Re: [arm64] secure boot breach via VFIO_NOIOMMU
On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
>Hi,
>
>On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
>> Hi
>>
>> Over six years ago, support for VFIO without IOMMU was enabled for
>> arm64. This is a breach of the integrity lockdown requirement of secure
>> boot.
>>
>> VFIO is a framework for handle devices in userspace. To make
>> this safe, an IOMMU is required by default. Without it, user space can
>> write everywhere in memory. The code is still not conditional on
>> lockdown, even if a patch was proposed.
>>
>> I intend to disable this option for all supported kernels.
Definitely.
>Agreed.
>
>For the readers reading this along, this was raised in context of
>https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
>and https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464
>
>The proposed patch felt probably trough the cracks.
Nod.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
The two hard things in computing:
* naming things
* cache invalidation
* off-by-one errors -- Stig Sandbeck Mathisen
Reply to: