Michael S. Tsirkin
2021-Sep-30 15:59 UTC
[PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
On Thu, Sep 30, 2021 at 11:35:09AM -0400, Alan Stern wrote:> On Thu, Sep 30, 2021 at 10:58:07AM -0400, Michael S. Tsirkin wrote: > > On Thu, Sep 30, 2021 at 10:43:05AM -0400, Alan Stern wrote: > > > I don't see any point in talking about "untrusted drivers". If a > > > driver isn't trusted then it doesn't belong in your kernel. Period. > > > When you load a driver into your kernel, you are implicitly trusting > > > it (aside from limitations imposed by security modules). > > > > Trusting it to do what? Historically a ton of drivers did not > > validate input from devices they drive. Most still don't. > > Trusting it to behave properly (i.e., not destroy your system, among > other things).I don't think the current mitigations under discussion here are about keeping the system working. In fact most encrypted VM configs tend to stop booting as a preferred way to handle security issues.> The fact that many drivers haven't been trustworthy is beside the > point. By loading them into your kernel, you are trusting them > regardless. In the end, you may regret having done so. :-( > > Alan Stern-- MST
Andi Kleen
2021-Sep-30 19:23 UTC
[PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
> I don't think the current mitigations under discussion here are about > keeping the system working. In fact most encrypted VM configs tend to > stop booting as a preferred way to handle security issues.Maybe we should avoid the "trusted" term here. We're only really using it because USB is using it and we're now using a common framework like Greg requested. But I don't think it's the right way to think about it. We usually call the drivers "hardened". The requirement for a hardened driver is that all interactions through MMIO/port/config space IO/MSRs are sanitized and do not cause memory safety issues or other information leaks. Other than that there is no requirement on the functionality. In particular DOS is ok since a malicious hypervisor can decide to not run the guest at any time anyways. Someone loading an malicious driver inside the guest would be out of scope. If an attacker can do that inside the guest you already violated the security mechanisms and there are likely easier ways to take over the guest or leak data. The goal of the device filter mechanism is to prevent loading unhardened drivers that could be exploited without them being themselves malicious. -Andi