From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Ross Lagerwall, Kevin Lampis
Subject: [PATCH 2/3] Add lockdown mode
Date: Mon, 12 May 2025 20:56:27 +0100
Message-ID: <20250512195628.1728455-3-kevin.lampis@cloud.com>
In-Reply-To: <20250512195628.1728455-1-kevin.lampis@cloud.com>
References: <20250512195628.1728455-1-kevin.lampis@cloud.com>

From: Ross Lagerwall

The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by
a Kconfig option and a command-line parameter. It is also enabled
automatically when Secure Boot is enabled and it cannot be disabled in that
case.

Signed-off-by: Ross Lagerwall
Signed-off-by: Kevin Lampis
---
 xen/arch/x86/setup.c       |  1 +
 xen/common/Kconfig         |  8 ++++++
 xen/common/Makefile        |  1 +
 xen/common/kernel.c        |  3 +++
 xen/common/lockdown.c      | 52 ++++++++++++++++++++++++++++++++++++++
 xen/include/xen/lockdown.h |  9 +++++++
 6 files changed, 74 insertions(+)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 2518954124..276957c4ed 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/common/Kconfig b/xen/common/Kconfig index bf7b081ad0..42b2e4e869 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig
@@ -565,4 +565,12 @@ config BUDDY_ALLOCATOR_SIZE Amount of memory reserved for the buddy allocator to serve Xen heap, working alongside the colored one. =20 +config LOCKDOWN_DEFAULT + bool "Enable lockdown mode by default" + default n + help + Lockdown mode prevents attacks from a rogue dom0 userspace from + compromising the system. This is automatically enabled when Secure + Boot is enabled. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index 98f0873056..b00a8a925a 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) +=3D kexec.o obj-$(CONFIG_KEXEC) +=3D kimage.o obj-$(CONFIG_LIVEPATCH) +=3D livepatch.o livepatch_elf.o obj-$(CONFIG_LLC_COLORING) +=3D llc-coloring.o +obj-y +=3D lockdown.o obj-$(CONFIG_VM_EVENT) +=3D mem_access.o obj-y +=3D memory.o obj-y +=3D multicall.o diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 8b63ca55f1..6658db9514 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline) */ void __init cmdline_parse(const char *cmdline) { + /* Call this early since it affects command-line parsing */ + lockdown_init(cmdline); + if ( opt_builtin_cmdline[0] ) { printk("Built-in command line: %s\n", opt_builtin_cmdline); diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c new file mode 100644 index 0000000000..935911dfd0 --- /dev/null +++ b/xen/common/lockdown.c 
@@ -0,0 +1,52 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include +#include +#include +#include +#include + +static bool __ro_after_init lockdown =3D IS_ENABLED(CONFIG_LOCKDOWN_DEFAUL= T); +ignore_param("lockdown"); + +bool is_locked_down(void) +{ + return lockdown; +} + +void __init lockdown_init(const char *cmdline) +{ + if ( efi_secure_boot ) + { + printk("Enabling lockdown mode because Secure Boot is enabled\n"); + lockdown =3D true; + } + else + { + while ( *cmdline ) + { + size_t param_len, name_len; + int ret; + + cmdline +=3D strspn(cmdline, " \n\r\t"); + param_len =3D strcspn(cmdline, " \n\r\t"); + name_len =3D strcspn(cmdline, "=3D \n\r\t"); + + if ( !strncmp(cmdline, "lockdown", max(name_len, strlen("lockd= own"))) || + !strncmp(cmdline, "no-lockdown", max(name_len, strlen("no= -lockdown"))) ) + { + ret =3D parse_boolean("lockdown", cmdline, cmdline + param= _len); + if ( ret >=3D 0 ) + { + lockdown =3D ret; + printk("Lockdown mode set from command-line\n"); + break; + } + } + + cmdline +=3D param_len; + } + } + + printk("Lockdown mode is %s\n", lockdown ? "enabled" : "disabled"); +} diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h new file mode 100644 index 0000000000..b2baa31caa --- /dev/null +++ b/xen/include/xen/lockdown.h @@ -0,0 +1,9 @@ +#ifndef XEN__LOCKDOWN_H +#define XEN__LOCKDOWN_H + +#include + +bool is_locked_down(void); +void lockdown_init(const char *cmdline); + +#endif /* XEN__LOCKDOWN_H */ --=20 2.42.0
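Review bot: the new include of xen/lockdown.h in xen/arch/x86/setup.c is unused by this patch; the setup.c hunk touches nothing else, so either drop the include here or move it to the patch in the series that actually calls is_locked_down() from setup.c, so that each patch builds cleanly on its own and the include lands next to its first user.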
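Review bot: the LOCKDOWN_DEFAULT help text should state that the option only chooses the default and that the `lockdown` / `no-lockdown` command-line parameter added by this same patch overrides it, except under Secure Boot, where the commit message says it cannot be disabled; as written a menuconfig user cannot tell whether `n` means lockdown is unavailable or merely off by default. `default n` is redundant for a bool and can go. Separately, the diffstat shows no documentation change, so the new parameter still needs an entry in docs/misc/xen-command-line.pandoc describing the accepted values and the Secure Boot override.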
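Review bot: lockdown_init() is handed only `cmdline`, yet the very next statement in cmdline_parse() deals with opt_builtin_cmdline, so a `lockdown` or `no-lockdown` placed in the built-in command line (CONFIG_CMDLINE) is never seen by lockdown_init(). Either run the same scan over opt_builtin_cmdline as well, or document that only the boot-loader-supplied command line can control lockdown. The comment "Call this early since it affects command-line parsing" would also be more useful if it named what is affected, since nothing in this patch consults is_locked_down() while parsing.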
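Review bot: the `break` after the first successfully parsed `lockdown`/`no-lockdown` in lockdown_init() makes the first occurrence win, whereas Xen's generic command-line parser applies options left to right so the last occurrence wins; `lockdown no-lockdown` leaves lockdown enabled here but the equivalent ordinary boolean parameter would end up disabled. Drop the `break` and let later values overwrite earlier ones so the semantics match. Two smaller points in the same function: a value that parse_boolean() rejects (ret < 0) is skipped silently, where the normal parser reports an invalid value, so a printk there would help; and in the efi_secure_boot branch the command line is not scanned at all, so a `no-lockdown` is ignored without any message, which is correct per the commit message but deserves a warning so the operator learns the option had no effect. Finally, this file lives in xen/common and is built with obj-y unconditionally but references efi_secure_boot, so make sure that symbol is declared (or stubbed to false) for non-EFI x86 and non-x86 builds, otherwise those configurations fail to build.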
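Review bot: xen/include/xen/lockdown.h lacks the SPDX-License-Identifier line that xen/common/lockdown.c carries; new files should have one, so add `/* SPDX-License-Identifier: GPL-2.0-or-later */` above the guard. A short comment on the two prototypes would also help callers: that lockdown_init() must run before the rest of the command line is parsed (as the kernel.c hunk's comment implies) and that is_locked_down() is only meaningful after it has run.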