Xen project Mailing List

Re: [PATCH v2 2/3] Add lockdown mode

To: Kevin Lampis <kevin.lampis@xxxxxxxxx>

From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Date: Mon, 2 Jun 2025 16:20:26 +0200

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

Delivery-date: Mon, 02 Jun 2025 14:20:34 +0000

Feedback-id: i1568416f:Fastmail

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jun 02, 2025 at 02:46:55PM +0100, Kevin Lampis wrote: > From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> > > The intention of lockdown mode is to prevent attacks from a rogue dom0 > userspace from compromising the system. Lockdown mode can be controlled by a > Kconfig option and a command-line parameter. It is also enabled automatically > when Secure Boot is enabled and it cannot be disabled in that case. > > If enabled from the command-line then it is required to be first in the > list otherwise Xen may process some insecure parameters before reaching > the lockdown parameter. > > Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> > Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx> > --- > Changes in v2: > - Remove custom command line parsing > - Print warning if lockdown is not first on command line > --- ... > diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c > new file mode 100644 > index 0000000000..84eabe9c83 > --- /dev/null > +++ b/xen/common/lockdown.c > @@ -0,0 +1,54 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > + > +#include <xen/efi.h> > +#include <xen/lockdown.h> > +#include <xen/param.h> > + > +#define FIRST_ARG_FLAG 2 > + > +static int __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT); > + > +void __init lockdown_set_first_flag(void) > +{ > + lockdown |= FIRST_ARG_FLAG; > +} > + > +void __init lockdown_clear_first_flag(void) > +{ > + lockdown &= ~FIRST_ARG_FLAG; > +} > + > +static int __init parse_lockdown_opt(const char *s) > +{ > + if ( strncmp("no", s, 2) == 0 ) This is rather inconsistent with other bool options. I think you want to use parse_bool() here. > + if ( efi_secure_boot ) > + printk("lockdown can't be disabled because Xen booted in Secure > Boot mode\n"); > + else > + lockdown = 0; > + else > + { > + if ( !(lockdown & FIRST_ARG_FLAG) ) > + printk("lockdown was not the first argument, unsafe arguments > may have been already processed\n"); > + > + lockdown = 1; > + } > + > + return 0; > +} > +custom_param("lockdown", parse_lockdown_opt); -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.