
Re: [PATCH 3/4] Add lockdown mode



Hello Kevin,

Le 06/05/2025 à 18:32, Kevin Lampis a écrit :
> The intention of lockdown mode is to prevent attacks from a rogue dom0
> userspace from compromising the system. Lockdown mode can be controlled by a
> Kconfig option and a command-line parameter.

What is the effective effect of such a mode? How does it protect the
hypervisor from Dom0?
(I can't find the PATCH 4/4, which seems to give an explanation.)

> It is also enabled automatically
> when Secure Boot is enabled and it cannot be disabled in that case.
>
> Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> Signed-off-by: Kevin Lampis <kevin.lampis@xxxxxxxxx>
> ---
>   xen/arch/x86/setup.c       |  1 +
>   xen/common/Kconfig         |  8 ++++++
>   xen/common/Makefile        |  1 +
>   xen/common/kernel.c        |  3 +++
>   xen/common/lockdown.c      | 52 ++++++++++++++++++++++++++++++++++++++
>   xen/include/xen/lockdown.h |  9 +++++++
>   6 files changed, 74 insertions(+)
>   create mode 100644 xen/common/lockdown.c
>   create mode 100644 xen/include/xen/lockdown.h
>
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 2518954124..276957c4ed 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -15,6 +15,7 @@
>   #include <xen/kexec.h>
>   #include <xen/keyhandler.h>
>   #include <xen/lib.h>
> +#include <xen/lockdown.h>
>   #include <xen/multiboot.h>
>   #include <xen/nodemask.h>
>   #include <xen/numa.h>
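Review bot: the new `#include <xen/lockdown.h>` in setup.c has no user anywhere in this patch; if the call site only arrives in patch 4/4, move the include there so each patch builds cleanly on its own, otherwise drop it.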
> diff --git a/xen/common/Kconfig b/xen/common/Kconfig
> index 4bec78c6f2..63ff37d046 100644
> --- a/xen/common/Kconfig
> +++ b/xen/common/Kconfig
> @@ -596,4 +596,12 @@ config BUDDY_ALLOCATOR_SIZE
>         Amount of memory reserved for the buddy allocator to serve Xen heap,
>         working alongside the colored one.
>
> +config LOCKDOWN_DEFAULT
> +     bool "Enable lockdown mode by default"
> +     default n
> +     help
> +       Lockdown mode prevents attacks from a rogue dom0 userspace from
> +       compromising the system. This is automatically enabled when Secure
> +       Boot is enabled.
> +
>   endmenu
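Review bot: the help text explains the default and the Secure Boot override but not that `lockdown` / `no-lockdown` on the command line changes the setting; stating the precedence here (Secure Boot over command line over this default) would save readers from reading lockdown.c. `default n` is also redundant, since a bool symbol already defaults to n.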
> diff --git a/xen/common/Makefile b/xen/common/Makefile
> index 98f0873056..b00a8a925a 100644
> --- a/xen/common/Makefile
> +++ b/xen/common/Makefile
> @@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) += kexec.o
>   obj-$(CONFIG_KEXEC) += kimage.o
>   obj-$(CONFIG_LIVEPATCH) += livepatch.o livepatch_elf.o
>   obj-$(CONFIG_LLC_COLORING) += llc-coloring.o
> +obj-y += lockdown.o
>   obj-$(CONFIG_VM_EVENT) += mem_access.o
>   obj-y += memory.o
>   obj-y += multicall.o
> diff --git a/xen/common/kernel.c b/xen/common/kernel.c
> index 8b63ca55f1..6658db9514 100644
> --- a/xen/common/kernel.c
> +++ b/xen/common/kernel.c
> @@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline)
>    */
>   void __init cmdline_parse(const char *cmdline)
>   {
> +    /* Call this early since it affects command-line parsing */
> +    lockdown_init(cmdline);
> +
>       if ( opt_builtin_cmdline[0] )
>       {
>           printk("Built-in command line: %s\n", opt_builtin_cmdline);
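Review bot: `lockdown_init(cmdline)` is handed only the bootloader-supplied string, while `opt_builtin_cmdline` is handled separately just below and is never seen by it, so a `lockdown` setting placed in the built-in command line is silently ignored; either pass the built-in string to lockdown_init() as well, or document that only the external command line controls the mode.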
> diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
> new file mode 100644
> index 0000000000..935911dfd0
> --- /dev/null
> +++ b/xen/common/lockdown.c
> @@ -0,0 +1,52 @@
> +/* SPDX-License-Identifier: GPL-2.0-or-later */
> +
> +#include <xen/efi.h>
> +#include <xen/kernel.h>
> +#include <xen/lockdown.h>
> +#include <xen/param.h>
> +#include <xen/string.h>
> +
> +static bool __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT);
> +ignore_param("lockdown");
> +
> +bool is_locked_down(void)
> +{
> +    return lockdown;
> +}
> +
> +void __init lockdown_init(const char *cmdline)
> +{
> +    if ( efi_secure_boot )
> +    {
> +        printk("Enabling lockdown mode because Secure Boot is enabled\n");
> +        lockdown = true;
> +    }
> +    else
> +    {
> +        while ( *cmdline )
> +        {
> +            size_t param_len, name_len;
> +            int ret;
> +
> +            cmdline += strspn(cmdline, " \n\r\t");
> +            param_len = strcspn(cmdline, " \n\r\t");
> +            name_len = strcspn(cmdline, "= \n\r\t");
> +
> +            if ( !strncmp(cmdline, "lockdown", max(name_len, 
> strlen("lockdown"))) ||
> +                 !strncmp(cmdline, "no-lockdown", max(name_len, 
> strlen("no-lockdown"))) )
> +            {
> +                ret = parse_boolean("lockdown", cmdline, cmdline + 
> param_len);
> +                if ( ret >= 0 )
> +                {
> +                    lockdown = ret;
> +                    printk("Lockdown mode set from command-line\n");
> +                    break;
> +                }
> +            }
> +
> +            cmdline += param_len;
> +        }
> +    }
> +
> +    printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled");
> +}
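Review bot: the `break` after the first successful parse_boolean() means the first `lockdown` / `no-lockdown` token wins, so a later `no-lockdown` following an earlier `lockdown` is not honoured; if first-match is intentional, say so in a comment, otherwise drop the `break`. Separately, when `efi_secure_boot` is set the command line is not scanned at all, so an explicit `no-lockdown` is swallowed by `ignore_param()` without any message; a printk saying the option was ignored would make the final "Lockdown mode is enabled" line less surprising.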

With
> Kevin Lampis (1):
>   Disallow most command-line options when lockdown mode is enabled

I am not convinced of the efficiency of being able to toggle lockdown
mode (including disabling it) from the command line. In case the userland
can hijack the cmdline, I can't see what would prevent it from setting
no-lockdown, which will disable the lockdown mode (also overriding
CONFIG_LOCKDOWN_DEFAULT).

> diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h
> new file mode 100644
> index 0000000000..b2baa31caa
> --- /dev/null
> +++ b/xen/include/xen/lockdown.h
> @@ -0,0 +1,9 @@
> +#ifndef XEN__LOCKDOWN_H
> +#define XEN__LOCKDOWN_H
> +
> +#include <xen/types.h>
> +
> +bool is_locked_down(void);
> +void lockdown_init(const char *cmdline);
> +
> +#endif /* XEN__LOCKDOWN_H */

Teddy


Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech
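As an added stand-alone model (not the patch's or Xen's own code; `model_parse_boolean` and `model_lockdown` are simplified stand-ins for Xen's parse_boolean() and the patch's lockdown_init(), with only `1`/`0` accepted as `=` values), this shows how the command-line scan resolves the effective setting: `no-lockdown` overrides CONFIG_LOCKDOWN_DEFAULT unless Secure Boot is on, which is the concern raised in the reply above, and the first matching token wins because of the `break`.

```c
#include <stdbool.h>
#include <string.h>

#define WS " \n\r\t"
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Simplified stand-in for Xen's parse_boolean(): accepts "name", "no-name",
 * "name=1" and "name=0"; returns 1/0, or -1 when the token does not match. */
static int model_parse_boolean(const char *name, const char *s, const char *e)
{
    size_t n = strlen(name);
    int val = 1;
    if ( e - s > 3 && !strncmp(s, "no-", 3) ) { val = 0; s += 3; }
    if ( (size_t)(e - s) < n || strncmp(s, name, n) ) return -1;
    s += n;
    if ( s == e ) return val;
    if ( !val || *s != '=' || e - s != 2 ) return -1;
    return s[1] == '1' ? 1 : s[1] == '0' ? 0 : -1;
}

/* Effective lockdown state for a Kconfig default, Secure Boot state and
 * command line, following the control flow of the patch's lockdown_init(). */
bool model_lockdown(bool config_default, bool secure_boot, const char *cmdline)
{
    bool lockdown = config_default;

    if ( secure_boot )
        return true;                     /* the cmdline is never consulted */

    while ( *cmdline )
    {
        size_t param_len, name_len;
        cmdline += strspn(cmdline, WS);
        param_len = strcspn(cmdline, WS);
        name_len = strcspn(cmdline, "=" WS);
        if ( !strncmp(cmdline, "lockdown", MAX(name_len, strlen("lockdown"))) ||
             !strncmp(cmdline, "no-lockdown", MAX(name_len, strlen("no-lockdown"))) )
        {
            int ret = model_parse_boolean("lockdown", cmdline, cmdline + param_len);
            if ( ret >= 0 )
            {
                lockdown = ret;
                break;                   /* first match wins, as in the patch */
            }
        }
        cmdline += param_len;
    }
    return lockdown;
}
```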