On 8/30/2021 1:59 PM, Michael S. Tsirkin wrote:
Or we can add _audited to the name. ioremap_shared_audited?
But it's not the mapping that has to be handled in a special way.
It's any data we get from the device, and not all of it comes from IO, e.g.
there's DMA and interrupts that all have to be validated.
Wouldn't you say that what is really wanted is just not running
unaudited drivers in the first place?
Yes.
And we've been avoiding letting drivers self-declare auditing; we've been
trying to have a separate centralized list so that it's easier to enforce
and avoids any cut'n'paste mistakes.
-Andi
Now I'm confused. What is proposed here seems to be basically that,
drivers need to declare auditing by replacing ioremap with
ioremap_shared.
Auditing is declared on the device model level using a central allow list.
But this cannot do anything about initcalls that run before probe, that's
why an extra level of defense of ioremap opt-in is useful. But it's not
the primary mechanism to declare a driver audited, that's the allow
list. The ioremap is just another mechanism to avoid having to touch a
lot of legacy drivers.
If we agree on that then the original proposed semantics of
"ioremap_shared" may be acceptable?
-Andi
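The two gates Andi describes above, the central allow list checked at probe and the ioremap opt-in that still covers initcalls which run before any probe, as a small userspace model. This is an added illustration, not Linux code and not from the patch series under discussion: the device IDs, the `model_ioremap`/`model_ioremap_shared` names and the rule that a read through a private mapping is refused with -1 are all assumptions of the model.

```c
/*
 * Userspace model of the two-layer gating discussed in the thread.
 * Constructed for illustration only; none of this is kernel code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct dev_id { uint16_t vendor, device; };

/* Gate 1: central allow list of audited device models (constructed IDs). */
static const struct dev_id audited_devices[] = {
    { 0x1af4, 0x1041 },   /* constructed entry standing in for an audited device */
    { 0x1af4, 0x1042 },   /* constructed entry */
};

static bool device_is_audited(struct dev_id id)
{
    for (size_t i = 0; i < sizeof audited_devices / sizeof audited_devices[0]; i++)
        if (audited_devices[i].vendor == id.vendor &&
            audited_devices[i].device == id.device)
            return true;
    return false;
}

/* Gate 2: a mapping is private unless the caller explicitly opts in. */
enum map_kind { MAP_PRIVATE, MAP_SHARED };

struct mapping { enum map_kind kind; uint64_t phys; size_t len; };

/* Plain ioremap: default stays private, no host visibility. */
static struct mapping model_ioremap(uint64_t phys, size_t len)
{
    return (struct mapping){ MAP_PRIVATE, phys, len };
}

/* Opt-in variant: the caller declares it can handle host-controlled data. */
static struct mapping model_ioremap_shared(uint64_t phys, size_t len)
{
    return (struct mapping){ MAP_SHARED, phys, len };
}

/*
 * A host-controlled device register. In this model a read through a
 * private mapping is refused (-1) and only a shared mapping lets the
 * host-supplied value reach the driver. The -1 is an assumption standing
 * in for whatever the guest kernel does on a rejected access.
 */
static int64_t read_reg(const struct mapping *m, uint32_t host_supplied)
{
    if (m->kind != MAP_SHARED)
        return -1;
    return host_supplied;
}

/* Probe path: the allow list is the primary gate; bind only audited models. */
static int64_t probe_driver(struct dev_id id, uint32_t host_supplied)
{
    if (!device_is_audited(id))
        return -1;
    struct mapping m = model_ioremap_shared(0xfebc0000, 0x1000); /* constructed address */
    return read_reg(&m, host_supplied);
}

/*
 * Initcall path: runs before any probe, so the allow list never sees it.
 * A legacy driver that still calls plain ioremap gets a private mapping and
 * its read is refused: the opt-in is the second line of defense.
 */
static int64_t legacy_initcall(uint32_t host_supplied)
{
    struct mapping m = model_ioremap(0xfebc0000, 0x1000); /* constructed address */
    return read_reg(&m, host_supplied);
}

int main(void)
{
    struct dev_id audited = { 0x1af4, 0x1041 };
    struct dev_id unknown = { 0x1234, 0x5678 };
    printf("audited probe:   %lld\n", (long long)probe_driver(audited, 0xdead));
    printf("unaudited probe: %lld\n", (long long)probe_driver(unknown, 0xdead));
    printf("legacy initcall: %lld\n", (long long)legacy_initcall(0xdead));
    return 0;
}
```

The model deliberately makes the allow list the decision point and the mapping type only a fallback: a driver cannot get host-visible data by self-declaring anything at probe time, and code that runs before probe is caught by the private-by-default mapping rather than by the list.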