On Wed, Jun 17, 2020 at 2:38 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Wed, 17 Jun 2020 at 00:21, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > > > Hi Rafael, Len, > > > > Looks like I should have CC'd you on this patch. This is probably > > something we should get into 5.8-rc2, so that it can then get put into > > stable kernels, as some people think this is security sensitive. > > Bigger picture is this: > > > > https://data.zx2c4.com/american-unsigned-language-2.gif > > https://data.zx2c4.com/american-unsigned-language-2-fedora-5.8.png > > > > Also, somebody mentioned to me that Microsoft's ACPI implementation > > disallows writes to system memory as a security mitigation. I haven't > > looked at what that actually entails, but I wonder if entirely > > disabling support for ACPI_ADR_SPACE_SYSTEM_MEMORY would be sensible. > > I haven't looked at too many DSDTs. Would that break real hardware, or > > does nobody do that? Alternatively, the range of acceptable addresses > > for SystemMemory could exclude kernel memory. Would that break > > anything? Have you heard about Microsoft's mitigation to know more > > details on what they figured out they could safely restrict without > > breaking hardware? Either way, food for thought I suppose. > > > > ACPI_ADR_SPACE_SYSTEM_MEMORY may be used for everything that is memory > mapped, i.e., PCIe ECAM space, GPIO control registers etc. > > I agree that using ACPI_ADR_SPACE_SYSTEM_MEMORY for any memory that is > under the kernel's control is a bad idea, and this should be easy to > filter out: the SystemMemory address space handler needs the ACPI > support routines to map the physical addresses used by AML into > virtual kernel addresses, so all these accesses go through > acpi_os_ioremap(). So as a first step, it should be reasonable to put > a lockdown check there, and fail any access to OS owned memory if > lockdown is enabled, and print a warning if it is not. Makes sense. Though I was thinking of doing this unconditionally, not just for lockdown, as a "realer" security mitigation (hence CCing kernel-hardening), against bugs that manage to mess with acpi things. A second mitigation might be marking inmemory acpi bytecode pages as read only.
