Re: SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Andrew Cooper <Andrew.Cooper3@citrix.com>
To: Dario Faggioli <dfaggioli@suse.com>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "sstabellini@kernel.org" <sstabellini@kernel.org>,
	"marmarek@invisiblethingslab.com"
	<marmarek@invisiblethingslab.com>,
	"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
	Anthony Perard <anthony.perard@citrix.com>
Subject: Re: SecureBoot and PCI passthrough with kernel lockdown in place (on Xen)
Date: Mon, 14 Feb 2022 15:25:31 +0000	[thread overview]
Message-ID: <55436ceb-3c6b-beff-5cac-eb83cb1bc44d@citrix.com> (raw)
In-Reply-To: <8daad0f6c623a57bc0b047fc2388e8b698135624.camel@suse.com>

On 14/02/2022 15:02, Dario Faggioli wrote:
> Hello,
>
> We have run into an issue when trying to use PCI passthrough for a Xen
> VM running on an host where dom0 kernel is 5.14.21 (but we think it
> could be any kernel > 5.4) and SecureBoot is enabled.

Back up a bit...

Xen doesn't support SecureBoot and there's a massive pile of work to
make it function, let alone work in a way that MSFT aren't liable to
revoke your cert on 0 notice.

>
> The error we get, when (for instance) trying to attach a device to an
> (HVM) VM, on such system is:
>
> # xl pci-attach 2-fv-sles15sp4beta2 0000:58:03.0 
> libxl: error: libxl_qmp.c:1838:qmp_ev_parse_error_messages: Domain 12:Failed to initialize 12/15, type = 0x1, rc: -1
> libxl: error: libxl_pci.c:1777:device_pci_add_done: Domain 12:libxl__device_pci_add failed for PCI device 0:58:3.0 (rc -28)
> libxl: error: libxl_device.c:1420:device_addrm_aocomplete: unable to add device
>
> QEMU, is telling us the following:
>
> [00:04.0] xen_pt_msix_init: Error: Can't open /dev/mem: Operation not permitted
> [00:04.0] xen_pt_msix_size_init: Error: Internal error: Invalid xen_pt_msix_init.
>
> And the kernel reports this:
>
> Jan 27 16:20:53 narvi-sr860v2-bps-sles15sp4b2 kernel: Lockdown: qemu-system-i38: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
>
> So, it's related to lockdown. Which AFAIUI it's consistent with the
> fact that the problem only shows up when SecureBoot is enabled, as
> that's implies lockdown. It's also consistent with the fact that we
> don't seem to have any problems doing the same with a 5.3.x dom0
> kernel... As there's no lockdown there!
>
> Some digging revealed that QEMU tries to open /dev/mem in
> xen_pt_msix_init():
>
>     fd = open("/dev/mem", O_RDWR);
>     ...
>     msix->phys_iomem_base =
>             mmap(NULL,
>                  total_entries * PCI_MSIX_ENTRY_SIZE + msix->table_offset_adjust,
>                  PROT_READ,
>                  MAP_SHARED | MAP_LOCKED,
>                  fd,
>                  msix->table_base + table_off - msix->table_offset_adjust);
>     close(fd);

Yes.  Use of /dev/mem is not permitted in lockdown mode.  This wants
reworking into something which is lockdown compatible.

The real elephant in the room is that privcmd is not remotely safe to
use in a SecureBoot environment, because it lets any root userspace
trivially escalate privilege into the dom0 kernel, bypassing the
specific protection that SecureBoot is trying to achieve.

~Andrew

next prev parent reply	other threads:[~2022-02-14 15:38 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-14 15:02 SecureBoot and PCI passthrough with kernel lockdown in place (on Xen) Dario Faggioli
2022-02-14 15:15 ` Jan Beulich
2022-02-14 15:25 ` Andrew Cooper [this message]
2022-02-14 15:33   ` marmarek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=55436ceb-3c6b-beff-5cac-eb83cb1bc44d@citrix.com \
    --to=andrew.cooper3@citrix.com \
    --cc=anthony.perard@citrix.com \
    --cc=dfaggioli@suse.com \
    --cc=marmarek@invisiblethingslab.com \
    --cc=qemu-devel@nongnu.org \
    --cc=sstabellini@kernel.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).