Re: [PATCH v2 3/3] Disallow most command-line options when lockdown mode is enabled
On Mon, Jun 02, 2025 at 02:46:56PM +0100, Kevin Lampis wrote:
> A subset of command-line parameters that are specifically safe to use when
> lockdown mode is enabled are annotated as such.
>
> These are commonly used parameters which have been audited to ensure they
> cannot be used to undermine the integrity of the system when booted in
> Secure Boot mode.
>
> Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx>
> Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> ---
> Changes in v2:
> - Add more information about the safe parameters
> - Add lockdown section to the command line doc
> ---
> docs/misc/xen-command-line.pandoc | 16 +++++++++
> xen/arch/arm/domain_build.c | 4 +--
> xen/arch/x86/acpi/cpu_idle.c | 2 +-
> xen/arch/x86/cpu/amd.c | 2 +-
> xen/arch/x86/cpu/mcheck/mce.c | 2 +-
> xen/arch/x86/cpu/microcode/core.c | 2 +-
> xen/arch/x86/dom0_build.c | 4 +--
> xen/arch/x86/hvm/hvm.c | 2 +-
> xen/arch/x86/irq.c | 2 +-
> xen/arch/x86/nmi.c | 2 +-
> xen/arch/x86/setup.c | 2 +-
> xen/arch/x86/traps.c | 2 +-
> xen/arch/x86/x86_64/mmconfig-shared.c | 2 +-
> xen/common/domain.c | 2 +-
> xen/common/kernel.c | 10 +++++-
> xen/common/kexec.c | 2 +-
> xen/common/lockdown.c | 2 +-
> xen/common/numa.c | 2 +-
> xen/common/page_alloc.c | 2 +-
> xen/common/shutdown.c | 2 +-
> xen/drivers/char/console.c | 2 +-
> xen/drivers/char/ns16550.c | 4 +--
> xen/drivers/video/vga.c | 2 +-
> xen/include/xen/param.h | 49 +++++++++++++++++++++------
> 24 files changed, 87 insertions(+), 36 deletions(-)
>
> diff --git a/docs/misc/xen-command-line.pandoc
> b/docs/misc/xen-command-line.pandoc
> index b0eadd2c5d..7916875f22 100644
> --- a/docs/misc/xen-command-line.pandoc
> +++ b/docs/misc/xen-command-line.pandoc
> @@ -1798,6 +1798,22 @@ immediately. Specifying `0` will disable all testing
> of illegal lock nesting.
>
> This option is available for hypervisors built with CONFIG_DEBUG_LOCKS only.
>
> +### lockdown
> +> `= <boolean>`
> +
> +> Default: `false`
This belongs to the 2/3 patch, no?
> +
> +The intention of lockdown mode is to prevent attacks from a rogue dom0
> +userspace from compromising the system. It is also enabled automatically
> +when Secure Boot is enabled and it cannot be disabled in that case.
> +
> +After lockdown mode is enabled some unsafe command line options will be
> +ignored by Xen.
> +
> +If enabling lockdown mode via the command line then ensure it is positioned
> as
> +the first option in the command line string otherwise Xen may process unsafe
> +options before reaching the lockdown parameter.
> +
> ### loglvl
> > `= <level>[/<rate-limited level>]` where level is `none | error | warning
> | info | debug | all`
>
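Review bot: the new "lockdown" section says unsafe options "will be ignored by Xen" but does not say whether Xen reports them; a dropped option under Secure Boot is hard to distinguish from a typo, so state here whether an ignored option is logged and at what level. The "position it as the first option" advice also only holds if a later occurrence of `lockdown` cannot flip the flag back; either document that `lockdown=no` is rejected once lockdown is on, or remove the ordering advice if parsing makes it unnecessary.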
...
> diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
> index 84eabe9c83..cd3deeb63e 100644
> --- a/xen/common/lockdown.c
> +++ b/xen/common/lockdown.c
> @@ -35,7 +35,7 @@ static int __init parse_lockdown_opt(const char *s)
>
> return 0;
> }
> -custom_param("lockdown", parse_lockdown_opt);
> +custom_secure_param("lockdown", parse_lockdown_opt);
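Review bot: marking `lockdown` itself as a secure param means `parse_lockdown_opt()` keeps being honoured after lockdown is already on, so the parser needs to refuse a `false` value once the flag is set (a one-way latch); the visible tail of the function ends in an unconditional `return 0;` with no such check. Either reject clearing the flag inside `parse_lockdown_opt()`, or keep `custom_param` so that only the first occurrence, before lockdown takes effect, is parsed.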
Is that really a good idea? It means `lockdown=yes lockdown=no` would
still disable it in the end. This may matter more if for example the
`lockdown=yes` part is in the built-in cmdline (possibly with other
integrity protection than UEFI SB).
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
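The `lockdown=yes lockdown=no` ordering problem raised above, and the doc's "put lockdown first" caveat, come down to how a single-pass command-line parser treats the lockdown flag itself. The following is an added example, not Xen's parser or any code from this patch: a toy model with a hypothetical two-entry option table (`lockdown` marked secure, `dom0_mem` not) and a `latch` policy switch, so the same command line can be run with and without a one-way latch in `parse_lockdown_opt()`. The option names, table and helper functions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of boot-time option parsing with a "secure param" allow-list.
 * Added example, not Xen code; the option table below is hypothetical. */

static bool lockdown_enabled;   /* state set by "lockdown=" on the cmdline */
static bool lockdown_latched;   /* policy under test: once on, stays on */
static int  ignored_params;     /* non-secure options dropped under lockdown */
static long dom0_mem_mb;        /* hypothetical non-secure option */

/* Yes/no parser in the spirit of a parse_bool(); -1 on unknown input. */
static int parse_bool(const char *s)
{
    if (!strcmp(s, "1") || !strcmp(s, "yes") || !strcmp(s, "true") || !strcmp(s, "on"))
        return 1;
    if (!strcmp(s, "0") || !strcmp(s, "no") || !strcmp(s, "false") || !strcmp(s, "off"))
        return 0;
    return -1;
}

static int parse_lockdown_opt(const char *s)
{
    int b = parse_bool(s);

    if (b < 0)
        return -1;
    /* With the latch, "lockdown=no" after "lockdown=yes" is rejected. */
    if (lockdown_latched && lockdown_enabled && !b)
        return -1;
    lockdown_enabled = b;
    return 0;
}

static int parse_dom0_mem(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);

    if (end == s || *end)
        return -1;
    dom0_mem_mb = v;
    return 0;
}

struct kparam {
    const char *name;
    bool secure;                    /* honoured even when locked down */
    int (*parse)(const char *val);
};

static const struct kparam params[] = {
    { "lockdown", true,  parse_lockdown_opt },
    { "dom0_mem", false, parse_dom0_mem },
};

/* One left-to-right pass over "name=value" tokens, as a boot-time parser
 * would do it.  Returns how many options were actually applied. */
static int parse_cmdline(const char *cmdline, bool latch)
{
    const char *p = cmdline;
    int applied = 0;

    lockdown_enabled = false;
    lockdown_latched = latch;
    ignored_params = 0;
    dom0_mem_mb = 0;

    while (*p) {
        char name[32] = "", val[32] = "";
        size_t n = 0, v = 0, i;

        while (*p == ' ')
            p++;
        if (!*p)
            break;
        while (*p && *p != ' ' && *p != '=' && n < sizeof name - 1)
            name[n++] = *p++;
        if (*p == '=') {
            p++;
            while (*p && *p != ' ' && v < sizeof val - 1)
                val[v++] = *p++;
        }
        while (*p && *p != ' ')     /* discard anything over-long */
            p++;

        for (i = 0; i < sizeof params / sizeof params[0]; i++) {
            if (strcmp(name, params[i].name))
                continue;
            if (lockdown_enabled && !params[i].secure)
                ignored_params++;   /* the "ignored by Xen" case in the doc */
            else if (params[i].parse(val) == 0)
                applied++;
            break;
        }
    }
    return applied;
}

/* Final lockdown state after parsing a command line under a given policy. */
static bool lockdown_after(const char *cmdline, bool latch)
{
    parse_cmdline(cmdline, latch);
    return lockdown_enabled;
}

int main(void)
{
    const char *line = "lockdown=yes dom0_mem=512 lockdown=no dom0_mem=256";
    bool ld = lockdown_after(line, false);

    printf("no latch: lockdown=%d dom0_mem=%ld\n", ld, dom0_mem_mb);
    ld = lockdown_after(line, true);
    printf("latched : lockdown=%d dom0_mem=%ld\n", ld, dom0_mem_mb);
    return 0;
}
```

Without the latch, the constructed line ends with lockdown off and `dom0_mem=256` applied, which is the scenario described in the reply; with the latch, the second `lockdown=` is rejected and both `dom0_mem=` occurrences are dropped. Reordering to `dom0_mem=512 lockdown=yes` shows why the doc asks for `lockdown` to come first: the non-secure option is applied before the flag is ever seen.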