On Wed, 17 Jun 2020 at 00:21, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > Hi Rafael, Len, > > Looks like I should have CC'd you on this patch. This is probably > something we should get into 5.8-rc2, so that it can then get put into > stable kernels, as some people think this is security sensitive. > Bigger picture is this: > > https://data.zx2c4.com/american-unsigned-language-2.gif > https://data.zx2c4.com/american-unsigned-language-2-fedora-5.8.png > > Also, somebody mentioned to me that Microsoft's ACPI implementation > disallows writes to system memory as a security mitigation. I haven't > looked at what that actually entails, but I wonder if entirely > disabling support for ACPI_ADR_SPACE_SYSTEM_MEMORY would be sensible. > I haven't looked at too many DSDTs. Would that break real hardware, or > does nobody do that? Alternatively, the range of acceptable addresses > for SystemMemory could exclude kernel memory. Would that break > anything? Have you heard about Microsoft's mitigation to know more > details on what they figured out they could safely restrict without > breaking hardware? Either way, food for thought I suppose. > ACPI_ADR_SPACE_SYSTEM_MEMORY may be used for everything that is memory mapped, i.e., PCIe ECAM space, GPIO control registers etc. I agree that using ACPI_ADR_SPACE_SYSTEM_MEMORY for any memory that is under the kernel's control is a bad idea, and this should be easy to filter out: the SystemMemory address space handler needs the ACPI support routines to map the physical addresses used by AML into virtual kernel addresses, so all these accesses go through acpi_os_ioremap(). So as a first step, it should be reasonable to put a lockdown check there, and fail any access to OS owned memory if lockdown is enabled, and print a warning if it is not.