On Thu, Sep 30, 2021 at 12:04:05PM -0700, Kuppuswamy, Sathyanarayanan wrote:
You have not defined the term "audited" here at all in any way that can
On 9/30/21 8:23 AM, Greg Kroah-Hartman wrote:
On Thu, Sep 30, 2021 at 08:18:18AM -0700, Kuppuswamy, Sathyanarayanan wrote:
What is the official definition of "audited"?
On 9/30/21 6:36 AM, Dan Williams wrote:
Yes, AFAIK, it has been audited. Andi also submitted some patchesAnd in particular, not all virtio drivers are hardened -My understanding was that they have been audited, Sathya?
I think at this point blk and scsi drivers have been hardened - so
treating them all the same looks wrong.
related to it. Andi, can you confirm.
In our case (Confidential Computing platform), the host is an un-trusted
entity. So any interaction with host from the drivers will have to be
protected against the possible attack from the host. For example, if we
are accessing a memory based on index value received from host, we have
to make sure it does not lead to out of bound access or when sharing the
memory with the host, we need to make sure only the required region is
shared with the host and the memory is un-shared after use properly.
be reviewed or verified by anyone from what I can tell.
You have only described a new model that you wish the kernel to run in,
one in which it does not trust the hardware at all. That is explicitly
NOT what the kernel has been designed for so far,
and if you wish to
change that, lots of things need to be done outside of simply running
some fuzzers on a few random drivers.
For one example, how do you ensure that the memory you are reading from
hasn't been modified by the host between writing to it the last time you
did?
Do you have a list of specific drivers and kernel options that you
feel you now "trust"?
If so, how long does that trust last for? Until
someonen else modifies that code? What about modifications to functions
that your "audited" code touches? Who is doing this auditing? How do
you know the auditing has been done correctly? Who has reviewed and
audited the tools that are doing the auditing? Where is the
specification that has been agreed on how the auditing must be done?
And so on...
I feel like there are a lot of different things all being mixed up here
into one "oh we want this to happen!" type of thread.
Please let's just
stick to the one request that I had here, which was to move the way that
busses are allowed to authorize the devices they wish to control into a
generic way instead of being bus-specific logic.
Any requests outside of that type of functionality are just that,
outside the scope of this patchset and should get their own patch series
and discussion.