From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 277C5C433EF for ; Thu, 30 Sep 2021 19:23:42 +0000 (UTC) Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C15876126A for ; Thu, 30 Sep 2021 19:23:41 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org C15876126A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.linux-foundation.org Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 8CFD6841C4; Thu, 30 Sep 2021 19:23:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExR3DOpdgK9C; Thu, 30 Sep 2021 19:23:40 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id 1FD8884131; Thu, 30 Sep 2021 19:23:40 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 04A70C0011; Thu, 30 Sep 2021 19:23:40 +0000 (UTC) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9FC03C000D for ; Thu, 30 Sep 2021 19:23:39 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 8809240181 for ; Thu, 30 Sep 2021 19:23:39 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4wRVefylUBa for ; Thu, 30 Sep 2021 19:23:38 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by smtp2.osuosl.org (Postfix) with ESMTPS id B651B400D5 for ; Thu, 30 Sep 2021 19:23:38 +0000 (UTC) X-IronPort-AV: E=McAfee;i="6200,9189,10123"; a="212526177" X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="212526177" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:23:37 -0700 X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="438153232" Received: from akleen-mobl1.amr.corp.intel.com (HELO [10.252.134.229]) ([10.252.134.229]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:23:37 -0700 Subject: Re: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices To: "Michael S. Tsirkin" , Alan Stern References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065807-mutt-send-email-mst@kernel.org> <20210930144305.GA464826@rowland.harvard.edu> <20210930104924-mutt-send-email-mst@kernel.org> <20210930153509.GF464826@rowland.harvard.edu> <20210930115243-mutt-send-email-mst@kernel.org> From: Andi Kleen Message-ID: <00156941-300d-a34a-772b-17f0a9aad885@linux.intel.com> Date: Thu, 30 Sep 2021 12:23:36 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <20210930115243-mutt-send-email-mst@kernel.org> Content-Language: en-US Cc: Jonathan Corbet , Kuppuswamy Sathyanarayanan , Kuppuswamy Sathyanarayanan , "Rafael J . Wysocki" , Michael Jamet , Greg Kroah-Hartman , x86@kernel.org, virtualization@lists.linux-foundation.org, Yehezkel Bernat , linux-kernel@vger.kernel.org, Andreas Noever , Ingo Molnar , Borislav Petkov , linux-pci@vger.kernel.org, Bjorn Helgaas , Thomas Gleixner , linux-usb@vger.kernel.org, Mika Westerberg , Dan Williams , "Reshetova, Elena" X-BeenThere: virtualization@lists.linux-foundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux virtualization List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: virtualization-bounces@lists.linux-foundation.org Sender: "Virtualization" > I don't think the current mitigations under discussion here are about > keeping the system working. In fact most encrypted VM configs tend to > stop booting as a preferred way to handle security issues. Maybe we should avoid the "trusted" term here. We're only really using it because USB is using it and we're now using a common framework like Greg requested. But I don't think it's the right way to think about it. We usually call the drivers "hardened". The requirement for a hardened driver is that all interactions through MMIO/port/config space IO/MSRs are sanitized and do not cause memory safety issues or other information leaks. Other than that there is no requirement on the functionality. In particular DOS is ok since a malicious hypervisor can decide to not run the guest at any time anyways. Someone loading an malicious driver inside the guest would be out of scope. If an attacker can do that inside the guest you already violated the security mechanisms and there are likely easier ways to take over the guest or leak data. The goal of the device filter mechanism is to prevent loading unhardened drivers that could be exploited without them being themselves malicious. -Andi _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization