From: Andi Kleen <ak@linux.intel.com>
To: "Michael S. Tsirkin" <mst@redhat.com>,
Alan Stern <stern@rowland.harvard.edu>
Cc: Jonathan Corbet <corbet@lwn.net>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Michael Jamet <michael.jamet@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
x86@kernel.org, virtualization@lists.linux-foundation.org,
Yehezkel Bernat <YehezkelShB@gmail.com>,
linux-kernel@vger.kernel.org,
Andreas Noever <andreas.noever@gmail.com>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
linux-pci@vger.kernel.org, Bjorn Helgaas <bhelgaas@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-usb@vger.kernel.org,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Dan Williams <dan.j.williams@intel.com>,
"Reshetova, Elena" <elena.reshetova@intel.com>
Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
Date: Thu, 30 Sep 2021 12:23:36 -0700 [thread overview]
Message-ID: <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> (raw)
In-Reply-To: <20210930115243-mutt-send-email-mst@kernel.org>
> I don't think the current mitigations under discussion here are about
> keeping the system working. In fact most encrypted VM configs tend to
> stop booting as a preferred way to handle security issues.
Maybe we should avoid the "trusted" term here. We're only really using
it because USB is using it and we're now using a common framework like
Greg requested. But I don't think it's the right way to think about it.
We usually call the drivers "hardened". The requirement for a hardened
driver is that all interactions through MMIO/port/config space IO/MSRs
are sanitized and do not cause memory safety issues or other information
leaks. Other than that there is no requirement on the functionality. In
particular DOS is ok since a malicious hypervisor can decide to not run
the guest at any time anyways.
Someone loading an malicious driver inside the guest would be out of
scope. If an attacker can do that inside the guest you already violated
the security mechanisms and there are likely easier ways to take over
the guest or leak data.
The goal of the device filter mechanism is to prevent loading unhardened
drivers that could be exploited without them being themselves malicious.
-Andi
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-09-30 19:23 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
[not found] ` <20210930010511.3387967-2-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-09-30 1:42 ` [PATCH v2 1/6] driver core: Move the "authorized" attribute from USB/Thunderbolt to core Alan Stern
2021-09-30 1:55 ` Dan Williams
[not found] ` <f9b7cf97-0a14-1c80-12ab-23213ec2f4f2@linux.intel.com>
2021-09-30 4:59 ` Dan Williams
2021-09-30 9:05 ` Rafael J. Wysocki
2021-09-30 14:59 ` Alan Stern
2021-09-30 15:25 ` Dan Williams
[not found] ` <CA+CmpXtXn5wjxwow5va5u9qHcQDLkd4Sh2dcqB545SXaxV1GkQ@mail.gmail.com>
2021-09-30 15:28 ` Dan Williams
[not found] ` <CA+CmpXvGCAny-WHGioJQHF9ZZ5pCaR-E_rw5oeE82xC30naVXg@mail.gmail.com>
2021-09-30 19:04 ` Dan Williams
[not found] ` <c701ca61-4e7d-1060-102f-8f92dd6e6802@linux.intel.com>
2021-09-30 20:23 ` Dan Williams
[not found] ` <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-09-30 10:59 ` [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices Michael S. Tsirkin
2021-09-30 13:52 ` Greg Kroah-Hartman
2021-09-30 14:38 ` Michael S. Tsirkin
2021-09-30 14:49 ` Greg Kroah-Hartman
2021-09-30 15:00 ` Michael S. Tsirkin
2021-09-30 15:22 ` Greg Kroah-Hartman
2021-09-30 17:17 ` Andi Kleen
2021-09-30 17:23 ` Greg Kroah-Hartman
2021-09-30 19:15 ` Andi Kleen
2021-10-01 6:29 ` Greg Kroah-Hartman
2021-10-01 15:51 ` Alan Stern
2021-10-01 15:56 ` Andi Kleen
2021-09-30 14:43 ` Alan Stern
2021-09-30 14:48 ` Michael S. Tsirkin
2021-09-30 15:32 ` Alan Stern
2021-09-30 15:52 ` Michael S. Tsirkin
2021-09-30 14:58 ` Michael S. Tsirkin
2021-09-30 15:35 ` Alan Stern
2021-09-30 15:59 ` Michael S. Tsirkin
2021-09-30 19:23 ` Andi Kleen [this message]
2021-09-30 20:44 ` Alan Stern
2021-09-30 20:52 ` Dan Williams
2021-10-01 1:41 ` Alan Stern
2021-10-01 2:20 ` Dan Williams
2021-09-30 21:12 ` Andi Kleen
[not found] ` <20210930010511.3387967-5-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-09-30 11:03 ` [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest Michael S. Tsirkin
2021-09-30 13:36 ` Dan Williams
2021-09-30 13:49 ` Greg Kroah-Hartman
[not found] ` <6d1e2701-5095-d110-3b0a-2697abd0c489@linux.intel.com>
2021-09-30 15:20 ` Michael S. Tsirkin
2021-09-30 15:23 ` Greg Kroah-Hartman
[not found] ` <1cfdce51-6bb4-f7af-a86b-5854b6737253@linux.intel.com>
2021-09-30 19:30 ` Andi Kleen
2021-10-01 7:03 ` Greg Kroah-Hartman
2021-10-01 15:49 ` Andi Kleen
2021-10-02 11:04 ` Michael S. Tsirkin
2021-10-02 11:14 ` Greg Kroah-Hartman
2021-10-02 14:20 ` Andi Kleen
2021-10-02 14:44 ` Greg Kroah-Hartman
2021-10-02 18:40 ` Michael S. Tsirkin
2021-10-03 6:40 ` Greg Kroah-Hartman
2021-10-04 21:04 ` Dan Williams
2021-10-01 16:13 ` Dan Williams
2021-10-01 16:45 ` Alan Stern
2021-10-01 18:09 ` Dan Williams
2021-10-01 19:00 ` Alan Stern
2021-10-01 19:57 ` Dan Williams
[not found] ` <YVqONA0vhl0/H3QE@lahna>
2021-10-05 22:33 ` Dan Williams
2021-10-06 5:45 ` Greg Kroah-Hartman
2021-09-30 19:25 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com \
--to=ak@linux.intel.com \
--cc=YehezkelShB@gmail.com \
--cc=andreas.noever@gmail.com \
--cc=bhelgaas@google.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=knsathya@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=michael.jamet@intel.com \
--cc=mika.westerberg@linux.intel.com \
--cc=mingo@redhat.com \
--cc=mst@redhat.com \
--cc=rafael@kernel.org \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=stern@rowland.harvard.edu \
--cc=tglx@linutronix.de \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).