On Thu, May 06, 2021 at 11:18:59AM +0200, Maxime Coquelin wrote:
> When no-IOMMU mode is enabled, VFIO is as unsafe as accessing
> the PCI BARs via the device's sysfs, which is locked down when
> the kernel is locked down.
>
> Indeed, it is possible for an attacker to craft DMA requests
> to modify kernel's code or leak secrets stored in the kernel,
> since the device is not isolated by an IOMMU.
>
> This patch introduces a new integrity lockdown reason for the
> unsafe VFIO no-iommu mode.
>
> Signed-off-by: Maxime Coquelin <maxime.coquelin@xxxxxxxxxx>
> ---
> drivers/vfio/vfio.c | 13 +++++++++----
> include/linux/security.h | 1 +
> security/security.c | 1 +
> 3 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 5e631c359ef2..fe466d6ea5d8 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -25,6 +25,7 @@
> #include <linux/pci.h>
> #include <linux/rwsem.h>
> #include <linux/sched.h>
> +#include <linux/security.h>
> #include <linux/slab.h>
> #include <linux/stat.h>
> #include <linux/string.h>
> @@ -165,7 +166,8 @@ static void *vfio_noiommu_open(unsigned long arg)
> {
> if (arg != VFIO_NOIOMMU_IOMMU)
> return ERR_PTR(-EINVAL);
> - if (!capable(CAP_SYS_RAWIO))
> + if (!capable(CAP_SYS_RAWIO) ||
> + security_locked_down(LOCKDOWN_VFIO_NOIOMMU))
The LSM hook check should come before the capable() check to avoid
setting PF_SUPERPRIV if capable() passes and the LSM doesn't.
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 06f7c50ce77f..f29388180fab 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -120,6 +120,7 @@ enum lockdown_reason {
> LOCKDOWN_MMIOTRACE,
> LOCKDOWN_DEBUGFS,
> LOCKDOWN_XMON_WR,
> + LOCKDOWN_VFIO_NOIOMMU,
> LOCKDOWN_INTEGRITY_MAX,
> LOCKDOWN_KCORE,
> LOCKDOWN_KPROBES,
Is the security threat specific to VFIO? (i.e. could other interfaces
want a similar thing, such that naming this VFIO doesn't make sense?
--
Kees Cook
