.j.williams [this message]
2025-08-14 8:59 ` Nicolas Bouchinet
2025-08-14 10:02 ` Nikolay Borisov
2025-08-14 10:51 ` Nicolas Bouchinet
2025-08-05 23:43 ` dan.j.williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6892938a78e77_184e1f10067@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=nik.borisov@suse.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=xiujianfeng@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox