[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [arm64] secure boot breach via VFIO_NOIOMMU

On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
>Hi,
>
>On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
>> Hi
>> 
>> Over six years ago, support for VFIO without IOMMU was enabled for
>> arm64.  This is a breach of the integrity lockdown requirement of secure
>> boot.
>> 
>> VFIO is a framework for handle devices in userspace.  To make
>> this safe, an IOMMU is required by default.  Without it, user space can
>> write everywhere in memory.  The code is still not conditional on
>> lockdown, even if a patch was proposed.
>> 
>> I intend to disable this option for all supported kernels.

Definitely.

>Agreed. 
>
>For the readers reading this along, this was raised in context of
>https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
>and https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464 
>
>The proposed patch felt probably trough the cracks.

Nod.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
The two hard things in computing:
 * naming things
 * cache invalidation
 * off-by-one errors                  -- Stig Sandbeck Mathisen
Reply to: