Jason Gunthorpe wrote: > On Mon, Jul 15, 2024 at 10:21:48AM -0700, Kees Cook wrote: > > > Anyway, following the threat model, it doesn't seem like half measures > > make any sense. If the threat model is "we cannot trust bus members" and > > authentication is being used to establish trust, then anything else must > > be explicitly excluded. If this can only be done via the described > > firewalling, then that really does seem to be the right choice. > > There is supposed to be a state machine here, devices start up at VM > time 0 unable to DMA to secure guest memory under any conditions. This > property must be enforced by the trusted platform. > > Further the trusted plaform is supposed to prevent "replacement" > attacks, so once the VM says it trusts a device it cannot be replaced > with something else. > > When the guest decides it would like the device to reach secure memory > the trusted platform is part of making that happen. > > From a kernel and lifecycle perspective we need a bunch of new options > for PCI devices that should be triggered after userspace has had a > look at the device. > > - A device is just forbidden from anything using it > - A device used only with untrusted memory > - A device is usable with trusted memory > > IMHO this determination needs to be made before the device driver is > bound. Yes, and it depends on the device. Some devices should be filtered early, some devices need to be operated against untrusted memory just to get to the point where they can complete the acceptance flow into the TCB. The motivation for the security policy is "there is trusted memory to protect". Absent trusted memory, the status quo for the device-driver model applies. > The kernel will self-accept a bunch of platform devices, but something > like the boot volume's device will need something to go look and > approve it. > > Today the kernel self-approves untrusted devices, but this is perhaps > not a great idea in the long run. Right, I think the capability to "forbid devices to protect trusted memory" can one day be deployed in the absence of any trusted memory to protect. I am just not convinced that needs to be the task on day1 to assert "mere authentication exists, all devices are malicious now even in the absence of trusted memory".
