[PATCH 1/2] powerpc/pseries: block untrusted device tree changes when locked down
Michael Ellerman
mpe at ellerman.id.au
Fri Sep 23 07:03:59 UTC 2022
Paul Moore <paul at paul-moore.com> writes:
> On Thu, Sep 22, 2022 at 3:38 PM Nathan Lynch <nathanl at linux.ibm.com> wrote:
>>
>> The /proc/powerpc/ofdt interface allows the root user to freely alter
>> the in-kernel device tree, enabling arbitrary physical address writes
>> via drivers that could bind to malicious device nodes, thus making it
>> possible to disable lockdown.
>>
>> Historically this interface has been used on the pseries platform to
>> facilitate the runtime addition and removal of processor, memory, and
>> device resources (aka Dynamic Logical Partitioning or DLPAR). Years
>> ago, the processor and memory use cases were migrated to designs that
>> happen to be lockdown-friendly: device tree updates are communicated
>> directly to the kernel from firmware without passing through untrusted
>> user space. I/O device DLPAR via the "drmgr" command in powerpc-utils
>> remains the sole legitimate user of /proc/powerpc/ofdt, but it is
>> already broken in lockdown since it uses /dev/mem to allocate argument
>> buffers for the rtas syscall. So only illegitimate uses of the
>> interface should see a behavior change when running on a locked down
>> kernel.
>>
>> Signed-off-by: Nathan Lynch <nathanl at linux.ibm.com>
>> ---
>> arch/powerpc/platforms/pseries/reconfig.c | 5 +++++
>> include/linux/security.h | 1 +
>> security/security.c | 1 +
>> 3 files changed, 7 insertions(+)
>
> A couple of small nits below, but in general this seems reasonable.
> However, as we are currently at -rc6 I would like us to wait to merge
> this until after the upcoming merge window closes (I don't like
> merging new functionality into -next at -rc6).
It's a bug fix, not a new feature IMHO.
I'd like to take it via the powerpc tree.
cheers
More information about the Linux-security-module-archive
mailing list