Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

Alexei Starovoitov wrote: > > TBH, I've no idea how bpf does anything, so I can't say whether this is > > better, overkill or insufficient. > > ok. To make it clear: > Nacked-by: Alexei Starovoitov > For the current patch. > Unnecessary checks for

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

On Mon, Oct 23, 2017 at 03:53:00PM +0100, David Howells wrote: > j...@suse.com wrote: > > > hm... patch 4 only prevents write_mem() but not read_mem(). > > Or I missed anything? > > Actually, yes, as it happens, patch 11 prevents you from even opening /dev/mem > and /dev/kmem by locking down

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

j...@suse.com wrote: > hm... patch 4 only prevents write_mem() but not read_mem(). > Or I missed anything? Actually, yes, as it happens, patch 11 prevents you from even opening /dev/mem and /dev/kmem by locking down open of /dev/port. So I've moved this bit to patch 4, simplified and posted a

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

On Fri, Oct 20, 2017 at 05:03:22PM +0100, David Howells wrote: > j...@suse.com wrote: > > > I think that we don't need to lock down sys_bpf() now because > > we didn't lock down other interfaces for reading arbitrary > > address like /dev/mem and /dev/kmem. > > Ummm... See patch 4. You even

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

j...@suse.com wrote: > I think that we don't need to lock down sys_bpf() now because > we didn't lock down other interfaces for reading arbitrary > address like /dev/mem and /dev/kmem. Ummm... See patch 4. You even gave me a Reviewed-by for it ;-) David -- To unsubscribe from this list: send

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

On Fri, Oct 20, 2017 at 09:08:48AM +0100, David Howells wrote: > Hi Joey, > > Should I just lock down sys_bpf() entirely for now? We can always free it up > somewhat later. > > David OK~~ Please just remove my patch until we find out a way to verify bpf code or protect sensitive data in

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

Hi Joey, Should I just lock down sys_bpf() entirely for now? We can always free it up somewhat later. David -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

On Thu, Oct 19, 2017 at 11:48:34PM +0100, David Howells wrote: > Alexei Starovoitov wrote: > > > > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, > > > const void *, unsafe_ptr) > > > { > > > int ret; > > > > > > + if

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

Alexei Starovoitov wrote: > > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const > > void *, unsafe_ptr) > > { > > int ret; > > > > + if (kernel_is_locked_down("BPF")) { > > + memset(dst, 0, size); > > + return

Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down

On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation