[PATCH 3/4] Add lockdown mode
The intention of lockdown mode is to prevent attacks from a rogue dom0 userspace from compromising the system. Lockdown mode can be controlled by a Kconfig option and a command-line parameter. It is also enabled automatically when Secure Boot is enabled and it cannot be disabled in that case.

Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx>
---
 xen/arch/x86/setup.c       |  1 +
 xen/common/Kconfig         |  8 ++++++
 xen/common/Makefile        |  1 +
 xen/common/kernel.c        |  3 +++
 xen/common/lockdown.c      | 52 ++++++++++++++++++++++++++++++++++++++
 xen/include/xen/lockdown.h |  9 +++++++
 6 files changed, 74 insertions(+)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 2518954124..276957c4ed 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -15,6 +15,7 @@
 #include <xen/kexec.h>
 #include <xen/keyhandler.h>
 #include <xen/lib.h>
+#include <xen/lockdown.h>
 #include <xen/multiboot.h>
 #include <xen/nodemask.h>
 #include <xen/numa.h>
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 4bec78c6f2..63ff37d046 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -596,4 +596,12 @@ config BUDDY_ALLOCATOR_SIZE
 	  Amount of memory reserved for the buddy allocator to serve Xen heap,
 	  working alongside the colored one.
 
+config LOCKDOWN_DEFAULT
+	bool "Enable lockdown mode by default"
+	default n
+	help
+	  Lockdown mode prevents attacks from a rogue dom0 userspace from
+	  compromising the system. This is automatically enabled when Secure
+	  Boot is enabled.
+
 endmenu
diff --git a/xen/common/Makefile b/xen/common/Makefile
index 98f0873056..b00a8a925a 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
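Review bot: The help text of CONFIG_LOCKDOWN_DEFAULT says nothing about the boot-time override, although the commit message states that a command-line parameter also controls lockdown mode, so a reader of the Kconfig option cannot tell that "default" is really a default. Suggested addition after the last sentence: `The default can be overridden with the "lockdown" / "no-lockdown" command-line option, except when Secure Boot is enabled, in which case lockdown is always on.` The setup.c include and Makefile hunks on this line need no comment.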
@@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) += kexec.o
 obj-$(CONFIG_KEXEC) += kimage.o
 obj-$(CONFIG_LIVEPATCH) += livepatch.o livepatch_elf.o
 obj-$(CONFIG_LLC_COLORING) += llc-coloring.o
+obj-y += lockdown.o
 obj-$(CONFIG_VM_EVENT) += mem_access.o
 obj-y += memory.o
 obj-y += multicall.o
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 8b63ca55f1..6658db9514 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline)
  */
 void __init cmdline_parse(const char *cmdline)
 {
+    /* Call this early since it affects command-line parsing */
+    lockdown_init(cmdline);
+
     if ( opt_builtin_cmdline[0] )
     {
         printk("Built-in command line: %s\n", opt_builtin_cmdline);
diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
new file mode 100644
index 0000000000..935911dfd0
--- /dev/null
+++ b/xen/common/lockdown.c
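Review bot: lockdown_init() is handed only the bootloader command line, yet the lines immediately below show cmdline_parse() also processing opt_builtin_cmdline, so a `lockdown` / `no-lockdown` option placed in the built-in command line is never seen by the new scanner; this presumably matters even more in the configuration where the built-in line is meant to override the bootloader one. If the built-in command line is supposed to be able to carry the option, the cleaner fix is to give lockdown_init() both strings and scan them in the same order cmdline_parse() applies them, rather than calling it twice and printing the summary line twice. The body of cmdline_parse() continues past the end of the hunk, so I cannot see whether the built-in line is applied before or after the bootloader one here.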
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <xen/efi.h>
+#include <xen/kernel.h>
+#include <xen/lockdown.h>
+#include <xen/param.h>
+#include <xen/string.h>
+
+static bool __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT);
+ignore_param("lockdown");
+
+bool is_locked_down(void)
+{
+    return lockdown;
+}
+
+void __init lockdown_init(const char *cmdline)
+{
+    if ( efi_secure_boot )
+    {
+        printk("Enabling lockdown mode because Secure Boot is enabled\n");
+        lockdown = true;
+    }
+    else
+    {
+        while ( *cmdline )
+        {
+            size_t param_len, name_len;
+            int ret;
+
+            cmdline += strspn(cmdline, " \n\r\t");
+            param_len = strcspn(cmdline, " \n\r\t");
+            name_len = strcspn(cmdline, "= \n\r\t");
+
+            if ( !strncmp(cmdline, "lockdown", max(name_len, strlen("lockdown"))) ||
+                 !strncmp(cmdline, "no-lockdown", max(name_len, strlen("no-lockdown"))) )
+            {
+                ret = parse_boolean("lockdown", cmdline, cmdline + param_len);
+                if ( ret >= 0 )
+                {
+                    lockdown = ret;
+                    printk("Lockdown mode set from command-line\n");
+                    break;
+                }
+            }
+
+            cmdline += param_len;
+        }
+    }
+
+    printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled");
+}
diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h
new file mode 100644
index 0000000000..b2baa31caa
--- /dev/null
+++ b/xen/include/xen/lockdown.h
@@ -0,0 +1,9 @@
+#ifndef XEN__LOCKDOWN_H
+#define XEN__LOCKDOWN_H
+
+#include <xen/types.h>
+
+bool is_locked_down(void);
+void lockdown_init(const char *cmdline);
+
+#endif /* XEN__LOCKDOWN_H */
-- 
2.42.0
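Review bot: The `break` after the first successfully parsed `lockdown` / `no-lockdown` token makes the first occurrence win, whereas the ordinary parser, as far as I know it, applies options in order so that a later occurrence overrides an earlier one; a command line such as `lockdown no-lockdown` would therefore be read one way by this scanner and the opposite way by every other boolean option. Dropping the `break;` gives last-wins semantics consistent with the rest of Xen, with the printk either kept per match or moved below the loop. The new option also has no entry in docs/misc/xen-command-line.pandoc and the diffstat shows no docs change; the entry should name the boolean, its `no-` form, and state that Secure Boot forces lockdown on regardless of the option, which the code in the `efi_secure_boot` branch silently does.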
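Review bot: Neither declaration in the new header carries a comment, and the contract matters here because lockdown_init() is the only writer of the flag and must run before the rest of command-line parsing. Suggested comments: `/* True when lockdown mode is in effect; reflects the Kconfig default until lockdown_init() has run. */` above is_locked_down(), and `/* Set lockdown mode from the Secure Boot state or the "lockdown"/"no-lockdown" option in @cmdline; call once, early in cmdline_parse(). */` above lockdown_init().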