Michael S. Tsirkin
2021-Sep-30 15:00 UTC
[PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
On Thu, Sep 30, 2021 at 04:49:23PM +0200, Greg Kroah-Hartman wrote:> On Thu, Sep 30, 2021 at 10:38:42AM -0400, Michael S. Tsirkin wrote: > > On Thu, Sep 30, 2021 at 03:52:52PM +0200, Greg Kroah-Hartman wrote: > > > On Thu, Sep 30, 2021 at 06:59:36AM -0400, Michael S. Tsirkin wrote: > > > > On Wed, Sep 29, 2021 at 06:05:07PM -0700, Kuppuswamy Sathyanarayanan wrote: > > > > > While the common case for device-authorization is to skip probe of > > > > > unauthorized devices, some buses may still want to emit a message on > > > > > probe failure (Thunderbolt), or base probe failures on the > > > > > authorization status of a related device like a parent (USB). So add > > > > > an option (has_probe_authorization) in struct bus_type for the bus > > > > > driver to own probe authorization policy. > > > > > > > > > > Reviewed-by: Dan Williams <dan.j.williams at intel.com> > > > > > Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy at linux.intel.com> > > > > > > > > > > > > > > > > So what e.g. the PCI patch > > > > https://lore.kernel.org/all/CACK8Z6E8pjVeC934oFgr=VB3pULx_GyT2NkzAogdRQJ9TKSX9A at mail.gmail.com/ > > > > actually proposes is a list of > > > > allowed drivers, not devices. Doing it at the device level > > > > has disadvantages, for example some devices might have a legacy > > > > unsafe driver, or an out of tree driver. It also does not > > > > address drivers that poke at hardware during init. > > > > > > Doing it at a device level is the only sane way to do this. > > > > > > A user needs to say "this device is allowed to be controlled by this > > > driver". This is the trust model that USB has had for over a decade and > > > what thunderbolt also has. > > > > > > > Accordingly, I think the right thing to do is to skip > > > > driver init for disallowed drivers, not skip probe > > > > for specific devices. > > > > > > What do you mean by "driver init"? module_init()? > > > > > > No driver should be touching hardware in their module init call. They > > > should only be touching it in the probe callback as that is the only > > > time they are ever allowed to talk to hardware. Specifically the device > > > that has been handed to them. > > > > > > If there are in-kernel PCI drivers that do not do this, they need to be > > > fixed today. > > > > > > We don't care about out-of-tree drivers for obvious reasons that we have > > > no control over them. > > > > > > thanks, > > > > > > greg k-h > > > > Well talk to Andi about it pls :) > > https://lore.kernel.org/r/ad1e41d1-3f4e-8982-16ea-18a3b2c04019%40linux.intel.com > > As Alan said, the minute you allow any driver to get into your kernel, > it can do anything it wants to. > > So just don't allow drivers to be added to your kernel if you care about > these things. The system owner has that mechanism today. > > thanks, > > greg k-hThe "it" that I referred to is the claim that no driver should be touching hardware in their module init call. Andi seems to think such drivers are worth working around with a special remap API. -- MST
Greg Kroah-Hartman
2021-Sep-30 15:22 UTC
[PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
On Thu, Sep 30, 2021 at 11:00:07AM -0400, Michael S. Tsirkin wrote:> On Thu, Sep 30, 2021 at 04:49:23PM +0200, Greg Kroah-Hartman wrote: > > On Thu, Sep 30, 2021 at 10:38:42AM -0400, Michael S. Tsirkin wrote: > > > On Thu, Sep 30, 2021 at 03:52:52PM +0200, Greg Kroah-Hartman wrote: > > > > On Thu, Sep 30, 2021 at 06:59:36AM -0400, Michael S. Tsirkin wrote: > > > > > On Wed, Sep 29, 2021 at 06:05:07PM -0700, Kuppuswamy Sathyanarayanan wrote: > > > > > > While the common case for device-authorization is to skip probe of > > > > > > unauthorized devices, some buses may still want to emit a message on > > > > > > probe failure (Thunderbolt), or base probe failures on the > > > > > > authorization status of a related device like a parent (USB). So add > > > > > > an option (has_probe_authorization) in struct bus_type for the bus > > > > > > driver to own probe authorization policy. > > > > > > > > > > > > Reviewed-by: Dan Williams <dan.j.williams at intel.com> > > > > > > Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy at linux.intel.com> > > > > > > > > > > > > > > > > > > > > So what e.g. the PCI patch > > > > > https://lore.kernel.org/all/CACK8Z6E8pjVeC934oFgr=VB3pULx_GyT2NkzAogdRQJ9TKSX9A at mail.gmail.com/ > > > > > actually proposes is a list of > > > > > allowed drivers, not devices. Doing it at the device level > > > > > has disadvantages, for example some devices might have a legacy > > > > > unsafe driver, or an out of tree driver. It also does not > > > > > address drivers that poke at hardware during init. > > > > > > > > Doing it at a device level is the only sane way to do this. > > > > > > > > A user needs to say "this device is allowed to be controlled by this > > > > driver". This is the trust model that USB has had for over a decade and > > > > what thunderbolt also has. > > > > > > > > > Accordingly, I think the right thing to do is to skip > > > > > driver init for disallowed drivers, not skip probe > > > > > for specific devices. > > > > > > > > What do you mean by "driver init"? module_init()? > > > > > > > > No driver should be touching hardware in their module init call. They > > > > should only be touching it in the probe callback as that is the only > > > > time they are ever allowed to talk to hardware. Specifically the device > > > > that has been handed to them. > > > > > > > > If there are in-kernel PCI drivers that do not do this, they need to be > > > > fixed today. > > > > > > > > We don't care about out-of-tree drivers for obvious reasons that we have > > > > no control over them. > > > > > > > > thanks, > > > > > > > > greg k-h > > > > > > Well talk to Andi about it pls :) > > > https://lore.kernel.org/r/ad1e41d1-3f4e-8982-16ea-18a3b2c04019%40linux.intel.com > > > > As Alan said, the minute you allow any driver to get into your kernel, > > it can do anything it wants to. > > > > So just don't allow drivers to be added to your kernel if you care about > > these things. The system owner has that mechanism today. > > > > thanks, > > > > greg k-h > > The "it" that I referred to is the claim that no driver should be > touching hardware in their module init call. Andi seems to think > such drivers are worth working around with a special remap API.Andi is wrong.