[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 4/4] Disallow most command-line options when lockdown mode is enabled

Hello,

Le 12/05/2025 à 11:04, Kevin Lampis a écrit :
> A subset of command-line parameters that are specifically safe to use
> when lockdown mode is enabled are annotated as such.
>
> Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx>
> ---
>   xen/arch/arm/domain_build.c           |  4 +--
>   xen/arch/x86/acpi/cpu_idle.c          |  2 +-
>   xen/arch/x86/cpu/amd.c                |  2 +-
>   xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
>   xen/arch/x86/cpu/microcode/core.c     |  2 +-
>   xen/arch/x86/dom0_build.c             |  4 +--
>   xen/arch/x86/hvm/hvm.c                |  2 +-
>   xen/arch/x86/irq.c                    |  2 +-
>   xen/arch/x86/nmi.c                    |  2 +-
>   xen/arch/x86/setup.c                  |  2 +-
>   xen/arch/x86/traps.c                  |  2 +-
>   xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
>   xen/common/domain.c                   |  2 +-
>   xen/common/kernel.c                   | 10 +++++-
>   xen/common/kexec.c                    |  2 +-
>   xen/common/numa.c                     |  2 +-
>   xen/common/page_alloc.c               |  2 +-
>   xen/common/shutdown.c                 |  2 +-
>   xen/drivers/char/console.c            |  2 +-
>   xen/drivers/char/ns16550.c            |  4 +--
>   xen/drivers/video/vga.c               |  2 +-
>   xen/include/xen/param.h               | 49 +++++++++++++++++++++------
>   22 files changed, 70 insertions(+), 35 deletions(-)
>
> diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
> index df29619c40..8ff1af3787 100644
> --- a/xen/arch/arm/domain_build.c
> +++ b/xen/arch/arm/domain_build.c
> @@ -41,7 +41,7 @@
>   #include <xen/serial.h>
>
>   static unsigned int __initdata opt_dom0_max_vcpus;
> -integer_param("dom0_max_vcpus", opt_dom0_max_vcpus);
> +integer_secure_param("dom0_max_vcpus", opt_dom0_max_vcpus);
>
>   /*
>    * If true, the extended regions support is enabled for dom0 and
> @@ -61,7 +61,7 @@ static int __init parse_dom0_mem(const char *s)
>
>       return *s ? -EINVAL : 0;
>   }
> -custom_param("dom0_mem", parse_dom0_mem);
> +custom_secure_param("dom0_mem", parse_dom0_mem);
>
>   int __init parse_arch_dom0_param(const char *s, const char *e)
>   {
> diff --git a/xen/arch/x86/acpi/cpu_idle.c b/xen/arch/x86/acpi/cpu_idle.c
> index 1dbf15b01e..431fd0c997 100644
> --- a/xen/arch/x86/acpi/cpu_idle.c
> +++ b/xen/arch/x86/acpi/cpu_idle.c
> @@ -113,7 +113,7 @@ static int __init cf_check parse_cstate(const char *s)
>           max_csubstate = simple_strtoul(s + 1, NULL, 0);
>       return 0;
>   }

What makes ...

> -custom_param("max_cstate", parse_cstate);
> +custom_secure_param("max_cstate", parse_cstate);

... specifically unsafe ?

>
>   static bool __read_mostly local_apic_timer_c2_ok;
>   boolean_param("lapic_timer_c2_ok", local_apic_timer_c2_ok);
> diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
> index 37d67dd15c..c36351c968 100644
> --- a/xen/arch/x86/cpu/amd.c
> +++ b/xen/arch/x86/cpu/amd.c
> @@ -47,7 +47,7 @@ integer_param("cpuid_mask_thermal_ecx", 
> opt_cpuid_mask_thermal_ecx);
>
>   /* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
>   int8_t __read_mostly opt_allow_unsafe;
> -boolean_param("allow_unsafe", opt_allow_unsafe);
> +boolean_secure_param("allow_unsafe", opt_allow_unsafe);
>
>   /* Signal whether the ACPI C1E quirk is required. */
>   bool __read_mostly amd_acpi_c1e_quirk;
> diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c
> index 1c348e557d..a229af6fd3 100644
> --- a/xen/arch/x86/cpu/mcheck/mce.c
> +++ b/xen/arch/x86/cpu/mcheck/mce.c
> @@ -31,7 +31,7 @@
>   #include "vmce.h"
>
>   bool __read_mostly opt_mce = true;
> -boolean_param("mce", opt_mce);
> +boolean_secure_param("mce", opt_mce);
>   bool __read_mostly mce_broadcast;
>   bool is_mc_panic;
>   DEFINE_PER_CPU_READ_MOSTLY(unsigned int, nr_mce_banks);
> diff --git a/xen/arch/x86/cpu/microcode/core.c 
> b/xen/arch/x86/cpu/microcode/core.c
> index 34a94cd25b..b5b7304ae7 100644
> --- a/xen/arch/x86/cpu/microcode/core.c
> +++ b/xen/arch/x86/cpu/microcode/core.c
> @@ -160,7 +160,7 @@ static int __init cf_check parse_ucode(const char *s)
>
>       return rc;
>   }
> -custom_param("ucode", parse_ucode);
> +custom_secure_param("ucode", parse_ucode);
>
>   static struct microcode_ops __ro_after_init ucode_ops;
>
> diff --git a/xen/arch/x86/dom0_build.c b/xen/arch/x86/dom0_build.c
> index 0b467fd4a4..6d42acb661 100644
> --- a/xen/arch/x86/dom0_build.c
> +++ b/xen/arch/x86/dom0_build.c
> @@ -142,7 +142,7 @@ static int __init cf_check parse_dom0_mem(const char *s)
>
>       return s[-1] ? -EINVAL : ret;
>   }
> -custom_param("dom0_mem", parse_dom0_mem);
> +custom_secure_param("dom0_mem", parse_dom0_mem);
>
>   static unsigned int __initdata opt_dom0_max_vcpus_min = 1;
>   static unsigned int __initdata opt_dom0_max_vcpus_max = UINT_MAX;
> @@ -164,7 +164,7 @@ static int __init cf_check parse_dom0_max_vcpus(const 
> char *s)
>
>       return *s ? -EINVAL : 0;
>   }
> -custom_param("dom0_max_vcpus", parse_dom0_max_vcpus);
> +custom_secure_param("dom0_max_vcpus", parse_dom0_max_vcpus);
>

I think it is acceptable for being able to configure dom0-max-vcpus and
dom0-mem. It's very likely that the toolstack/user wants to configure that.

>   static __initdata unsigned int dom0_nr_pxms;
>   static __initdata unsigned int dom0_pxms[MAX_NUMNODES] =
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index 4cb2e13046..97afb274fe 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -87,7 +87,7 @@ unsigned long __section(".bss.page_aligned") 
> __aligned(PAGE_SIZE)
>
>   /* Xen command-line option to enable HAP */
>   static bool __initdata opt_hap_enabled = true;
> -boolean_param("hap", opt_hap_enabled);
> +boolean_secure_param("hap", opt_hap_enabled);

---

I think there are several lockdown missing parameters, for instance
(dom0-)iommu related parameters should be definetely supposed unsafe.

(dom0-)iommu parameter can be used to disable PCI Passthrough related
security features (quarantine thus disabling fix for some XSA variants)
or using invalid IOMMU configurations (e.g dom0-iommu=none).

In the same idea, PCI Passthrough to PV guests without a IOMMU should be
made impossible in this mode, as it actually allows the guest to perform
a privilege escalation using (actually unrestricted) DMA.

Teddy


Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.