On Fri, Dec 5, 2014 at 1:27 PM, Pantelis Antoniou <panto@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > Hi Kees, > >> On Dec 5, 2014, at 21:53 , Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> >> On Thu, Dec 4, 2014 at 2:31 AM, Grant Likely <grant.likely@xxxxxxxxxxxx> wrote: >>> Kees, >>> >>> I'm copying you on this email. This is a new interface being proposed >>> for making live changes to the device tree at runtime, which gives >>> pretty close to direct control to userspace of the Linux device model. >>> Userspace can supply a blob that causes devices to get added or removed >>> from /sys/devices, and can change how a device is accessed. This is >>> definitely a security concern and I would love to get your opinion on >>> the interface. >>> >>> Naturally, the interface has been made root-only, but I don't think that >>> is enough. I think we need a method which parts of the devicetree can be >>> modified by a devicetree overlay. I've been thinking in terms of adding >>> allow/deny properties that control whether or not changes can be made >>> below a particular node, with the default for the whole tree to be >>> 'deny'. That way the devicetree for the platform can restrict dynamic >>> change to only the node that need to be modifed. >>> >>> What do you think? >> >> I'm less familiar with device tree, but given the things that I'm >> imagining can be twiddled via this interface, it looks extremely >> powerful. Could devices be changed out from under drivers, or physical >> RAM remapped, etc? >> > > Devices sure, RAM remapped not yet ;) > >> Coming from the perspective of drawing a bright line between kernel >> and the root user (which tends to start with disabling kernel module >> loading), I would say that there at least needs to be a high-level >> one-way "off" switch for the interface so that systems that have this >> interface can choose to turn it off during initial boot, etc. >> > > Sure, that’s easy enough to add. Is a sysfs property good enough? As long as it's one-way and controls the whole interface (or tree), I think that'd be great. I'd normally only done this with sysctls before, but Johannes Berg just did a one-way sysfs flag at my urging in devcoredump, so it would probably look pretty similar: https://lkml.org/lkml/2014/11/13/610 > >> If the tree node ACL you're considering could be used like this, that >> seems like a good approach, as long as the non-deny nodes don't allow >> attaching devices that could access memory in some way, since then >> they could be used to flip the deny bits on other nodes and the >> slippery slope starts... :) >> > > Devices will be created potentially; those have a probe method, which can > can make anything happen. > > This is exactly like from a security point of view as loading modules. Just a random idea, but would it make sense to just tie the logic to the modules_disabled flag? Probably not, but thought I'd throw it out there. -Kees > >> Hopefully that's useful? >> > > Yes. > >> -Kees >> > > Regards > > — Pantelis > >>> >>> Pantelis, I've made comments below on the patch... >>> >>> On Wed, 3 Dec 2014 13:23:28 +0200 >>> , Pantelis Antoniou <pantelis.antoniou@xxxxxxxxxxxx> >>> wrote: >>>> Add a runtime interface to using configfs for generic device tree overlay >>>> usage. With it its possible to use device tree overlays without having >>>> to use a per-platform overlay manager. >>>> >>>> Please see Documentation/devicetree/configfs-overlays.txt for more info. >>>> >>>> Changes since v2: >>>> - Removed ifdef CONFIG_OF_OVERLAY (since for now it's required) >>>> - Created a documentation entry >>>> - Slight rewording in Kconfig >>>> >>>> Changes since v1: >>>> - of_resolve() -> of_resolve_phandles(). >>>> >>>> Signed-off-by: Pantelis Antoniou <pantelis.antoniou@xxxxxxxxxxxx> >>>> --- >>>> Documentation/devicetree/configfs-overlays.txt | 31 +++ >>>> drivers/of/Kconfig | 7 + >>>> drivers/of/Makefile | 1 + >>>> drivers/of/configfs.c | 332 +++++++++++++++++++++++++ >>>> 4 files changed, 371 insertions(+) >>>> create mode 100644 Documentation/devicetree/configfs-overlays.txt >>>> create mode 100644 drivers/of/configfs.c >>>> >>>> diff --git a/Documentation/devicetree/configfs-overlays.txt b/Documentation/devicetree/configfs-overlays.txt >>>> new file mode 100644 >>>> index 0000000..5fa43e0 >>>> --- /dev/null >>>> +++ b/Documentation/devicetree/configfs-overlays.txt >>>> @@ -0,0 +1,31 @@ >>>> +Howto use the configfs overlay interface. >>>> + >>>> +A device-tree configfs entry is created in /config/device-tree/overlays >>>> +and and it is manipulated using standard file system I/O. >>>> +Note that this is a debug level interface, for use by developers and >>>> +not necessarily something accessed by normal users due to the >>>> +security implications of having direct access to the kernel's device tree. >>>> + >>>> +* To create an overlay you mkdir the directory: >>>> + >>>> + # mkdir /config/device-tree/overlays/foo >>>> + >>>> +* Either you echo the overlay firmware file to the path property file. >>>> + >>>> + # echo foo.dtbo >/config/device-tree/overlays/foo/path >>>> + >>>> +* Or you cat the contents of the overlay to the dtbo file >>>> + >>>> + # cat foo.dtbo >/config/device-tree/overlays/foo/dtbo >>>> + >>>> +The overlay file will be applied, and devices will be created/destroyed >>>> +as required. >>>> + >>>> +To remove it simply rmdir the directory. >>>> + >>>> + # rmdir /config/device-tree/overlays/foo >>>> + >>>> +The rationalle of the dual interface (firmware & direct copy) is that each is >>> >>> sp. rationale >>> >>>> +better suited to different use patterns. The firmware interface is what's >>>> +intended to be used by hardware managers in the kernel, while the copy interface >>>> +make sense for developers (since it avoids problems with namespaces). >>> >>> The distinction between developer and production interfaces is >>> unfortunately meaningless in the real world. The developer interface >>> will get used in production if it is there, and having two interfaces >>> means we have to support two interfaces that do /exactly the same >>> thing/. >>> >>> One interface only please. >>> >>> What are the problems with namespaces that you see with the firmware >>> interface? >>> >>>> diff --git a/drivers/of/Kconfig b/drivers/of/Kconfig >>>> index 18b2e25..5d36306 100644 >>>> --- a/drivers/of/Kconfig >>>> +++ b/drivers/of/Kconfig >>>> @@ -91,4 +91,11 @@ config OF_OVERLAY >>>> select OF_DEVICE >>>> select OF_RESOLVE >>>> >>>> +config OF_CONFIGFS >>>> + bool "Device Tree Overlay ConfigFS interface" >>>> + select CONFIGFS_FS >>>> + select OF_OVERLAY >>>> + help >>>> + Enable a simple user-space driven DT overlay interface. >>>> + >>>> endmenu # OF >>>> diff --git a/drivers/of/Makefile b/drivers/of/Makefile >>>> index 7563f36..6f7f4f8 100644 >>>> --- a/drivers/of/Makefile >>>> +++ b/drivers/of/Makefile >>>> @@ -1,4 +1,5 @@ >>>> obj-y = base.o device.o platform.o >>>> +obj-$(CONFIG_OF_CONFIGFS) += configfs.o >>>> obj-$(CONFIG_OF_DYNAMIC) += dynamic.o >>>> obj-$(CONFIG_OF_FLATTREE) += fdt.o >>>> obj-$(CONFIG_OF_EARLY_FLATTREE) += fdt_address.o >>>> diff --git a/drivers/of/configfs.c b/drivers/of/configfs.c >>>> new file mode 100644 >>>> index 0000000..1434ade >>>> --- /dev/null >>>> +++ b/drivers/of/configfs.c >>>> @@ -0,0 +1,332 @@ >>>> +/* >>>> + * Configfs entries for device-tree >>>> + * >>>> + * Copyright (C) 2013 - Pantelis Antoniou <panto@xxxxxxxxxxxxxxxxxxxxxxx> >>>> + * >>>> + * This program is free software; you can redistribute it and/or >>>> + * modify it under the terms of the GNU General Public License >>>> + * as published by the Free Software Foundation; either version >>>> + * 2 of the License, or (at your option) any later version. >>>> + */ >>>> +#include <linux/ctype.h> >>>> +#include <linux/cpu.h> >>>> +#include <linux/module.h> >>>> +#include <linux/of.h> >>>> +#include <linux/of_fdt.h> >>>> +#include <linux/spinlock.h> >>>> +#include <linux/slab.h> >>>> +#include <linux/proc_fs.h> >>>> +#include <linux/configfs.h> >>>> +#include <linux/types.h> >>>> +#include <linux/stat.h> >>>> +#include <linux/limits.h> >>>> +#include <linux/file.h> >>>> +#include <linux/vmalloc.h> >>>> +#include <linux/firmware.h> >>>> + >>>> +#include "of_private.h" >>>> + >>>> +struct cfs_overlay_item { >>>> + struct config_item item; >>>> + >>>> + char path[PATH_MAX]; >>> >>> Hard coded maximum path length? >>> >>>> + >>>> + const struct firmware *fw; >>>> + struct device_node *overlay; >>>> + int ov_id; >>>> + >>>> + void *dtbo; >>>> + int dtbo_size; >>>> +}; >>>> + >>>> +static int create_overlay(struct cfs_overlay_item *overlay, void *blob) >>>> +{ >>>> + int err; >>>> + >>>> + /* unflatten the tree */ >>>> + of_fdt_unflatten_tree(blob, &overlay->overlay); >>>> + if (overlay->overlay == NULL) { >>>> + pr_err("%s: failed to unflatten tree\n", __func__); >>>> + err = -EINVAL; >>>> + goto out_err; >>>> + } >>>> + pr_debug("%s: unflattened OK\n", __func__); >>>> + >>>> + /* mark it as detached */ >>>> + of_node_set_flag(overlay->overlay, OF_DETACHED); >>>> + >>>> + /* perform resolution */ >>>> + err = of_resolve_phandles(overlay->overlay); >>>> + if (err != 0) { >>>> + pr_err("%s: Failed to resolve tree\n", __func__); >>>> + goto out_err; >>>> + } >>>> + pr_debug("%s: resolved OK\n", __func__); >>>> + >>>> + err = of_overlay_create(overlay->overlay); >>>> + if (err < 0) { >>>> + pr_err("%s: Failed to create overlay (err=%d)\n", >>>> + __func__, err); >>>> + goto out_err; >>>> + } >>>> + overlay->ov_id = err; >>>> + >>>> +out_err: >>>> + return err; >>>> +} >>>> + >>>> +static inline struct cfs_overlay_item *to_cfs_overlay_item( >>>> + struct config_item *item) >>>> +{ >>>> + return item ? container_of(item, struct cfs_overlay_item, item) : NULL; >>>> +} >>>> + >>>> +CONFIGFS_ATTR_STRUCT(cfs_overlay_item); >>>> +#define CFS_OVERLAY_ITEM_ATTR(_name, _mode, _show, _store) \ >>>> +struct cfs_overlay_item_attribute cfs_overlay_item_attr_##_name = \ >>>> + __CONFIGFS_ATTR(_name, _mode, _show, _store) >>>> +#define CFS_OVERLAY_ITEM_ATTR_RO(_name, _show) \ >>>> +struct cfs_overlay_item_attribute cfs_overlay_item_attr_##_name = \ >>>> + __CONFIGFS_ATTR_RO(_name, _show) >>>> + >>>> +CONFIGFS_BIN_ATTR_STRUCT(cfs_overlay_item); >>>> +#define CFS_OVERLAY_ITEM_BIN_ATTR(_name, _mode, _read, _write, _priv, _max) \ >>>> +struct cfs_overlay_item_bin_attribute cfs_overlay_item_bin_attr_##_name = \ >>>> + __CONFIGFS_BIN_ATTR(_name, _mode, _read, _write, _priv, _max) >>>> +#define CFS_OVERLAY_ITEM_BIN_ATTR_RO(_name, _read, _priv, _max) \ >>>> +struct cfs_overlay_item_bin_attribute cfs_overlay_item_bin_attr_##_name = \ >>>> + __CONFIGFS_BIN_ATTR_RO(_name, _read, _priv, _max) >>>> + >>>> +static ssize_t cfs_overlay_item_path_show(struct cfs_overlay_item *overlay, >>>> + char *page) >>>> +{ >>>> + return sprintf(page, "%s\n", overlay->path); >>>> +} >>>> + >>>> +static ssize_t cfs_overlay_item_path_store(struct cfs_overlay_item *overlay, >>>> + const char *page, size_t count) >>>> +{ >>>> + const char *p = page; >>>> + char *s; >>>> + int err; >>>> + >>>> + /* if it's set do not allow changes */ >>>> + if (overlay->path[0] != '\0' || overlay->dtbo_size > 0) >>>> + return -EPERM; >>>> + >>>> + /* copy to path buffer (and make sure it's always zero terminated */ >>>> + count = snprintf(overlay->path, sizeof(overlay->path) - 1, "%s", p); >>>> + overlay->path[sizeof(overlay->path) - 1] = '\0'; >>> >>> kmemdup perhaps to get rid of the hard coded path length? >>> >>>> + >>>> + /* strip trailing newlines */ >>>> + s = overlay->path + strlen(overlay->path); >>>> + while (s > overlay->path && *--s == '\n') >>>> + *s = '\0'; >>> >>> strchr() will find trailing \n's for you. >>> >>>> + >>>> + pr_debug("%s: path is '%s'\n", __func__, overlay->path); >>>> + >>>> + err = request_firmware(&overlay->fw, overlay->path, NULL); >>>> + if (err != 0) >>>> + goto out_err; >>>> + >>>> + err = create_overlay(overlay, (void *)overlay->fw->data); >>>> + if (err != 0) >>>> + goto out_err; >>>> + >>>> + return count; >>>> + >>>> +out_err: >>>> + >>>> + release_firmware(overlay->fw); >>>> + overlay->fw = NULL; >>>> + >>>> + overlay->path[0] = '\0'; >>>> + return err; >>>> +} >>>> + >>>> +static ssize_t cfs_overlay_item_status_show(struct cfs_overlay_item *overlay, >>>> + char *page) >>>> +{ >>>> + return sprintf(page, "%s\n", >>>> + overlay->ov_id >= 0 ? "applied" : "unapplied"); >>>> +} >>>> + >>>> +CFS_OVERLAY_ITEM_ATTR(path, S_IRUGO | S_IWUSR, >>>> + cfs_overlay_item_path_show, cfs_overlay_item_path_store); >>>> +CFS_OVERLAY_ITEM_ATTR_RO(status, cfs_overlay_item_status_show); >>>> + >>>> +static struct configfs_attribute *cfs_overlay_attrs[] = { >>>> + &cfs_overlay_item_attr_path.attr, >>>> + &cfs_overlay_item_attr_status.attr, >>>> + NULL, >>>> +}; >>>> + >>>> +ssize_t cfs_overlay_item_dtbo_read(struct cfs_overlay_item *overlay, >>>> + void *buf, size_t max_count) >>>> +{ >>>> + pr_debug("%s: buf=%p max_count=%u\n", __func__, >>>> + buf, max_count); >>>> + >>>> + if (overlay->dtbo == NULL) >>>> + return 0; >>>> + >>>> + /* copy if buffer provided */ >>>> + if (buf != NULL) { >>>> + /* the buffer must be large enough */ >>>> + if (overlay->dtbo_size > max_count) >>>> + return -ENOSPC; >>> >>> I've not dug into configfs code. Is it not possible to do a partial >>> read? >>> >>>> + >>>> + memcpy(buf, overlay->dtbo, overlay->dtbo_size); >>>> + } >>>> + >>>> + return overlay->dtbo_size; >>>> +} >>>> + >>>> +ssize_t cfs_overlay_item_dtbo_write(struct cfs_overlay_item *overlay, >>>> + const void *buf, size_t count) >>>> +{ >>>> + int err; >>>> + >>>> + /* if it's set do not allow changes */ >>>> + if (overlay->path[0] != '\0' || overlay->dtbo_size > 0) >>>> + return -EPERM; >>>> + >>>> + /* copy the contents */ >>>> + overlay->dtbo = kmemdup(buf, count, GFP_KERNEL); >>>> + if (overlay->dtbo == NULL) >>>> + return -ENOMEM; >>>> + >>>> + overlay->dtbo_size = count; >>>> + >>>> + err = create_overlay(overlay, overlay->dtbo); >>>> + if (err != 0) >>>> + goto out_err; >>>> + >>>> + return count; >>>> + >>>> +out_err: >>>> + kfree(overlay->dtbo); >>>> + overlay->dtbo = NULL; >>>> + overlay->dtbo_size = 0; >>>> + >>>> + return err; >>>> +} >>>> + >>>> +CFS_OVERLAY_ITEM_BIN_ATTR(dtbo, S_IRUGO | S_IWUSR, >>>> + cfs_overlay_item_dtbo_read, cfs_overlay_item_dtbo_write, >>>> + NULL, SZ_1M); >>>> + >>>> +static struct configfs_bin_attribute *cfs_overlay_bin_attrs[] = { >>>> + &cfs_overlay_item_bin_attr_dtbo.bin_attr, >>>> + NULL, >>>> +}; >>>> + >>>> +static void cfs_overlay_release(struct config_item *item) >>>> +{ >>>> + struct cfs_overlay_item *overlay = to_cfs_overlay_item(item); >>>> + >>>> + if (overlay->ov_id >= 0) >>>> + of_overlay_destroy(overlay->ov_id); >>>> + if (overlay->fw) >>>> + release_firmware(overlay->fw); >>>> + /* kfree with NULL is safe */ >>>> + kfree(overlay->dtbo); >>>> + kfree(overlay); >>>> +} >>>> + >>>> +CONFIGFS_ATTR_OPS(cfs_overlay_item); >>>> +CONFIGFS_BIN_ATTR_OPS(cfs_overlay_item); >>>> +static struct configfs_item_operations cfs_overlay_item_ops = { >>>> + .release = cfs_overlay_release, >>>> + .show_attribute = cfs_overlay_item_attr_show, >>>> + .store_attribute = cfs_overlay_item_attr_store, >>>> + .read_bin_attribute = cfs_overlay_item_bin_attr_read, >>>> + .write_bin_attribute = cfs_overlay_item_bin_attr_write, >>>> +}; >>>> + >>>> +static struct config_item_type cfs_overlay_type = { >>>> + .ct_item_ops = &cfs_overlay_item_ops, >>>> + .ct_attrs = cfs_overlay_attrs, >>>> + .ct_bin_attrs = cfs_overlay_bin_attrs, >>>> + .ct_owner = THIS_MODULE, >>>> +}; >>>> + >>>> +static struct config_item *cfs_overlay_group_make_item( >>>> + struct config_group *group, const char *name) >>>> +{ >>>> + struct cfs_overlay_item *overlay; >>>> + >>>> + overlay = kzalloc(sizeof(*overlay), GFP_KERNEL); >>>> + if (!overlay) >>>> + return ERR_PTR(-ENOMEM); >>>> + overlay->ov_id = -1; >>>> + >>>> + config_item_init_type_name(&overlay->item, name, &cfs_overlay_type); >>>> + return &overlay->item; >>>> +} >>>> + >>>> +static void cfs_overlay_group_drop_item(struct config_group *group, >>>> + struct config_item *item) >>>> +{ >>>> + struct cfs_overlay_item *overlay = to_cfs_overlay_item(item); >>>> + >>>> + config_item_put(&overlay->item); >>>> +} >>>> + >>>> +static struct configfs_group_operations overlays_ops = { >>>> + .make_item = cfs_overlay_group_make_item, >>>> + .drop_item = cfs_overlay_group_drop_item, >>>> +}; >>>> + >>>> +static struct config_item_type overlays_type = { >>>> + .ct_group_ops = &overlays_ops, >>>> + .ct_owner = THIS_MODULE, >>>> +}; >>>> + >>>> +static struct configfs_group_operations of_cfs_ops = { >>>> + /* empty - we don't allow anything to be created */ >>>> +}; >>>> + >>>> +static struct config_item_type of_cfs_type = { >>>> + .ct_group_ops = &of_cfs_ops, >>>> + .ct_owner = THIS_MODULE, >>>> +}; >>>> + >>>> +struct config_group of_cfs_overlay_group; >>>> + >>>> +struct config_group *of_cfs_def_groups[] = { >>>> + &of_cfs_overlay_group, >>>> + NULL >>>> +}; >>>> + >>>> +static struct configfs_subsystem of_cfs_subsys = { >>>> + .su_group = { >>>> + .cg_item = { >>>> + .ci_namebuf = "device-tree", >>>> + .ci_type = &of_cfs_type, >>>> + }, >>>> + .default_groups = of_cfs_def_groups, >>>> + }, >>>> + .su_mutex = __MUTEX_INITIALIZER(of_cfs_subsys.su_mutex), >>>> +}; >>>> + >>>> +static int __init of_cfs_init(void) >>>> +{ >>>> + int ret; >>>> + >>>> + pr_info("%s\n", __func__); >>>> + >>>> + config_group_init(&of_cfs_subsys.su_group); >>>> + config_group_init_type_name(&of_cfs_overlay_group, "overlays", >>>> + &overlays_type); >>>> + >>>> + ret = configfs_register_subsystem(&of_cfs_subsys); >>>> + if (ret != 0) { >>>> + pr_err("%s: failed to register subsys\n", __func__); >>>> + goto out; >>>> + } >>>> + pr_info("%s: OK\n", __func__); >>>> +out: >>>> + return ret; >>>> +} >>>> +late_initcall(of_cfs_init); >>>> -- >>>> 1.7.12 >>>> >>> >> >> >> >> -- >> Kees Cook >> Chrome OS Security >> -- >> To unsubscribe from this list: send the line "unsubscribe devicetree" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html > -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe devicetree" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html