On Tue, Jun 9, 2020 at 6:34 PM Oliver O'Halloran <oohall@xxxxxxxxx> wrote: > > On Wed, Jun 10, 2020 at 7:04 AM Bjorn Helgaas <helgaas@xxxxxxxxxx> wrote: > > > > To sketch this out, my understanding of how this would work is: > > > > - Expose the PCI pdev->untrusted bit in sysfs. We don't expose this > > today, but doing so would be trivial. I think I would prefer a > > sysfs name like "external" so it's more descriptive and less of a > > judgment. > > > > This comes from either the DT "external-facing" property or the > > ACPI "ExternalFacingPort" property. > > I don't think internal / external is the right distinction to be > making. We have a similar trust issue with the BMC in servers even > though they're internal devices. They're typically network accessible > and infrequently updated so treating them as trustworthy isn't a great > idea. We have been slowly de-privileging the BMC over the last few > years, but the PCIe interface isn't locked down enough for my liking > since the SoCs we use do allow software to set the VDID and perform > arbitrary DMAs (thankfully limited to 32bit). If we're going to add in > infrastructure for handling possibly untrustworthy PCI devices then > I'd like to use that for BMCs too. > > > - All devices present at boot are enumerated. Any statically built > > drivers will bind to them before any userspace code runs. > > > > If you want to keep statically built drivers from binding, you'd > > need to invent some mechanism so pci_driver_init() could clear > > drivers_autoprobe after registering pci_bus_type. > > > > - Early userspace code prevents modular drivers from automatically > > binding to PCI devices: > > > > echo 0 > /sys/bus/pci/drivers_autoprobe > > > > This prevents modular drivers from binding to all devices, whether > > present at boot or hot-added. > > I don't see why this is preferable to just disabling autoprobe for > untrusted devices. That would dovetail nicely with Rajat's whitelist > idea if we want to go down that route and I think we might want to. > The BMC usually provides some form of VGA console and we'd like that > to continue working out-of-the-box without too much user (or distro) > intervention. I wouldn't mind introducing a kernel parameter to disable auto-probing of untrusted devices if there is a wider agreement here. The only notch is that in my opinion, if present, that parameter should disable auto-probing for "external" devices only (i.e. "external-facing" devices should still be auto-probed). Thanks, Rajat > > Oliver
