DPDK patches and discussions
From: Neil Horman <nhorman@tuxdriver.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
	dev@dpdk.org,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>,
	Luca Boccassi <bluca@debian.org>,
	Maxime Coquelin <maxime.coquelin@redhat.com>
Subject: Re: [dpdk-dev] [PATCH] igb_uio: fail and log if kernel lock down is enabled
Date: Thu, 17 May 2018 15:49:39 -0400
Message-ID: <20180517194939.GC21980@hmswarspite.think-freely.org>
In-Reply-To: <20180517073912.064c0a48@xeon-e3>

On Thu, May 17, 2018 at 07:39:12AM -0700, Stephen Hemminger wrote:
> On Thu, 17 May 2018 14:23:46 +0100
> Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> 
> > On 5/16/2018 12:47 PM, Neil Horman wrote:
> > > On Tue, May 15, 2018 at 05:56:12PM +0100, Ferruh Yigit wrote:  
> > >> When EFI secure boot is enabled, it is possible to lock down kernel and
> > >> prevent accessing device BARs and this makes igb_uio unusable.
> > >>
> > >> Lock down patches are not part of the vanilla kernel but they are
> > >> applied and used by some distros already [1].
> > >>
> > >> It is not possible to fix this issue, but the intention of this patch is to
> > >> detect and log if kernel lock down is enabled and not insert the module
> > >> in that case.
> > >>
> > >> The challenge is that since this feature is enabled by distros, they have
> > >> different config options and APIs for it. This patch is done based on
> > >> Fedora and Ubuntu kernel source, and may need to add more distro specific
> > >> support.
> > >>
> > >> [1]
> > >> kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/?id=99f9ef18d5b6
> > >> And a few more patches to
> > >>  
> > > What exactly is the error you get when you load the igb_uio module?  I ask
> > > because, looking at least at the Fedora patches, the BAR registers themselves
> > > > aren't made unwriteable, it's only userspace access through very specific
> > > > channels that are gated on (things like /proc/bus/pci/...).  From what I can see
> > > > (again, not having looked at other implementations), kernel modules that load
> > > > successfully should be able to modify bar registers, and otherwise function
> > > > normally (as to whether they are permitted to load is another question).  
> > 
> > This patch is based on understanding on the effect of the lockdown patches, that
> > it will disable hardware access from userspace.
> > I don't have an environment to test this and indeed I am not very clear about
> > effects of the lockdown set.
> > 
> > > 
> > > The reason I ask this is twofold:
> > > 
> > > 1) if a specific access is failing, that seems like it could be the trigger to
> > > use, rather than explicitly checking if the kernel is locked down.  I don't see
> > > one expressly called, but if you're calling pci_write_config_* somewhere, and
> > > > getting an EPERM error, that's a reason to fail the loading of igb_uio, based on
> > > the fact that you don't have permission to write to the appropriate hardware.
> > > 
> > > > 2) It's more than just the igb_uio module that will fail.  Any attempt to pass a
> > > VF into a guest using user space tools (including the vfio scripts that dpdk
> > > includes), should fail.  As such, it might be better to have some component in
> > > user space test one of the aforementioned restricted paths for writeability.
> > > Such an approach would be more generic, and eliminate the need to assemble a set
> > > of tests to see if the kernel is locked down.  A more generic error message
> > > > could then be logged and the dpdk could exit gracefully, whether or not igb_uio
> > > was loaded.  
> > 
> > With the existing patches, expectation is vfio will work but it will only affect
> > igb_uio.
> > 
> > > 
> > > > It's probably also important to note here that, this lockdown patch, from my
> > > > digging, has been carried in Fedora since December of 2016, and it's still not
> > > > made it upstream.  That's not to say that it will never do so, but it suggests
> > > > that, given the 2 years of out of tree updates it's received, its use is
> > > > both very specific and limited to users who understand its implications.  This
> > > probably isn't something to make significant or hard-to-maintain changes to the
> > > dpdk (or any other software) over.  
> > 
> > Have same expectation that use will be specific and limited, that is why planned
> > to change only igb_uio to detect the case and return with a log, instead of
> > updating anything in the dpdk.
> > 
> > in igb_uio the plan was just adding simple check, patches being not upstreamed
> > added more complexity, but still I believe it is not a significant or
> > hard-to-maintain change.
> 
> The issue is that igb_uio is not secure since it allows userspace to set up
> DMA to any physical address. In lockdown mode, even root is not supposed to be
> able to peek and poke arbitrary memory.
> 
> Actually, it would make more sense to just have code to block all UIO drivers
> in uio.c since uio_pci_generic has the same issue.
> 
That makes a bit more sense to me, yes.
Neil
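
Added example, not part of the original thread or of DPDK: a user-space pre-flight check of the kind discussed above, which reads the kernel's lockdown state before anything is bound to igb_uio or uio_pci_generic. It assumes the securityfs file that upstream kernels (5.4 and later) provide, not the distro-specific patches the thread refers to; the function names and the "refuse on any active mode" policy are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: upstream kernels (5.4+) report lockdown state in this securityfs
 * file; the distro patches discussed in the thread predate it. */
#define LOCKDOWN_PATH "/sys/kernel/security/lockdown"
enum lockdown { LD_UNKNOWN = -1, LD_NONE, LD_INTEGRITY, LD_CONFIDENTIALITY };

/* All modes are listed and the active one is bracketed,
 * e.g. "none [integrity] confidentiality". */
enum lockdown parse_lockdown(const char *s)
{
    static const char *const names[] = { "none", "integrity", "confidentiality" };
    const char *open = strchr(s, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    size_t i, n;

    if (!close)
        return LD_UNKNOWN;
    n = (size_t)(close - ++open);   /* length of the bracketed word */
    for (i = 0; i < 3; i++)
        if (strlen(names[i]) == n && !strncmp(open, names[i], n))
            return (enum lockdown)i;
    return LD_UNKNOWN;
}

/* Unreadable file (no lockdown support, securityfs not mounted) is UNKNOWN. */
enum lockdown read_lockdown(const char *path)
{
    char buf[128];
    FILE *f = fopen(path, "r");
    char *line = f ? fgets(buf, sizeof(buf), f) : NULL;
    if (f)
        fclose(f);
    return line ? parse_lockdown(buf) : LD_UNKNOWN;
}

/* Hypothetical policy: any active lockdown mode means refuse UIO binding. */
int uio_blocked(enum lockdown ld)
{
    return ld == LD_INTEGRITY || ld == LD_CONFIDENTIALITY;
}

int main(void)
{
    if (!uio_blocked(read_lockdown(LOCKDOWN_PATH)))
        return 0;
    fprintf(stderr, "kernel locked down: do not bind igb_uio/uio_pci_generic\n");
    return 1;
}
```

An `LD_UNKNOWN` result only means the state was not reported, so on kernels carrying the older distro patches this check cannot rule lockdown out.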
