
[PATCH 1/2] Add lockdown mode


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Kevin Lampis <kevin.lampis@xxxxxxxxxx>
  • Date: Tue, 2 Jun 2026 17:49:10 +0100
  • Cc: jbeulich@xxxxxxxx, andrew.cooper3@xxxxxxxxxx, roger.pau@xxxxxxxxxx, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
  • Delivery-date: Tue, 02 Jun 2026 16:48:49 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

The intention of lockdown mode is to prevent a rogue dom0 userspace from
compromising the system. Lockdown mode can be controlled
by a Kconfig option and a command-line parameter. It is also enabled
automatically when Secure Boot is enabled and it cannot be disabled in
that case.

Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
 xen/arch/x86/setup.c       |  1 +
 xen/common/Kconfig         |  8 ++++++
 xen/common/Makefile        |  1 +
 xen/common/kernel.c        |  4 +++
 xen/common/lockdown.c      | 56 ++++++++++++++++++++++++++++++++++++++
 xen/include/xen/lockdown.h |  9 ++++++
 6 files changed, 79 insertions(+)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 19ee857abf..fd45a929f2 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -13,6 +13,7 @@
 #include <xen/kexec.h>
 #include <xen/keyhandler.h>
 #include <xen/lib.h>
+#include <xen/lockdown.h>
 #include <xen/multiboot.h>
 #include <xen/nodemask.h>
 #include <xen/numa.h>
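Review bot: `xen/lockdown.h` is added to setup.c's includes, but nothing in this patch uses `is_locked_down()` or `lockdown_init()` from setup.c, so as far as this series part goes the include is unused. If a later patch in the series adds the first user in setup.c, the include belongs in that patch; otherwise it should be dropped so the dependency does not outlive whatever motivated it.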
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 5ff71480ee..c56326ff11 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -668,4 +668,12 @@ config PM_STATS
          Enable collection of performance management statistics to aid in
          analyzing and tuning power/performance characteristics of the system
 
+config LOCKDOWN_DEFAULT
+       bool "Enable lockdown mode by default"
+       default n
+       help
+         Lockdown mode prevents attacks from a rogue dom0 userspace from
+         compromising the system. This is automatically enabled when Secure
+         Boot is enabled.
+
 endmenu
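Review bot: The help text for LOCKDOWN_DEFAULT does not mention that the build-time default can be overridden at runtime with the `lockdown`/`no-lockdown` command-line options, nor that Secure Boot forces the mode on regardless of this option, which is the behaviour the commit message describes and the one an operator reading `make menuconfig` needs. The option name says "by default", so a sentence such as `The default can be overridden with the lockdown/no-lockdown command-line options, except when Secure Boot is enabled, in which case lockdown mode is always on.` would close that gap. Separately, the diffstat shows no change under docs/, so the new `lockdown` command-line parameter is not documented in docs/misc/xen-command-line.pandoc; a new boolean option normally gets an entry there in the same patch.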
diff --git a/xen/common/Makefile b/xen/common/Makefile
index 6018e25614..285e14b454 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) += kexec.o
 obj-$(CONFIG_KEXEC) += kimage.o
 obj-$(CONFIG_LIVEPATCH) += livepatch.o livepatch_elf.o
 obj-$(CONFIG_LLC_COLORING) += llc-coloring.o
+obj-y += lockdown.o
 obj-$(CONFIG_VM_EVENT) += mem_access.o
 obj-y += memory.o
 obj-$(CONFIG_VM_EVENT) += monitor.o
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index fb45f81399..8351f55cde 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -14,6 +14,7 @@
 #include <xen/guest_access.h>
 #include <xen/hypercall.h>
 #include <xen/hypfs.h>
+#include <xen/lockdown.h>
 #include <xsm/xsm.h>
 #include <asm/current.h>
 #include <public/version.h>
@@ -217,6 +218,9 @@ static void __init _cmdline_parse(const char *cmdline)
  */
 void __init cmdline_parse(const char *cmdline)
 {
+    /* Call this early since it affects command-line parsing */
+    lockdown_init(cmdline);
+
     if ( opt_builtin_cmdline[0] )
     {
         printk("Built-in command line: %s\n", opt_builtin_cmdline);
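Review bot: `lockdown_init(cmdline)` only ever sees the bootloader-supplied string, while the lines right after it show that a built-in command line (`opt_builtin_cmdline`, CONFIG_CMDLINE) is parsed as well; a `lockdown` or `no-lockdown` placed in the built-in command line is therefore never consulted, and because `ignore_param("lockdown")` is registered the generic parser will not report it either. If the intent is for the built-in string to participate with the usual precedence, `lockdown_init()` should be run over `opt_builtin_cmdline` before the bootloader string, e.g. `if ( opt_builtin_cmdline[0] ) lockdown_init(opt_builtin_cmdline);` ahead of the existing call; if the intent is to deliberately ignore it, the comment should say so instead of the current `/* Call this early since it affects command-line parsing */`, which this patch does not yet substantiate. The remainder of cmdline_parse() is outside the hunk, so how the two strings are ordered there is inferred from the printk alone.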
diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
new file mode 100644
index 0000000000..6e9df36baa
--- /dev/null
+++ b/xen/common/lockdown.c
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <xen/efi.h>
+#include <xen/kernel.h>
+#include <xen/lockdown.h>
+#include <xen/param.h>
+#include <xen/string.h>
+
+static bool __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT);
+ignore_param("lockdown");
+
+bool is_locked_down(void)
+{
+    return lockdown;
+}
+
+void __init lockdown_init(const char *cmdline)
+{
+#ifdef CONFIG_PV_SHIM
+    lockdown = false;
+#else
+    if ( efi_secure_boot )
+    {
+        printk("Enabling lockdown mode because Secure Boot is enabled\n");
+        lockdown = true;
+    }
+    else
+    {
+        while ( *cmdline )
+        {
+            size_t param_len, name_len;
+            int ret;
+
+            cmdline += strspn(cmdline, " \n\r\t");
+            param_len = strcspn(cmdline, " \n\r\t");
+            name_len = strcspn(cmdline, "= \n\r\t");
+
+            if ( !strncmp(cmdline, "lockdown", max(name_len, 
strlen("lockdown"))) ||
+                 !strncmp(cmdline, "no-lockdown", max(name_len, 
strlen("no-lockdown"))) )
+            {
+                ret = parse_boolean("lockdown", cmdline, cmdline + param_len);
+                if ( ret >= 0 )
+                {
+                    lockdown = ret;
+                    printk("Lockdown mode set from command-line\n");
+                    break;
+                }
+            }
+
+            cmdline += param_len;
+        }
+    }
+
+    printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled");
+#endif
+}
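Review bot: The `break` after the first successfully parsed `lockdown`/`no-lockdown` token makes the first occurrence win, whereas the rest of Xen's command-line handling lets a later option override an earlier one, so `lockdown no-lockdown` ends up with lockdown enabled here; dropping the `break` restores last-wins semantics. In the same block, a token that matches the name but has an unparsable value returns `ret < 0` and is skipped silently, and since `ignore_param("lockdown")` also keeps the generic parser from printing its "invalid value" diagnostic, nobody is told; an `else printk(XENLOG_WARNING "Ignoring invalid lockdown setting: %.*s\n", (int)param_len, cmdline);` would surface it. `while ( *cmdline )` also dereferences the argument unconditionally; if cmdline_parse() can be reached with a NULL command line (its body continues outside the kernel.c hunk), the loop needs a `cmdline &&` guard first. Finally, when `efi_secure_boot` is set the command line is not examined at all, so an explicit `no-lockdown` is discarded without a message, which is the documented behaviour but is worth a warning so the operator knows the option was overridden rather than mistyped.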
diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h
new file mode 100644
index 0000000000..b2baa31caa
--- /dev/null
+++ b/xen/include/xen/lockdown.h
@@ -0,0 +1,9 @@
+#ifndef XEN__LOCKDOWN_H
+#define XEN__LOCKDOWN_H
+
+#include <xen/types.h>
+
+bool is_locked_down(void);
+void lockdown_init(const char *cmdline);
+
+#endif /* XEN__LOCKDOWN_H */
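Review bot: The two declarations in the new header carry no comment, and neither name says what the contract is (in particular that `lockdown_init()` must run before the rest of command-line parsing, and that `is_locked_down()` is only meaningful once it has). Suggested comments: `/* Returns true once lockdown mode is in effect; only valid after lockdown_init(). */` above `is_locked_down`, and `/* Determine lockdown state from Secure Boot and the given command line; call before the remaining command-line options are parsed. */` above `lockdown_init`. A short header comment stating the purpose of lockdown mode, matching the Kconfig help, would also help readers who land here first.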
-- 
2.52.0




 

