From: Luca Boccassi
To: Ferruh Yigit, dev@dpdk.org
Cc: Christian Ehrhardt, Maxime Coquelin, Neil Horman, Stephen Hemminger
Date: Tue, 15 May 2018 18:47:26 +0100
In-Reply-To: <20180515165612.61243-1-ferruh.yigit@intel.com>
References: <20180515165612.61243-1-ferruh.yigit@intel.com>
Subject: Re: [dpdk-dev] [PATCH] igb_uio: fail and log if kernel lock down is enabled

On Tue, 2018-05-15 at 17:56 +0100, Ferruh Yigit wrote:
> When EFI secure boot is enabled, it is possible to lock down kernel and
> prevent accessing device BARs and this makes igb_uio unusable.
>
> Lock down patches are not part of the vanilla kernel but they are
> applied and used by some distros already [1].
>
> It is not possible to fix this issue, but intention of this patch is to
> detect and log if kernel lock down is enabled and don't insert the module
> for that case.
>
> The challenge is since this feature is enabled by distros, they have
> different config options and APIs for it. This patch is done based on
> Fedora and Ubuntu kernel source, may need to add more distro specific
> support.
>
> [1]
> kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/?id=99f9ef18d5b6
> And a few more patches to
>
> Signed-off-by: Ferruh Yigit
> ---
> Cc: Christian Ehrhardt
> Cc: Luca Boccassi
> Cc: Maxime Coquelin
> Cc: Neil Horman
> Cc: Stephen Hemminger
> ---
>  kernel/linux/igb_uio/compat.h  | 24 ++++++++++++++++++++----
>  kernel/linux/igb_uio/igb_uio.c |  5 +++++
>  2 files changed, 25 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/linux/igb_uio/compat.h > b/kernel/linux/igb_uio/compat.h > index d9f4d29fc..774c980c2 100644 > --- a/kernel/linux/igb_uio/compat.h > +++ b/kernel/linux/igb_uio/compat.h > @@ -125,10 +125,6 @@ static bool pci_check_and_mask_intx(struct > pci_dev *pdev) > =C2=A0#define HAVE_PCI_IS_BRIDGE_API 1 > =C2=A0#endif > =C2=A0 > -#if LINUX_VERSION_CODE >=3D KERNEL_VERSION(4, 8, 0) > -#define HAVE_ALLOC_IRQ_VECTORS 1 > -#endif > - > =C2=A0#if LINUX_VERSION_CODE >=3D KERNEL_VERSION(4, 3, 0) > =C2=A0#define HAVE_MSI_LIST_IN_GENERIC_DEVICE 1 > =C2=A0#endif > @@ -136,3 +132,23 @@ static bool pci_check_and_mask_intx(struct > pci_dev *pdev) > =C2=A0#if LINUX_VERSION_CODE >=3D KERNEL_VERSION(4, 5, 0) > =C2=A0#define HAVE_PCI_MSI_MASK_IRQ 1 > =C2=A0#endif > + > +#if LINUX_VERSION_CODE >=3D KERNEL_VERSION(4, 8, 0) > +#define HAVE_ALLOC_IRQ_VECTORS 1 > +#endif > + > +static inline bool igbuio_kernel_is_locked_down(void) > +{ > +#ifdef CONFIG_LOCK_DOWN_KERNEL > +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT /* fedora */ > + return kernel_is_locked_down(NULL); > +#elif CONFIG_EFI_SECURE_BOOT_LOCK_DOWN /* ubuntu */ > + return kernel_is_locked_down(); > +#else > + return false; > +#endif > +#else > + return false; > +#endif > + > +} > diff --git a/kernel/linux/igb_uio/igb_uio.c > b/kernel/linux/igb_uio/igb_uio.c > index cd9b7e721..b3233f18e 100644 > --- a/kernel/linux/igb_uio/igb_uio.c > +++ b/kernel/linux/igb_uio/igb_uio.c 
> @@ -621,6 +621,11 @@ igbuio_pci_init_module(void) > =C2=A0{ > =C2=A0 int ret; > =C2=A0 > + if (igbuio_kernel_is_locked_down()) { > + pr_err("Not able to use module, kernel lock down is > enabled\n"); > + return -EINVAL; > + } > + > =C2=A0 ret =3D igbuio_config_intr_mode(intr_mode); > =C2=A0 if (ret < 0) > =C2=A0 return ret;

kernel_is_locked_down already does print a message, so it seems a bit redundant (you can call it with something like kernel_is_locked_down("DPDK igb_uio kernel module")).

In Debian Stretch the patches are the same as Ubuntu (Securelevel) but it didn't ship with any signed binaries so it's unlikely to be used. In Debian Buster the patchset is the same as Fedora (Lockdown).

-- 
Kind regards,
Luca Boccassi
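Review bot: the HAVE_ALLOC_IRQ_VECTORS block deleted in the first compat.h hunk (@@ -125,10 +125,6) comes back unchanged in the second hunk after the 4.5.0 check, so this is a pure reordering that has nothing to do with lock down detection and is not mentioned in the commit message. Either drop the move from this patch or send it as a separate cleanup, so the diffstat for compat.h reflects only the new helper.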
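Review bot: in igbuio_kernel_is_locked_down() (second compat.h hunk, @@ -136,3 +132,23), the Ubuntu branch is written as "#elif CONFIG_EFI_SECURE_BOOT_LOCK_DOWN" while the two tests above it use #ifdef; an undefined symbol in a bare #elif evaluates to 0 and trips -Wundef, so this should be "#elif defined(CONFIG_EFI_SECURE_BOOT_LOCK_DOWN)". The helper also silently returns false on any kernel that sets CONFIG_LOCK_DOWN_KERNEL but neither distro option, which deserves a comment above the function stating that only the Fedora and Ubuntu variants are recognised. The empty line before the closing brace can go.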
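Review bot: the early return in igbuio_pci_init_module() (igb_uio.c hunk, @@ -621,6 +621,11) uses -EINVAL, and the very next statement validates intr_mode, so a failed insmod on a locked-down kernel is easy to mistake for a bad module parameter. -EPERM describes a policy refusal better. The pr_err() text would also help more if it named what is blocked, for example that device BAR access is unavailable under kernel lock down, since the commit message gives that as the reason the module is unusable.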