Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}
From: Andi Kleen
Date: Sun Aug 29 2021 - 12:17:59 EST
Let's be frank, even without encryption disabling most drivers -
especially weird ones that poke at hardware before probe -
is far safer than keeping them, but one loses a bunch of features.
Usually we don't lose features at all. None of the legacy drivers are
needed on a guest (or even a modern native system). It's all just all
for old hardware. Maybe in 20+ years it can be all removed, but we can't
wait that long.
IOW all this hardening is nice but which security/feature tradeoff
to take it a policy decision, not something kernel should do
imho.
There's no mechanism to push this kind of policy to user space. Users
don't have control what initcalls run. At the time they execute there
isn't even any user space yet.
Even if they could somehow control them it's very unlikely they would
understand them and make an informed decision.
Doing it at build time is not feasible either since we want to run on
standard distribution kernels.
For modules we have a policy mechanism (prevent udev probing by
preventing enumeration), and that is implemented, but only handling
modules is not enough. The compiled in drivers have to be handled too,
otherwise you have gaping holes in the protection. We don't prevent
users manually loading modules that might probe, but that is a policy
decision that users actually sensibly make in user space.
Also I changing this single call really that bad? It's not that we
changing anything drastic here, just give the low level subsystem a
better hint about the intention. If you don't like the function name,
could make it an argument instead?
-Andi