From: Ross Lagerwall <ross.lagerwall@citrix.com>
The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Kevin Lampis <kevin.lampis@cloud.com>
---
xen/arch/x86/setup.c | 1 +
xen/common/Kconfig | 8 ++++++
xen/common/Makefile | 1 +
xen/common/kernel.c | 3 +++
xen/common/lockdown.c | 52 ++++++++++++++++++++++++++++++++++++++
xen/include/xen/lockdown.h | 9 +++++++
6 files changed, 74 insertions(+)
create mode 100644 xen/common/lockdown.c
create mode 100644 xen/include/xen/lockdown.h
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 2518954124..276957c4ed 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -15,6 +15,7 @@
#include <xen/kexec.h>
#include <xen/keyhandler.h>
#include <xen/lib.h>
+#include <xen/lockdown.h>
#include <xen/multiboot.h>
#include <xen/nodemask.h>
#include <xen/numa.h>
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index bf7b081ad0..42b2e4e869 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -565,4 +565,12 @@ config BUDDY_ALLOCATOR_SIZE
Amount of memory reserved for the buddy allocator to serve Xen heap,
working alongside the colored one.
+config LOCKDOWN_DEFAULT
+ bool "Enable lockdown mode by default"
+ default n
+ help
+ Lockdown mode prevents attacks from a rogue dom0 userspace from
+ compromising the system. This is automatically enabled when Secure
+ Boot is enabled.
+
endmenu
diff --git a/xen/common/Makefile b/xen/common/Makefile
index 98f0873056..b00a8a925a 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) += kexec.o
obj-$(CONFIG_KEXEC) += kimage.o
obj-$(CONFIG_LIVEPATCH) += livepatch.o livepatch_elf.o
obj-$(CONFIG_LLC_COLORING) += llc-coloring.o
+obj-y += lockdown.o
obj-$(CONFIG_VM_EVENT) += mem_access.o
obj-y += memory.o
obj-y += multicall.o
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 8b63ca55f1..6658db9514 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline)
*/
void __init cmdline_parse(const char *cmdline)
{
+ /* Call this early since it affects command-line parsing */
+ lockdown_init(cmdline);
+
if ( opt_builtin_cmdline[0] )
{
printk("Built-in command line: %s\n", opt_builtin_cmdline);
diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
new file mode 100644
index 0000000000..935911dfd0
--- /dev/null
+++ b/xen/common/lockdown.c
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <xen/efi.h>
+#include <xen/kernel.h>
+#include <xen/lockdown.h>
+#include <xen/param.h>
+#include <xen/string.h>
+
+static bool __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT);
+ignore_param("lockdown");
+
+bool is_locked_down(void)
+{
+ return lockdown;
+}
+
+void __init lockdown_init(const char *cmdline)
+{
+ if ( efi_secure_boot )
+ {
+ printk("Enabling lockdown mode because Secure Boot is enabled\n");
+ lockdown = true;
+ }
+ else
+ {
+ while ( *cmdline )
+ {
+ size_t param_len, name_len;
+ int ret;
+
+ cmdline += strspn(cmdline, " \n\r\t");
+ param_len = strcspn(cmdline, " \n\r\t");
+ name_len = strcspn(cmdline, "= \n\r\t");
+
+ if ( !strncmp(cmdline, "lockdown", max(name_len, strlen("lockdown"))) ||
+ !strncmp(cmdline, "no-lockdown", max(name_len, strlen("no-lockdown"))) )
+ {
+ ret = parse_boolean("lockdown", cmdline, cmdline + param_len);
+ if ( ret >= 0 )
+ {
+ lockdown = ret;
+ printk("Lockdown mode set from command-line\n");
+ break;
+ }
+ }
+
+ cmdline += param_len;
+ }
+ }
+
+ printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled");
+}
diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h
new file mode 100644
index 0000000000..b2baa31caa
--- /dev/null
+++ b/xen/include/xen/lockdown.h
@@ -0,0 +1,9 @@
+#ifndef XEN__LOCKDOWN_H
+#define XEN__LOCKDOWN_H
+
+#include <xen/types.h>
+
+bool is_locked_down(void);
+void lockdown_init(const char *cmdline);
+
+#endif /* XEN__LOCKDOWN_H */
--
2.42.0
From: Ross Lagerwall <ross.lagerwall@citrix.com>
The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.
If enabled from the command line, it must be the first parameter in the
list; otherwise Xen may process some insecure parameters before reaching
the lockdown parameter.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Kevin Lampis <kevin.lampis@cloud.com>
---
Changes in v2:
- Remove custom command line parsing
- Print warning if lockdown is not first on command line
---
xen/arch/x86/setup.c | 1 +
xen/common/Kconfig | 8 ++++++
xen/common/Makefile | 1 +
xen/common/kernel.c | 6 +++++
xen/common/lockdown.c | 54 ++++++++++++++++++++++++++++++++++++++
xen/include/xen/lockdown.h | 11 ++++++++
6 files changed, 81 insertions(+)
create mode 100644 xen/common/lockdown.c
create mode 100644 xen/include/xen/lockdown.h
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 2518954124..276957c4ed 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -15,6 +15,7 @@
#include <xen/kexec.h>
#include <xen/keyhandler.h>
#include <xen/lib.h>
+#include <xen/lockdown.h>
#include <xen/multiboot.h>
#include <xen/nodemask.h>
#include <xen/numa.h>
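Review bot: The added `#include <xen/lockdown.h>` has no user in this hunk, and the diffstat shows no other change to setup.c, so the include is dead in this patch. Presumably a later patch in the series calls `is_locked_down()` from setup.c; if so the include belongs in that patch, otherwise it should be dropped here.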
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 6d43be2e6e..c84073563f 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -576,4 +576,12 @@ config BUDDY_ALLOCATOR_SIZE
Amount of memory reserved for the buddy allocator to serve Xen heap,
working alongside the colored one.
+config LOCKDOWN_DEFAULT
+ bool "Enable lockdown mode by default"
+ default n
+ help
+ Lockdown mode prevents attacks from a rogue dom0 userspace from
+ compromising the system. This is automatically enabled when Secure
+ Boot is enabled.
+
endmenu
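Review bot: The help text leaves out the two facts a user choosing this option needs, both of which the commit message states: that the setting can be overridden with the `lockdown`/`no-lockdown` command-line option, and that the Secure Boot override cannot be turned off. Suggest something like `Lockdown mode limits what a rogue dom0 userspace can do to compromise the system. It can be overridden with the lockdown= command-line option, except when Secure Boot is enabled, in which case it is always on.` `default n` is already the implicit default for a bool and can be dropped. The diffstat also shows no update to the command-line option documentation for the new `lockdown` parameter.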
diff --git a/xen/common/Makefile b/xen/common/Makefile
index 98f0873056..b00a8a925a 100644
--- a/xen/common/Makefile
+++ b/xen/common/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) += kexec.o
obj-$(CONFIG_KEXEC) += kimage.o
obj-$(CONFIG_LIVEPATCH) += livepatch.o livepatch_elf.o
obj-$(CONFIG_LLC_COLORING) += llc-coloring.o
+obj-y += lockdown.o
obj-$(CONFIG_VM_EVENT) += mem_access.o
obj-y += memory.o
obj-y += multicall.o
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 8b63ca55f1..3538f467ad 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -199,6 +199,8 @@ static int parse_params(const char *cmdline, const struct kernel_param *start,
printk("parameter \"%s\" unknown!\n", key);
final_rc = -EINVAL;
}
+
+ lockdown_clear_first_flag();
}
return final_rc;
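Review bot: `lockdown_clear_first_flag()` is declared `__init` in lockdown.c, but `parse_params()` (whose header in the hunk context carries no `__init`) now calls it on every loop iteration; if `parse_params()` is reachable after boot, for example for runtime-settable parameters, that call would land in discarded init text, and the helper would also write to `lockdown`, which is `__ro_after_init`. Either the flag should live in a plain static variable with a non-`__init` helper, or the clearing should be confined to the boot-time path, e.g. done from `cmdline_parse()` around the `_cmdline_parse()` calls rather than inside the generic parser. The loop containing the new call starts outside the hunk.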
@@ -216,6 +218,9 @@ static void __init _cmdline_parse(const char *cmdline)
*/
void __init cmdline_parse(const char *cmdline)
{
+ /* Call this early since it affects command-line parsing */
+ lockdown_init(cmdline);
+
if ( opt_builtin_cmdline[0] )
{
printk("Built-in command line: %s\n", opt_builtin_cmdline);
@@ -227,6 +232,7 @@ void __init cmdline_parse(const char *cmdline)
return;
safe_strcpy(saved_cmdline, cmdline);
+ lockdown_set_first_flag();
_cmdline_parse(cmdline);
#endif
}
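Review bot: `lockdown_set_first_flag()` is only called immediately before `_cmdline_parse(cmdline)`, after the built-in command line has already been handled earlier in `cmdline_parse()` (the `opt_builtin_cmdline` path begins in the previous hunk and its parse call is outside this one). Presumably that path also goes through `parse_params()`, so a `lockdown` option placed first in the built-in command line would still trigger the "was not the first argument" warning in `parse_lockdown_opt()`, and parameters from the built-in command line are never covered by the first-argument check at all. If the built-in command line is considered trusted, that deserves a comment here; otherwise the flag should be set before the built-in parse as well, e.g. `lockdown_set_first_flag();` ahead of that call too.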
diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c
new file mode 100644
index 0000000000..cd3deeb63e
--- /dev/null
+++ b/xen/common/lockdown.c
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <xen/efi.h>
+#include <xen/lockdown.h>
+#include <xen/param.h>
+
+#define FIRST_ARG_FLAG 2
+
+static int __ro_after_init lockdown = IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT);
+
+void __init lockdown_set_first_flag(void)
+{
+ lockdown |= FIRST_ARG_FLAG;
+}
+
+void __init lockdown_clear_first_flag(void)
+{
+ lockdown &= ~FIRST_ARG_FLAG;
+}
+
+static int __init parse_lockdown_opt(const char *s)
+{
+ if ( strncmp("no", s, 2) == 0 )
+ if ( efi_secure_boot )
+ printk("lockdown can't be disabled because Xen booted in Secure Boot mode\n");
+ else
+ lockdown = 0;
+ else
+ {
+ if ( !(lockdown & FIRST_ARG_FLAG) )
+ printk("lockdown was not the first argument, unsafe arguments may have been already processed\n");
+
+ lockdown = 1;
+ }
+
+ return 0;
+}
+custom_secure_param("lockdown", parse_lockdown_opt);
+
+bool is_locked_down(void)
+{
+ return lockdown & ~FIRST_ARG_FLAG;
+}
+
+void __init lockdown_init(const char *cmdline)
+{
+ if ( efi_secure_boot )
+ {
+ printk("Enabling lockdown mode because Secure Boot is enabled\n");
+ lockdown = 1;
+ }
+
+ printk("Lockdown mode is %s\n", is_locked_down() ? "enabled" : "disabled");
+}
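Review bot: `parse_lockdown_opt()` treats every value not starting with "no" as enabling lockdown and returns 0 for it, so `lockdown=0`, `lockdown=false` or a typo silently enable the mode while `lockdown=nothing` disables it; since `is_locked_down()` gates security decisions, the value should be parsed strictly, e.g. `int b = parse_bool(s, NULL); if ( b < 0 ) return -EINVAL;` and then branch on `b` (v1 used the related `parse_boolean()` helper, so this family is available). The `cmdline` parameter of `lockdown_init()` is no longer read now that the custom parsing is gone, so it and the prototype in lockdown.h could take `void`. Packing the transient `FIRST_ARG_FLAG` into the `__ro_after_init` policy variable is fragile: `lockdown = 1` and `lockdown = 0` in the handler discard the flag bit, which only works because `parse_params()` clears it after every parameter anyway; a separate `static bool` for the first-argument state would make the intent obvious and keep the policy variable a plain bool. Finally, the file calls `strncmp()` and `printk()` but dropped the `<xen/string.h>` and `<xen/kernel.h>` includes that v1 had, relying on transitive includes.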
diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h
new file mode 100644
index 0000000000..6ae97f9d5f
--- /dev/null
+++ b/xen/include/xen/lockdown.h
@@ -0,0 +1,11 @@
+#ifndef XEN__LOCKDOWN_H
+#define XEN__LOCKDOWN_H
+
+#include <xen/types.h>
+
+void lockdown_set_first_flag(void);
+void lockdown_clear_first_flag(void);
+bool is_locked_down(void);
+void lockdown_init(const char *cmdline);
+
+#endif /* XEN__LOCKDOWN_H */
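Review bot: The four prototypes carry no contract. `is_locked_down()` returns the Kconfig default until `lockdown_init()` has run from `cmdline_parse()`, so on a Secure Boot system an early caller would see "disabled"; that ordering constraint deserves a comment above it, e.g. `/* Valid only after cmdline_parse(); before that it reflects CONFIG_LOCKDOWN_DEFAULT. */`. Likewise `lockdown_set_first_flag()`/`lockdown_clear_first_flag()` are bookkeeping for the command-line parser rather than a general API, which a one-line comment on each should say so they are not called from elsewhere.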
--
2.42.0
On 20.05.2025 13:57, Kevin Lampis wrote: > From: Ross Lagerwall <ross.lagerwall@citrix.com> > > The intention of lockdown mode is to prevent attacks from a rogue dom0 > userspace from compromising the system. Lockdown mode can be controlled by a > Kconfig option and a command-line parameter. It is also enabled automatically > when Secure Boot is enabled and it cannot be disabled in that case. > > If enabled from the command-line then it is required to be first in the > list otherwise Xen may process some insecure parameters before reaching > the lockdown parameter. > > Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> > Signed-off-by: Kevin Lampis <kevin.lampis@cloud.com> > --- > Changes in v2: > - Remove custom command line parsing > - Print warning if lockdown is not first on command line No comments on the patch itself (yet), just a formal remark: I was puzzled by having only v2 2/3 and 3/3 in my inbox. Looks like you sent each as a reply on the v1 sub-threads. Very occasionally for a larger series it may be okay to send just a single update that way. Here, however, please re-send as a full, standalone v2 series. Jan
On Tue, May 20, 2025 at 3:23 PM Jan Beulich <jbeulich@suse.com> wrote: > > No comments on the patch itself (yet), just a formal remark: I was puzzled > by having only v2 2/3 and 3/3 in my inbox. Looks like you sent each as > reply on the v1 sub-threads. Very occasionally for a larger series it may > be okay to send just a single update that way. Here, however, please re- > send as a full, standalone v2 series. Sorry I will do that in future.