From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Ross Lagerwall, Kevin Lampis
Subject: [PATCH 1/3] efi: Add a function to check if Secure Boot mode is enabled
Date: Mon, 12 May 2025 20:56:26 +0100
Message-ID: <20250512195628.1728455-2-kevin.lampis@cloud.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20250512195628.1728455-1-kevin.lampis@cloud.com>
References: <20250512195628.1728455-1-kevin.lampis@cloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ross Lagerwall

Also cache it to avoid needing to repeatedly ask the firmware.

Signed-off-by: Ross Lagerwall
Signed-off-by: Kevin Lampis
--- xen/common/efi/boot.c | 23 +++++++++++++++++++++++ xen/common/efi/runtime.c | 3 +++ xen/include/xen/efi.h | 6 ++++++ 3 files changed, 32 insertions(+) diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index e39fbc3529..7c528cd5dd 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -870,6 +870,27 @@ static void __init pre_parse(const struct file *file) " last line will be ignored.\r\n"); } =20 +static void __init init_secure_boot_mode(void) +{ + EFI_STATUS status; + EFI_GUID gv_uuid =3D EFI_GLOBAL_VARIABLE; + uint8_t data =3D 0; + UINTN size =3D sizeof(data); + UINT32 attr =3D 0; + status =3D efi_rs->GetVariable((CHAR16 *)L"SecureBoot", &gv_uuid, &att= r, + &size, &data); + + if ( status =3D=3D EFI_NOT_FOUND || + (status =3D=3D EFI_SUCCESS && + attr =3D=3D (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNT= IME_ACCESS) && + size =3D=3D 1 && data =3D=3D 0) ) + /* Platform does not support Secure Boot or it's disabled. */ + efi_secure_boot =3D false; + else + /* Everything else play it safe and assume enabled. */ + efi_secure_boot =3D true; +} + static void __init efi_init(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *Syst= emTable) { efi_ih =3D ImageHandle;
@@ -884,6 +905,8 @@ static void __init efi_init(EFI_HANDLE ImageHandle, EFI= _SYSTEM_TABLE *SystemTabl =20 StdOut =3D SystemTable->ConOut; StdErr =3D SystemTable->StdErr ?: StdOut; + + init_secure_boot_mode(); } =20 static void __init efi_console_set_mode(void) diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 7e1fce291d..b63d21f16c 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -40,6 +40,9 @@ void efi_rs_leave(struct efi_rs_state *state); unsigned int __read_mostly efi_num_ct; const EFI_CONFIGURATION_TABLE *__read_mostly efi_ct; =20 +#if defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM) +bool __ro_after_init efi_secure_boot; +#endif unsigned int __read_mostly efi_version; unsigned int __read_mostly efi_fw_revision; const CHAR16 *__read_mostly efi_fw_vendor; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..ae10ac62d0 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h 
@@ -40,6 +40,12 @@ static inline bool efi_enabled(unsigned int feature) } #endif =20 +#if defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM) +extern bool efi_secure_boot; +#else +#define efi_secure_boot false +#endif + void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); bool efi_rs_using_pgtables(void); --=20 2.42.0
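Review bot: in init_secure_boot_mode() (xen/common/efi/boot.c, first hunk of patch 1/3) the two assignments to efi_secure_boot are unconditional, while the efi.h hunk of the same patch replaces the symbol with "#define efi_secure_boot false" whenever CONFIG_X86 is unset or CONFIG_PV_SHIM is set. If boot.c is built in such a configuration, the assignments expand to "false = ..." and will not compile. Either wrap the function body (and its call in efi_init()) in the same "#if defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM)" guard, or define the variable for every EFI build and drop the macro. Style: a blank line is missing between the declarations and the "status = efi_rs->GetVariable(...)" statement.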
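Review bot: the declaration "extern bool efi_secure_boot;" in the xen/include/xen/efi.h hunk of patch 1/3 has no comment describing its semantics. Per init_secure_boot_mode(), true means "Secure Boot enabled, or the state could not be determined", and per the #else branch the value is constant false on builds outside the CONFIG_X86 && !CONFIG_PV_SHIM case, whatever the firmware reports. Callers that make security decisions on this flag need both facts, so please add a short comment here and mention the x86-only scope in the commit message.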
From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Ross Lagerwall, Kevin Lampis
Subject: [PATCH 2/3] Add lockdown mode
Date: Mon, 12 May 2025 20:56:27 +0100
Message-ID: <20250512195628.1728455-3-kevin.lampis@cloud.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20250512195628.1728455-1-kevin.lampis@cloud.com>
References: <20250512195628.1728455-1-kevin.lampis@cloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ross Lagerwall

The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.

Signed-off-by: Ross Lagerwall
Signed-off-by: Kevin Lampis
--- xen/arch/x86/setup.c | 1 + xen/common/Kconfig | 8 ++++++ xen/common/Makefile | 1 + xen/common/kernel.c | 3 +++ xen/common/lockdown.c | 52 ++++++++++++++++++++++++++++++++++++++ xen/include/xen/lockdown.h | 9 +++++++ 6 files changed, 74 insertions(+) create mode 100644 xen/common/lockdown.c create mode 100644 xen/include/xen/lockdown.h diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2518954124..276957c4ed 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/common/Kconfig b/xen/common/Kconfig index bf7b081ad0..42b2e4e869 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig
@@ -565,4 +565,12 @@ config BUDDY_ALLOCATOR_SIZE Amount of memory reserved for the buddy allocator to serve Xen heap, working alongside the colored one. =20 +config LOCKDOWN_DEFAULT + bool "Enable lockdown mode by default" + default n + help + Lockdown mode prevents attacks from a rogue dom0 userspace from + compromising the system. This is automatically enabled when Secure + Boot is enabled. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index 98f0873056..b00a8a925a 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) +=3D kexec.o obj-$(CONFIG_KEXEC) +=3D kimage.o obj-$(CONFIG_LIVEPATCH) +=3D livepatch.o livepatch_elf.o obj-$(CONFIG_LLC_COLORING) +=3D llc-coloring.o +obj-y +=3D lockdown.o obj-$(CONFIG_VM_EVENT) +=3D mem_access.o obj-y +=3D memory.o obj-y +=3D multicall.o diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 8b63ca55f1..6658db9514 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline) */ void __init cmdline_parse(const char *cmdline) { + /* Call this early since it affects command-line parsing */ + lockdown_init(cmdline); + if ( opt_builtin_cmdline[0] ) { printk("Built-in command line: %s\n", opt_builtin_cmdline); diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c new file mode 100644 index 0000000000..935911dfd0 --- /dev/null +++ b/xen/common/lockdown.c 
@@ -0,0 +1,52 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include +#include +#include +#include +#include + +static bool __ro_after_init lockdown =3D IS_ENABLED(CONFIG_LOCKDOWN_DEFAUL= T); +ignore_param("lockdown"); + +bool is_locked_down(void) +{ + return lockdown; +} + +void __init lockdown_init(const char *cmdline) +{ + if ( efi_secure_boot ) + { + printk("Enabling lockdown mode because Secure Boot is enabled\n"); + lockdown =3D true; + } + else + { + while ( *cmdline ) + { + size_t param_len, name_len; + int ret; + + cmdline +=3D strspn(cmdline, " \n\r\t"); + param_len =3D strcspn(cmdline, " \n\r\t"); + name_len =3D strcspn(cmdline, "=3D \n\r\t"); + + if ( !strncmp(cmdline, "lockdown", max(name_len, strlen("lockd= own"))) || + !strncmp(cmdline, "no-lockdown", max(name_len, strlen("no= -lockdown"))) ) + { + ret =3D parse_boolean("lockdown", cmdline, cmdline + param= _len); + if ( ret >=3D 0 ) + { + lockdown =3D ret; + printk("Lockdown mode set from command-line\n"); + break; + } + } + + cmdline +=3D param_len; + } + } + + printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled"); +} diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h new file mode 100644 index 0000000000..b2baa31caa --- /dev/null +++ b/xen/include/xen/lockdown.h 
@@ -0,0 +1,9 @@ +#ifndef XEN__LOCKDOWN_H +#define XEN__LOCKDOWN_H + +#include + +bool is_locked_down(void); +void lockdown_init(const char *cmdline); + +#endif /* XEN__LOCKDOWN_H */ --=20 2.42.0
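Review bot: the new LOCKDOWN_DEFAULT entry in the xen/common/Kconfig hunk of patch 2/3 is the only documentation of the feature, and it does not mention the "lockdown" / "no-lockdown" command-line parameter that lockdown.c parses. The diffstat touches no documentation file, so the parameter, its interaction with this Kconfig default, and the fact that Secure Boot forces lockdown on all go undocumented. Please document the option alongside the other command-line parameters and extend the help text. Minor: "default n" is redundant for a bool and can be dropped.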
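Review bot: in cmdline_parse() (xen/common/kernel.c hunk of patch 2/3) lockdown_init() is handed only the "cmdline" argument, so a lockdown setting placed in opt_builtin_cmdline, which is handled immediately below the new call, is never seen by lockdown_init(). Because lockdown.c also registers ignore_param("lockdown"), that built-in setting is then dropped without any message. Either scan the built-in command line in lockdown_init() as well, or state clearly that lockdown can only be set from the boot-time command line and the Kconfig default.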
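Review bot: the scan loop in lockdown_init() (new file xen/common/lockdown.c, patch 2/3) does "break" on the first "lockdown" / "no-lockdown" that parse_boolean() accepts, so the first occurrence wins and any later one is never examined. Please either say so in the documentation or drop the "break" if a later occurrence is meant to override an earlier one. Separately, in the efi_secure_boot branch the command line is not examined at all, so an operator who passes "no-lockdown" under Secure Boot gets no indication that the request was ignored; a printk warning in that case would make the "cannot be disabled" rule from the commit message visible in the boot log.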
From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Kevin Lampis, Ross Lagerwall
Subject: [PATCH 3/3] Disallow most command-line options when lockdown mode is enabled
Date: Mon, 12 May 2025 20:56:28 +0100
Message-ID: <20250512195628.1728455-4-kevin.lampis@cloud.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20250512195628.1728455-1-kevin.lampis@cloud.com>
References: <20250512195628.1728455-1-kevin.lampis@cloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

A subset of command-line parameters that are specifically safe to use when
lockdown mode is enabled are annotated as such.

Signed-off-by: Kevin Lampis
Signed-off-by: Ross Lagerwall
--- xen/arch/arm/domain_build.c | 4 +-- xen/arch/x86/acpi/cpu_idle.c | 2 +- xen/arch/x86/cpu/amd.c | 2 +- xen/arch/x86/cpu/mcheck/mce.c | 2 +- xen/arch/x86/cpu/microcode/core.c | 2 +- xen/arch/x86/dom0_build.c | 4 +-- xen/arch/x86/hvm/hvm.c | 2 +- xen/arch/x86/irq.c | 2 +- xen/arch/x86/nmi.c | 2 +- xen/arch/x86/setup.c | 2 +- xen/arch/x86/traps.c | 2 +- xen/arch/x86/x86_64/mmconfig-shared.c | 2 +- xen/common/domain.c | 2 +- xen/common/kernel.c | 10 +++++- xen/common/kexec.c | 2 +- xen/common/numa.c | 2 +- xen/common/page_alloc.c | 2 +- xen/common/shutdown.c | 2 +- xen/drivers/char/console.c | 2 +- xen/drivers/char/ns16550.c | 4 +-- xen/drivers/video/vga.c | 2 +- xen/include/xen/param.h | 49 +++++++++++++++++++++------ 22 files changed, 70 insertions(+), 35 deletions(-) diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index b189a7cfae..ef1cba8f0f 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c
@@ -41,7 +41,7 @@ #include =20 static unsigned int __initdata opt_dom0_max_vcpus; -integer_param("dom0_max_vcpus", opt_dom0_max_vcpus); +integer_secure_param("dom0_max_vcpus", opt_dom0_max_vcpus); =20 /* * If true, the extended regions support is enabled for dom0 and @@ -61,7 +61,7 @@ static int __init parse_dom0_mem(const char *s) =20 return *s ? -EINVAL : 0; } -custom_param("dom0_mem", parse_dom0_mem); +custom_secure_param("dom0_mem", parse_dom0_mem); =20 int __init parse_arch_dom0_param(const char *s, const char *e) { diff --git a/xen/arch/x86/acpi/cpu_idle.c b/xen/arch/x86/acpi/cpu_idle.c index 1dbf15b01e..431fd0c997 100644 --- a/xen/arch/x86/acpi/cpu_idle.c +++ b/xen/arch/x86/acpi/cpu_idle.c @@ -113,7 +113,7 @@ static int __init cf_check parse_cstate(const char *s) max_csubstate =3D simple_strtoul(s + 1, NULL, 0); return 0; } -custom_param("max_cstate", parse_cstate); +custom_secure_param("max_cstate", parse_cstate); =20 static bool __read_mostly local_apic_timer_c2_ok; boolean_param("lapic_timer_c2_ok", local_apic_timer_c2_ok); diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c index 37d67dd15c..c36351c968 100644 --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c @@ -47,7 +47,7 @@ integer_param("cpuid_mask_thermal_ecx", opt_cpuid_mask_th= ermal_ecx); =20 /* 1 =3D allow, 0 =3D don't allow guest creation, -1 =3D don't allow boot = */ int8_t __read_mostly opt_allow_unsafe; -boolean_param("allow_unsafe", opt_allow_unsafe); +boolean_secure_param("allow_unsafe", opt_allow_unsafe); =20 /* Signal whether the ACPI C1E quirk is required. */ bool __read_mostly amd_acpi_c1e_quirk; diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c index 1c348e557d..a229af6fd3 100644 --- a/xen/arch/x86/cpu/mcheck/mce.c +++ b/xen/arch/x86/cpu/mcheck/mce.c 
@@ -31,7 +31,7 @@ #include "vmce.h" =20 bool __read_mostly opt_mce =3D true; -boolean_param("mce", opt_mce); +boolean_secure_param("mce", opt_mce); bool __read_mostly mce_broadcast; bool is_mc_panic; DEFINE_PER_CPU_READ_MOSTLY(unsigned int, nr_mce_banks); diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode= /core.c index 34a94cd25b..b5b7304ae7 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c @@ -160,7 +160,7 @@ static int __init cf_check parse_ucode(const char *s) =20 return rc; } -custom_param("ucode", parse_ucode); +custom_secure_param("ucode", parse_ucode); =20 static struct microcode_ops __ro_after_init ucode_ops; =20 diff --git a/xen/arch/x86/dom0_build.c b/xen/arch/x86/dom0_build.c index 0b467fd4a4..6d42acb661 100644 --- a/xen/arch/x86/dom0_build.c +++ b/xen/arch/x86/dom0_build.c @@ -142,7 +142,7 @@ static int __init cf_check parse_dom0_mem(const char *s) =20 return s[-1] ? -EINVAL : ret; } -custom_param("dom0_mem", parse_dom0_mem); +custom_secure_param("dom0_mem", parse_dom0_mem); =20 static unsigned int __initdata opt_dom0_max_vcpus_min =3D 1; static unsigned int __initdata opt_dom0_max_vcpus_max =3D UINT_MAX; @@ -164,7 +164,7 @@ static int __init cf_check parse_dom0_max_vcpus(const c= har *s) =20 return *s ? -EINVAL : 0; } -custom_param("dom0_max_vcpus", parse_dom0_max_vcpus); +custom_secure_param("dom0_max_vcpus", parse_dom0_max_vcpus); =20 static __initdata unsigned int dom0_nr_pxms; static __initdata unsigned int dom0_pxms[MAX_NUMNODES] =3D diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 4cb2e13046..97afb274fe 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c 
@@ -87,7 +87,7 @@ unsigned long __section(".bss.page_aligned") __aligned(PA= GE_SIZE) =20 /* Xen command-line option to enable HAP */ static bool __initdata opt_hap_enabled =3D true; -boolean_param("hap", opt_hap_enabled); +boolean_secure_param("hap", opt_hap_enabled); =20 #ifndef opt_hvm_fep /* Permit use of the Forced Emulation Prefix in HVM guests */ diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c index 38ac0823d7..453bdb9910 100644 --- a/xen/arch/x86/irq.c +++ b/xen/arch/x86/irq.c @@ -34,7 +34,7 @@ =20 /* opt_noirqbalance: If true, software IRQ balancing/affinity is disabled.= */ bool __read_mostly opt_noirqbalance; -boolean_param("noirqbalance", opt_noirqbalance); +boolean_secure_param("noirqbalance", opt_noirqbalance); =20 unsigned int __read_mostly nr_irqs_gsi =3D NR_ISA_IRQS; unsigned int __read_mostly nr_irqs; diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 9793fa2316..3735f22e88 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -73,7 +73,7 @@ static int __init cf_check parse_watchdog(const char *s) =20 return 0; } -custom_param("watchdog", parse_watchdog); +custom_secure_param("watchdog", parse_watchdog); =20 /* opt_watchdog_timeout: Number of seconds to wait before panic. */ static unsigned int opt_watchdog_timeout =3D 5; diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 276957c4ed..1018cdb771 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -70,7 +70,7 @@ =20 /* opt_nosmp: If true, secondary processors are ignored. */ static bool __initdata opt_nosmp; -boolean_param("nosmp", opt_nosmp); +boolean_secure_param("nosmp", opt_nosmp); =20 /* maxcpus: maximum number of CPUs to activate. */ static unsigned int __initdata max_cpus; diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 25e0d5777e..1af67d2256 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c 
@@ -86,7 +86,7 @@ static char __read_mostly opt_nmi[10] =3D "dom0"; #else static char __read_mostly opt_nmi[10] =3D "fatal"; #endif -string_param("nmi", opt_nmi); +string_secure_param("nmi", opt_nmi); =20 DEFINE_PER_CPU(uint64_t, efer); static DEFINE_PER_CPU(unsigned long, last_extable_addr); diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mm= config-shared.c index f1a3d42c5b..80cdca7d77 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -60,7 +60,7 @@ static int __init cf_check parse_mmcfg(const char *s) =20 return rc; } -custom_param("mmcfg", parse_mmcfg); +custom_secure_param("mmcfg", parse_mmcfg); =20 static const char *__init cf_check pci_mmcfg_e7520(void) { diff --git a/xen/common/domain.c b/xen/common/domain.c index abf1969e60..c95988c067 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -55,7 +55,7 @@ unsigned int xen_processor_pmbits =3D XEN_PROCESSOR_PM_PX; =20 /* opt_dom0_vcpus_pin: If true, dom0 VCPUs are pinned. */ bool opt_dom0_vcpus_pin; -boolean_param("dom0_vcpus_pin", opt_dom0_vcpus_pin); +boolean_secure_param("dom0_vcpus_pin", opt_dom0_vcpus_pin); =20 /* Protect updates/reads (resp.) of domain_list and domain_hash. */ DEFINE_SPINLOCK(domlist_update_lock); diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 6658db9514..eaa509f317 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -14,6 +14,8 @@ #include #include #include +#include +#include #include #include #include @@ -135,9 +137,15 @@ static int parse_params(const char *cmdline, const str= uct kernel_param *start, } continue; } + found =3D true; + + if ( !param->is_lockdown_safe && is_locked_down() ) + { + printk("Ignoring unsafe cmdline option %s in lockdown mode\n= ", param->name); + break; + } =20 rctmp =3D 0; - found =3D true; switch ( param->type ) { case OPT_STR: diff --git a/xen/common/kexec.c b/xen/common/kexec.c index 84fe8c3597..790839657d 100644 --- a/xen/common/kexec.c 
+++ b/xen/common/kexec.c @@ -189,7 +189,7 @@ static int __init cf_check parse_crashkernel(const char= *str) =20 return rc; } -custom_param("crashkernel", parse_crashkernel); +custom_secure_param("crashkernel", parse_crashkernel); =20 /* Parse command lines in the format: * diff --git a/xen/common/numa.c b/xen/common/numa.c index ad75955a16..c4981f2ff1 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c @@ -687,7 +687,7 @@ static int __init cf_check numa_setup(const char *opt) =20 return 0; } -custom_param("numa", numa_setup); +custom_secure_param("numa", numa_setup); =20 static void cf_check dump_numa(unsigned char key) { diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index e57a287133..a07690d8fd 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -235,7 +235,7 @@ static int __init cf_check parse_bootscrub_param(const = char *s) =20 return 0; } -custom_param("bootscrub", parse_bootscrub_param); +custom_secure_param("bootscrub", parse_bootscrub_param); =20 /* * bootscrub_chunk -> Amount of bytes to scrub lockstep on non-SMT CPUs diff --git a/xen/common/shutdown.c b/xen/common/shutdown.c index c47341b977..231de1454a 100644 --- a/xen/common/shutdown.c +++ b/xen/common/shutdown.c @@ -13,7 +13,7 @@ =20 /* opt_noreboot: If true, machine will need manual reset on error. */ bool __ro_after_init opt_noreboot; -boolean_param("noreboot", opt_noreboot); +boolean_secure_param("noreboot", opt_noreboot); =20 static void noreturn reboot_or_halt(void) { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index c3150fbdb7..45a35903fe 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c 
@@ -43,7 +43,7 @@ =20 /* console: comma-separated list of console outputs. */ static char __initdata opt_console[30] =3D OPT_CONSOLE_STR; -string_param("console", opt_console); +string_secure_param("console", opt_console); =20 /* conswitch: a character pair controlling console switching. */ /* Char 1: CTRL+ is used to switch console input between Xen and DO= M0 */ diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c index eaeb0e09d0..fae509cbd8 100644 --- a/xen/drivers/char/ns16550.c +++ b/xen/drivers/char/ns16550.c @@ -1390,8 +1390,8 @@ static void enable_exar_enhanced_bits(const struct ns= 16550 *uart) */ static char __initdata opt_com1[128] =3D ""; static char __initdata opt_com2[128] =3D ""; -string_param("com1", opt_com1); -string_param("com2", opt_com2); +string_secure_param("com1", opt_com1); +string_secure_param("com2", opt_com2); =20 enum serial_param_type { baud_rate, diff --git a/xen/drivers/video/vga.c b/xen/drivers/video/vga.c index b577b24619..abc6e56aa3 100644 --- a/xen/drivers/video/vga.c +++ b/xen/drivers/video/vga.c @@ -48,7 +48,7 @@ void (*video_puts)(const char *s, size_t nr) =3D vga_noop= _puts; * control of the console to domain 0. */ static char __initdata opt_vga[30] =3D ""; -string_param("vga", opt_vga); +string_secure_param("vga", opt_vga); =20 /* VGA text-mode definitions. */ static unsigned int columns, lines; diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h index 1bdbab34ab..31e7326d88 100644 --- a/xen/include/xen/param.h +++ b/xen/include/xen/param.h @@ -25,6 +25,7 @@ struct kernel_param { void *var; int (*func)(const char *s); } par; + bool is_lockdown_safe; }; =20 /* Maximum length of a single parameter string. */ 
@@ -44,46 +45,72 @@ extern const struct kernel_param __setup_start[], __set= up_end[]; #define _TEMP_NAME(base, line) __TEMP_NAME(base, line) #define TEMP_NAME(base) _TEMP_NAME(base, __LINE__) =20 -#define custom_param(_name, _var) \ +#define custom_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_CUSTOM, \ - .par.func =3D (_var) } -#define boolean_param(_name, _var) \ + .par.func =3D (_var), \ + .is_lockdown_safe =3D (_sec) } +#define custom_param(_name, _var) \ + custom_param_(_name, _var, false) +#define custom_secure_param(_name, _var) \ + custom_param_(_name, _var, true) +#define boolean_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_BOOL, \ .len =3D sizeof(_var) + \ BUILD_BUG_ON_ZERO(sizeof(_var) !=3D sizeof(bool)), \ - .par.var =3D &(_var) } -#define integer_param(_name, _var) \ + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define boolean_param(_name, _var) \ + boolean_param_(_name, _var, false) +#define boolean_secure_param(_name, _var) \ + boolean_param_(_name, _var, true) +#define integer_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_UINT, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } -#define size_param(_name, _var) \ + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define integer_param(_name, _var) \ + integer_param_(_name, _var, false) +#define integer_secure_param(_name, _var) \ + integer_param_(_name, _var, true) +#define size_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_SIZE, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } -#define string_param(_name, _var) \ + .par.var =3D &(_var), \ + 
.is_lockdown_safe =3D (_sec) } +#define size_param(_name, _var) \ + size_param_(_name, _var, false) +#define size_secure_param(_name, _var) \ + size_param_(_name, _var, true) +#define string_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_STR, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define string_param(_name, _var) \ + string_param_(_name, _var, false) +#define string_secure_param(_name, _var) \ + string_param_(_name, _var, true) #define ignore_param(_name) \ __setup_str TEMP_NAME(__setup_str_ign)[] =3D (_name); \ __kparam TEMP_NAME(__setup_ign) =3D \ { .name =3D TEMP_NAME(__setup_str_ign), \ - .type =3D OPT_IGNORE } + .type =3D OPT_IGNORE, \ + .is_lockdown_safe =3D true } =20 #ifdef CONFIG_HYPFS =20 --=20 2.42.0
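Review bot: the conversions across xen/arch/x86, xen/common and xen/drivers mark free-form options as lockdown-safe without any per-option rationale, for example `string_secure_param("com1", opt_com1)`, `custom_secure_param("mmcfg", parse_mmcfg)` and `custom_secure_param("crashkernel", parse_crashkernel)`. For the string and custom types, safety depends on every value the handler accepts rather than on the option name, so each conversion should carry a short justification, either in the commit message or in a comment beside the declaration. Converting the boolean options (`hap`, `nosmp`, `noreboot`, `noirqbalance`, `dom0_vcpus_pin`) is easier to reason about, but a one-line reason for each would still help the next reviewer who adds an option to the list.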
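Review bot: in the xen/common/kernel.c parse_params() hunk, the `break` taken for an unsafe option stops the scan at the first matching entry, so a later entry registered under the same name is never considered, even if that one is marked lockdown-safe; `continue` would skip only the rejected entry. Moving `found = true` above the check means a rejected option is no longer distinguishable from an accepted one once the loop ends, leaving the printk as the only trace, which deserves a comment if intended. The hunk also does not show at what point is_locked_down() starts returning true relative to this parse, and options handled before that point would bypass the check, so the ordering should be documented here. The printk line needs wrapping to the line-length limit.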
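Review bot: the new `bool is_lockdown_safe;` member of struct kernel_param in xen/include/xen/param.h, and the `*_secure_param` wrappers built on it, have no comment stating what qualifies an option as safe under lockdown, so the header gives no criteria for future additions. The naming is also inconsistent: the field says "lockdown safe" while the macro argument is `_sec` and the wrappers say "secure", which reads as if the option improves security rather than being permitted in lockdown; something like `boolean_lockdown_safe_param` or a matching `_safe` argument name would avoid that. Keeping the existing `*_param` names mapped to `false` is the right fail-closed default, and it would be worth saying so in a comment above `custom_param_` so nobody flips it later.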