1. Patchew
  2. Xen
  3. View series

[PATCH 0/4] Add lockdown mode

Kevin Lampis posted 4 patches 5 months, 3 weeks ago
Only 1 patches received!
There is a newer version of this series
xen/arch/arm/domain_build.c           |  4 +--
xen/arch/x86/acpi/cpu_idle.c          |  2 +-
xen/arch/x86/cpu/amd.c                |  2 +-
xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
xen/arch/x86/cpu/microcode/core.c     |  2 +-
xen/arch/x86/dom0_build.c             |  4 +--
xen/arch/x86/hvm/hvm.c                |  2 +-
xen/arch/x86/irq.c                    |  2 +-
xen/arch/x86/nmi.c                    |  2 +-
xen/arch/x86/setup.c                  |  3 +-
xen/arch/x86/traps.c                  |  2 +-
xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
xen/common/Kconfig                    |  8 +++++
xen/common/Makefile                   |  1 +
xen/common/domain.c                   |  2 +-
xen/common/efi/boot.c                 | 23 ++++++++++++
xen/common/efi/runtime.c              |  3 ++
xen/common/kernel.c                   | 13 ++++++-
xen/common/kexec.c                    |  2 +-
xen/common/lockdown.c                 | 52 +++++++++++++++++++++++++++
xen/common/numa.c                     |  2 +-
xen/common/page_alloc.c               |  2 +-
xen/common/shutdown.c                 |  2 +-
xen/drivers/char/console.c            |  2 +-
xen/drivers/char/ns16550.c            |  4 +--
xen/drivers/video/vga.c               |  2 +-
xen/include/xen/efi.h                 |  6 ++++
xen/include/xen/lockdown.h            |  9 +++++
xen/include/xen/param.h               | 49 +++++++++++++++++++------
xen/include/xen/string.h              |  1 +
xen/lib/Makefile                      |  1 +
xen/lib/strcspn.c                     | 22 ++++++++++++
32 files changed, 200 insertions(+), 35 deletions(-)
create mode 100644 xen/common/lockdown.c
create mode 100644 xen/include/xen/lockdown.h
create mode 100644 xen/lib/strcspn.c
[PATCH 0/4] Add lockdown mode
Posted by Kevin Lampis 5 months, 3 weeks ago 
Add lockdown mode

The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.

Ross Lagerwall (3):
  lib: Add strcspn function
  efi: Add a function to check if Secure Boot mode is enabled
  Add lockdown mode

Kevin Lampis (1):
  Disallow most command-line options when lockdown mode is enabled

 xen/arch/arm/domain_build.c           |  4 +--
 xen/arch/x86/acpi/cpu_idle.c          |  2 +-
 xen/arch/x86/cpu/amd.c                |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
 xen/arch/x86/cpu/microcode/core.c     |  2 +-
 xen/arch/x86/dom0_build.c             |  4 +--
 xen/arch/x86/hvm/hvm.c                |  2 +-
 xen/arch/x86/irq.c                    |  2 +-
 xen/arch/x86/nmi.c                    |  2 +-
 xen/arch/x86/setup.c                  |  3 +-
 xen/arch/x86/traps.c                  |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
 xen/common/Kconfig                    |  8 +++++
 xen/common/Makefile                   |  1 +
 xen/common/domain.c                   |  2 +-
 xen/common/efi/boot.c                 | 23 ++++++++++++
 xen/common/efi/runtime.c              |  3 ++
 xen/common/kernel.c                   | 13 ++++++-
 xen/common/kexec.c                    |  2 +-
 xen/common/lockdown.c                 | 52 +++++++++++++++++++++++++++
 xen/common/numa.c                     |  2 +-
 xen/common/page_alloc.c               |  2 +-
 xen/common/shutdown.c                 |  2 +-
 xen/drivers/char/console.c            |  2 +-
 xen/drivers/char/ns16550.c            |  4 +--
 xen/drivers/video/vga.c               |  2 +-
 xen/include/xen/efi.h                 |  6 ++++
 xen/include/xen/lockdown.h            |  9 +++++
 xen/include/xen/param.h               | 49 +++++++++++++++++++------
 xen/include/xen/string.h              |  1 +
 xen/lib/Makefile                      |  1 +
 xen/lib/strcspn.c                     | 22 ++++++++++++
 32 files changed, 200 insertions(+), 35 deletions(-)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h
 create mode 100644 xen/lib/strcspn.c

-- 
2.42.0
Re: [PATCH 0/4] Add lockdown mode
Posted by Jan Beulich 5 months, 3 weeks ago 
On 06.05.2025 18:23, Kevin Lampis wrote:
> Add lockdown mode
> 
> The intention of lockdown mode is to prevent attacks from a rogue dom0
> userspace from compromising the system. Lockdown mode can be controlled by a
> Kconfig option and a command-line parameter. It is also enabled automatically
> when Secure Boot is enabled and it cannot be disabled in that case.
> 
> Ross Lagerwall (3):
>   lib: Add strcspn function
>   efi: Add a function to check if Secure Boot mode is enabled
>   Add lockdown mode
> 
> Kevin Lampis (1):
>   Disallow most command-line options when lockdown mode is enabled

Returning from vacation, this series is a mess in my inbox (and also on
https://lists.xen.org/archives/html/xen-devel/2025-05/threads.html): Only
patch 4 is properly threaded. Please can you see about adjusting your
mail configuration?

Jan
Re: [PATCH 0/4] Add lockdown mode
Posted by Andrew Cooper 5 months, 3 weeks ago 
On 12/05/2025 11:27 am, Jan Beulich wrote:
> On 06.05.2025 18:23, Kevin Lampis wrote:
>> Add lockdown mode
>>
>> The intention of lockdown mode is to prevent attacks from a rogue dom0
>> userspace from compromising the system. Lockdown mode can be controlled by a
>> Kconfig option and a command-line parameter. It is also enabled automatically
>> when Secure Boot is enabled and it cannot be disabled in that case.
>>
>> Ross Lagerwall (3):
>>   lib: Add strcspn function
>>   efi: Add a function to check if Secure Boot mode is enabled
>>   Add lockdown mode
>>
>> Kevin Lampis (1):
>>   Disallow most command-line options when lockdown mode is enabled
> Returning from vacation, this series is a mess in my inbox (and also on
> https://lists.xen.org/archives/html/xen-devel/2025-05/threads.html): Only
> patch 4 is properly threaded. Please can you see about adjusting your
> mail configuration?

We had corporate mail problems last week, which was interfering with
posting patches.  It's hopefully been resolved now.

Kevin: It will be best to resend the series in full.

~Andrew
Re: [PATCH 0/4] Add lockdown mode
Posted by Kevin Lampis 5 months, 3 weeks ago 
On Mon, May 12, 2025 at 12:51 PM Andrew Cooper
<andrew.cooper3@citrix.com> wrote:
>
> Kevin: It will be best to resend the series in full.

Ok.
Re: [PATCH 0/4] Add lockdown mode
Posted by Teddy Astie 5 months, 3 weeks ago 
Hello Kevin,

> The intention of lockdown mode is to prevent attacks from a rogue dom0
> userspace from compromising the system.

Do we consider Dom0 kernel-space as well (thus Dom0 as a whole), or only 
userland, what about privcmd device (which can issue hypercalls) ?

Teddy


Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.