[PATCH 0/3] Add lockdown mode

Kevin Lampis posted 3 patches 7 months, 1 week ago
Patches applied successfully
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250512195628.1728455-1-kevin.lampis@cloud.com
There is a newer version of this series
[PATCH 0/3] Add lockdown mode
Posted by Kevin Lampis 7 months, 1 week ago
The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.

Ross Lagerwall (2):
  efi: Add a function to check if Secure Boot mode is enabled
  Add lockdown mode

Kevin Lampis (1):
  Disallow most command-line options when lockdown mode is enabled

 xen/arch/arm/domain_build.c           |  4 +--
 xen/arch/x86/acpi/cpu_idle.c          |  2 +-
 xen/arch/x86/cpu/amd.c                |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
 xen/arch/x86/cpu/microcode/core.c     |  2 +-
 xen/arch/x86/dom0_build.c             |  4 +--
 xen/arch/x86/hvm/hvm.c                |  2 +-
 xen/arch/x86/irq.c                    |  2 +-
 xen/arch/x86/nmi.c                    |  2 +-
 xen/arch/x86/setup.c                  |  3 +-
 xen/arch/x86/traps.c                  |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
 xen/common/Kconfig                    |  8 +++++
 xen/common/Makefile                   |  1 +
 xen/common/domain.c                   |  2 +-
 xen/common/efi/boot.c                 | 23 ++++++++++++
 xen/common/efi/runtime.c              |  3 ++
 xen/common/kernel.c                   | 13 ++++++-
 xen/common/kexec.c                    |  2 +-
 xen/common/lockdown.c                 | 52 +++++++++++++++++++++++++++
 xen/common/numa.c                     |  2 +-
 xen/common/page_alloc.c               |  2 +-
 xen/common/shutdown.c                 |  2 +-
 xen/drivers/char/console.c            |  2 +-
 xen/drivers/char/ns16550.c            |  4 +--
 xen/drivers/video/vga.c               |  2 +-
 xen/include/xen/efi.h                 |  6 ++++
 xen/include/xen/lockdown.h            |  9 +++++
 xen/include/xen/param.h               | 49 +++++++++++++++++++------
 29 files changed, 176 insertions(+), 35 deletions(-)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

-- 
2.42.0
Re: [PATCH 0/3] Add lockdown mode
Posted by Jan Beulich 7 months, 1 week ago
On 12.05.2025 21:56, Kevin Lampis wrote:
> The intention of lockdown mode is to prevent attacks from a rogue dom0
> userspace from compromising the system. Lockdown mode can be controlled by a
> Kconfig option and a command-line parameter. It is also enabled automatically
> when Secure Boot is enabled and it cannot be disabled in that case.
> 
> Ross Lagerwall (2):
>   efi: Add a function to check if Secure Boot mode is enabled
>   Add lockdown mode
> 
> Kevin Lampis (1):
>   Disallow most command-line options when lockdown mode is enabled

This looks to be a plain re-posting, without addressing comments already
given. For my part, I'm not going to repeat them on this (now properly
threaded) re-submission.

Jan
Re: [PATCH 0/3] Add lockdown mode
Posted by Kevin Lampis 7 months, 1 week ago
On Mon, May 12, 2025 at 11:41 AM Jan Beulich <jbeulich@suse.com> wrote:
>
> You want to go into more detail here, specifically to describe the criteria
> of "specifically safe". The command line doc may also want updating.

I do not have a quick answer for you; please bear with me.