[PATCH] platform/x86: Export LPC attributes for the system SPI chip

Mario.Limonciello at dell.com Mario.Limonciello at dell.com
Thu May 7 19:22:02 UTC 2020


> -----Original Message-----
> From: platform-driver-x86-owner at vger.kernel.org <platform-driver-x86-
> owner at vger.kernel.org> On Behalf Of Richard Hughes
> Sent: Thursday, May 7, 2020 1:47 PM
> To: Limonciello, Mario
> Cc: Platform Driver; linux-security-module
> Subject: Re: [PATCH] platform/x86: Export LPC attributes for the system SPI
> chip
> 
> 
> [EXTERNAL EMAIL]
> 
> On Thu, 7 May 2020 at 18:45, <Mario.Limonciello at dell.com> wrote:
> > To echo Andy's question, I would wonder if it makes sense to just export
> > these attributes in securityfs directly from the intel-spi-pci driver rather
> > than to have another driver in platform-x86 to get the information.
> 
> The "DANGEROUS" in the SPI_INTEL_SPI_PCI and SPI_INTEL_SPI_PLATFORM
> worried me somewhat. I'm guessing this is why most distros don't
> compile it as a module by default. If the module isn't actually still
> considered dangerous, and we can remove the warning I can of course
> respin my patch on top of that instead.
> 
> Richard.

Well reading the documentation for it can explain why it's potentially dangerous.
If a manufacturer hasn't properly configured lock down bits like those you're trying
to expose, that would allow doing dangerous things.

https://www.kernel.org/doc/html/latest/driver-api/mtd/intel-spi.html
"
 The intel-spi driver makes it possible to read and write the SPI serial flash, if 
certain protection bits are not set and locked. If it finds any of them set, the 
whole MTD device is made read-only to prevent partial overwrites.
By default the driver exposes SPI serial flash contents as read-only but it can
be changed from kernel command line, passing “intel-spi.writeable=1”.
"



More information about the Linux-security-module-archive mailing list