From: Kevin Lampis To: xen-devel@lists.xenproject.org Cc: Ross Lagerwall , Kevin Lampis Subject: [PATCH v2 1/3] efi: Add a function to check if Secure Boot mode is enabled Date: Mon, 2 Jun 2025 14:46:54 +0100 Message-ID: <20250602134656.3836280-2-kevin.lampis@cloud.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20250602134656.3836280-1-kevin.lampis@cloud.com> References: <20250602134656.3836280-1-kevin.lampis@cloud.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @cloud.com) X-ZM-MESSAGEID: 1748872041264116600 Content-Type: text/plain; charset="utf-8" From: Ross Lagerwall Also cache it to avoid needing to repeatedly ask the firmware. Signed-off-by: Ross Lagerwall Signed-off-by: Kevin Lampis --- Changes in v2: - None --- xen/common/efi/boot.c | 23 +++++++++++++++++++++++ xen/common/efi/runtime.c | 3 +++ xen/include/xen/efi.h | 6 ++++++ 3 files changed, 32 insertions(+) diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c index e39fbc3529..7c528cd5dd 100644 --- a/xen/common/efi/boot.c +++ b/xen/common/efi/boot.c @@ -870,6 +870,27 @@ static void __init pre_parse(const struct file *file) " last line will be ignored.\r\n"); } =20 +static void __init init_secure_boot_mode(void) +{ + EFI_STATUS status; + EFI_GUID gv_uuid =3D EFI_GLOBAL_VARIABLE; + uint8_t data =3D 0; + UINTN size =3D sizeof(data); + UINT32 attr =3D 0; + status =3D efi_rs->GetVariable((CHAR16 *)L"SecureBoot", &gv_uuid, &att= r, + &size, &data); + + if ( status =3D=3D EFI_NOT_FOUND || + (status =3D=3D EFI_SUCCESS && + attr =3D=3D (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNT= IME_ACCESS) && + size =3D=3D 1 && data =3D=3D 0) ) + /* Platform does not support Secure Boot or it's disabled. */ + efi_secure_boot =3D false; + else + /* Everything else play it safe and assume enabled. */ + efi_secure_boot =3D true; +} + static void __init efi_init(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *Syst= emTable) { efi_ih =3D ImageHandle; 
@@ -884,6 +905,8 @@ static void __init efi_init(EFI_HANDLE ImageHandle, EFI= _SYSTEM_TABLE *SystemTabl =20 StdOut =3D SystemTable->ConOut; StdErr =3D SystemTable->StdErr ?: StdOut; + + init_secure_boot_mode(); } =20 static void __init efi_console_set_mode(void) diff --git a/xen/common/efi/runtime.c b/xen/common/efi/runtime.c index 7e1fce291d..b63d21f16c 100644 --- a/xen/common/efi/runtime.c +++ b/xen/common/efi/runtime.c @@ -40,6 +40,9 @@ void efi_rs_leave(struct efi_rs_state *state); unsigned int __read_mostly efi_num_ct; const EFI_CONFIGURATION_TABLE *__read_mostly efi_ct; =20 +#if defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM) +bool __ro_after_init efi_secure_boot; +#endif unsigned int __read_mostly efi_version; unsigned int __read_mostly efi_fw_revision; const CHAR16 *__read_mostly efi_fw_vendor; diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 160804e294..ae10ac62d0 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h 
@@ -40,6 +40,12 @@ static inline bool efi_enabled(unsigned int feature) } #endif =20 +#if defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM) +extern bool efi_secure_boot; +#else +#define efi_secure_boot false +#endif + void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); bool efi_rs_using_pgtables(void); --=20 2.42.0
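Review bot: in the xen/common/efi/boot.c hunk adding init_secure_boot_mode(), every outcome other than a well-formed `SecureBoot` variable reading 0 (EFI_BUFFER_TOO_SMALL, unexpected attributes, a value of the wrong size) is folded into `efi_secure_boot = true` with no message, so a firmware quirk that silently forces Secure Boot handling on will be hard to diagnose from the boot log; a PrintStr() of the status and attributes in the fail-closed branch would help. The fail-closed choice itself is the right one and deserves a sentence in the commit message, which currently only mentions caching.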
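Review bot: the init_secure_boot_mode() call added after the StdErr assignment in efi_init() relies on efi_rs already having been set from SystemTable, which this hunk does not show; a one-line comment, or placing the call directly after the efi_rs assignment, would keep a future reordering from turning the GetVariable() call into a NULL dereference before any console exists.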
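Review bot: in the xen/include/xen/efi.h hunk, the `#define efi_secure_boot false` fallback breaks init_secure_boot_mode() in xen/common/efi/boot.c, which assigns to efi_secure_boot unconditionally: in any configuration that takes the #else branch and still compiles boot.c (the Arm EFI build compiles this same file), `efi_secure_boot = false;` expands to `false = false;`. Either guard init_secure_boot_mode() and its call site with the same `defined(CONFIG_X86) && !defined(CONFIG_PV_SHIM)` condition, or define the variable unconditionally in runtime.c and keep the macro only for configurations that never build boot.c.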
From: Kevin Lampis To: xen-devel@lists.xenproject.org Cc: Ross Lagerwall , Kevin Lampis Subject: [PATCH v2 2/3] Add lockdown mode Date: Mon, 2 Jun 2025 14:46:55 +0100 Message-ID: <20250602134656.3836280-3-kevin.lampis@cloud.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20250602134656.3836280-1-kevin.lampis@cloud.com> References: <20250602134656.3836280-1-kevin.lampis@cloud.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @cloud.com) X-ZM-MESSAGEID: 1748872049513116600 Content-Type: text/plain; charset="utf-8" From: Ross Lagerwall The intention of lockdown mode is to prevent attacks from a rogue dom0 userspace from compromising the system. Lockdown mode can be controlled by a Kconfig option and a command-line parameter. It is also enabled automatical= ly when Secure Boot is enabled and it cannot be disabled in that case. If enabled from the command-line then it is required to be first in the list otherwise Xen may process some insecure parameters before reaching the lockdown parameter. Signed-off-by: Ross Lagerwall Signed-off-by: Kevin Lampis --- Changes in v2: - Remove custom command line parsing - Print warning if lockdown is not first on command line --- xen/arch/x86/setup.c | 1 + xen/common/Kconfig | 8 ++++++ xen/common/Makefile | 1 + xen/common/kernel.c | 7 +++++ xen/common/lockdown.c | 54 ++++++++++++++++++++++++++++++++++++++ xen/include/xen/lockdown.h | 11 ++++++++ 6 files changed, 82 insertions(+) create mode 100644 xen/common/lockdown.c create mode 100644 xen/include/xen/lockdown.h diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 1f5cb67bd0..efeed5eafc 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 0951d4c2f2..33cd669110 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig 
@@ -587,4 +587,12 @@ config BUDDY_ALLOCATOR_SIZE Amount of memory reserved for the buddy allocator to serve Xen heap, working alongside the colored one. =20 +config LOCKDOWN_DEFAULT + bool "Enable lockdown mode by default" + default n + help + Lockdown mode prevents attacks from a rogue dom0 userspace from + compromising the system. This is automatically enabled when Secure + Boot is enabled. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index 98f0873056..b00a8a925a 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) +=3D kexec.o obj-$(CONFIG_KEXEC) +=3D kimage.o obj-$(CONFIG_LIVEPATCH) +=3D livepatch.o livepatch_elf.o obj-$(CONFIG_LLC_COLORING) +=3D llc-coloring.o +obj-y +=3D lockdown.o obj-$(CONFIG_VM_EVENT) +=3D mem_access.o obj-y +=3D memory.o obj-y +=3D multicall.o diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 8b63ca55f1..7280da987d 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -199,6 +200,8 @@ static int parse_params(const char *cmdline, const stru= ct kernel_param *start, printk("parameter \"%s\" unknown!\n", key); final_rc =3D -EINVAL; } + + lockdown_clear_first_flag(); } =20 return final_rc; @@ -216,6 +219,9 @@ static void __init _cmdline_parse(const char *cmdline) */ void __init cmdline_parse(const char *cmdline) { + /* Call this early since it affects command-line parsing */ + lockdown_init(cmdline); + if ( opt_builtin_cmdline[0] ) { printk("Built-in command line: %s\n", opt_builtin_cmdline); @@ -227,6 +233,7 @@ void __init cmdline_parse(const char *cmdline) return; =20 safe_strcpy(saved_cmdline, cmdline); + lockdown_set_first_flag(); _cmdline_parse(cmdline); #endif } diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c new file mode 100644 index 0000000000..84eabe9c83 --- /dev/null +++ b/xen/common/lockdown.c 
@@ -0,0 +1,54 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include +#include +#include + +#define FIRST_ARG_FLAG 2 + +static int __ro_after_init lockdown =3D IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT= ); + +void __init lockdown_set_first_flag(void) +{ + lockdown |=3D FIRST_ARG_FLAG; +} + +void __init lockdown_clear_first_flag(void) +{ + lockdown &=3D ~FIRST_ARG_FLAG; +} + +static int __init parse_lockdown_opt(const char *s) +{ + if ( strncmp("no", s, 2) =3D=3D 0 ) + if ( efi_secure_boot ) + printk("lockdown can't be disabled because Xen booted in Secur= e Boot mode\n"); + else + lockdown =3D 0; + else + { + if ( !(lockdown & FIRST_ARG_FLAG) ) + printk("lockdown was not the first argument, unsafe arguments = may have been already processed\n"); + + lockdown =3D 1; + } + + return 0; +} +custom_param("lockdown", parse_lockdown_opt); + +bool is_locked_down(void) +{ + return lockdown & ~FIRST_ARG_FLAG; +} + +void __init lockdown_init(const char *cmdline) +{ + if ( efi_secure_boot ) + { + printk("Enabling lockdown mode because Secure Boot is enabled\n"); + lockdown =3D 1; + } + + printk("Lockdown mode is %s\n", is_locked_down() ? "enabled" : "disabl= ed"); +} diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h new file mode 100644 index 0000000000..6ae97f9d5f --- /dev/null +++ b/xen/include/xen/lockdown.h 
@@ -0,0 +1,11 @@ +#ifndef XEN__LOCKDOWN_H +#define XEN__LOCKDOWN_H + +#include + +void lockdown_set_first_flag(void); +void lockdown_clear_first_flag(void); +bool is_locked_down(void); +void lockdown_init(const char *cmdline); + +#endif /* XEN__LOCKDOWN_H */ --=20 2.42.0
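Review bot: in the xen/common/kernel.c hunk for parse_params(), lockdown_clear_first_flag() is declared __init in lockdown.c but parse_params() is not (the hunk header shows `static int parse_params(...)` without __init), so if parse_params() remains reachable after init, for example through hypfs runtime parameter updates, this call lands in released .init text. Drop __init from the two flag helpers, or move the set/clear of the flag into the __init callers so parse_params() itself stays unchanged.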
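Review bot: in the cmdline_parse() hunks, lockdown_set_first_flag() is called only on the path that parses the external command line, after the built-in opt_builtin_cmdline has already been handled, so a `lockdown` option placed in CONFIG_CMDLINE always triggers the "was not the first argument" warning, and unsafe options on the built-in line are processed with lockdown still at its default. Set the flag before the built-in line is parsed as well, or state in the commit message and the docs that the built-in line is exempt from the ordering rule.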
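Review bot: in the new xen/common/lockdown.c, parse_lockdown_opt() only treats a value starting with "no" as a disable request, so `lockdown=false` or `lockdown=0`, which other boolean options accept, silently enable lockdown and `return 0` rather than -EINVAL; failing closed is fine, but parse_bool() would give consistent spelling and an error for unrecognised values. Braces around the inner `if ( efi_secure_boot )` would make the nested if/else easier to read. lockdown_init() takes `cmdline` but never uses it, and its "Lockdown mode is %s" message is printed before the command line is parsed, so it cannot reflect a `lockdown` or `lockdown=no` option; either drop the parameter or move the message after _cmdline_parse() so the log states the mode Xen actually boots with.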
From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Kevin Lampis, Ross Lagerwall
Subject: [PATCH v2 3/3] Disallow most command-line options when lockdown mode is enabled
Date: Mon, 2 Jun 2025 14:46:56 +0100
Message-ID: <20250602134656.3836280-4-kevin.lampis@cloud.com>
In-Reply-To: <20250602134656.3836280-1-kevin.lampis@cloud.com>
References: <20250602134656.3836280-1-kevin.lampis@cloud.com>

A subset of command-line parameters that are specifically safe to use when
lockdown mode is enabled are annotated as such. These are commonly used
parameters which have been audited to ensure they cannot be used to
undermine the integrity of the system when booted in Secure Boot mode.

Signed-off-by: Kevin Lampis
Signed-off-by: Ross Lagerwall
---
Changes in v2:
- Add more information about the safe parameters
- Add lockdown section to the command line doc
---
 docs/misc/xen-command-line.pandoc     | 16 +++++++++
 xen/arch/arm/domain_build.c           |  4 +--
 xen/arch/x86/acpi/cpu_idle.c          |  2 +-
 xen/arch/x86/cpu/amd.c                |  2 +-
 xen/arch/x86/cpu/mcheck/mce.c         |  2 +-
 xen/arch/x86/cpu/microcode/core.c     |  2 +-
 xen/arch/x86/dom0_build.c             |  4 +--
 xen/arch/x86/hvm/hvm.c                |  2 +-
 xen/arch/x86/irq.c                    |  2 +-
 xen/arch/x86/nmi.c                    |  2 +-
 xen/arch/x86/setup.c                  |  2 +-
 xen/arch/x86/traps.c                  |  2 +-
 xen/arch/x86/x86_64/mmconfig-shared.c |  2 +-
 xen/common/domain.c                   |  2 +-
 xen/common/kernel.c                   | 10 +++++-
 xen/common/kexec.c                    |  2 +-
 xen/common/lockdown.c                 |  2 +-
 xen/common/numa.c                     |  2 +-
 xen/common/page_alloc.c               |  2 +-
 xen/common/shutdown.c                 |  2 +-
 xen/drivers/char/console.c            |  2 +-
 xen/drivers/char/ns16550.c            |  4 +--
 xen/drivers/video/vga.c               |  2 +-
 xen/include/xen/param.h               | 49 +++++++++++++++++++++------
 24 files changed, 87 insertions(+), 36 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index b0eadd2c5d..7916875f22 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1798,6 +1798,22 @@ immediately. Specifying `0` will disable all testing= of illegal lock nesting. =20 This option is available for hypervisors built with CONFIG_DEBUG_LOCKS onl= y. =20 +### lockdown +> `=3D ` + +> Default: `false` + +The intention of lockdown mode is to prevent attacks from a rogue dom0 +userspace from compromising the system. It is also enabled automatically +when Secure Boot is enabled and it cannot be disabled in that case. + +After lockdown mode is enabled some unsafe command line options will be +ignored by Xen. + +If enabling lockdown mode via the command line then ensure it is positione= d as +the first option in the command line string otherwise Xen may process unsa= fe +options before reaching the lockdown parameter. + ### loglvl > `=3D [/]` where level is `none | error | warn= ing | info | debug | all` =20 diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index b189a7cfae..ef1cba8f0f 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -41,7 +41,7 @@ #include =20 static unsigned int __initdata opt_dom0_max_vcpus; -integer_param("dom0_max_vcpus", opt_dom0_max_vcpus); +integer_secure_param("dom0_max_vcpus", opt_dom0_max_vcpus); =20 /* * If true, the extended regions support is enabled for dom0 and @@ -61,7 +61,7 @@ static int __init parse_dom0_mem(const char *s) =20 return *s ? -EINVAL : 0; } -custom_param("dom0_mem", parse_dom0_mem); +custom_secure_param("dom0_mem", parse_dom0_mem); =20 int __init parse_arch_dom0_param(const char *s, const char *e) { diff --git a/xen/arch/x86/acpi/cpu_idle.c b/xen/arch/x86/acpi/cpu_idle.c index 1dbf15b01e..431fd0c997 100644 --- a/xen/arch/x86/acpi/cpu_idle.c +++ b/xen/arch/x86/acpi/cpu_idle.c 
@@ -113,7 +113,7 @@ static int __init cf_check parse_cstate(const char *s) max_csubstate =3D simple_strtoul(s + 1, NULL, 0); return 0; } -custom_param("max_cstate", parse_cstate); +custom_secure_param("max_cstate", parse_cstate); =20 static bool __read_mostly local_apic_timer_c2_ok; boolean_param("lapic_timer_c2_ok", local_apic_timer_c2_ok); diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c index 27ae167808..9aab3d05e1 100644 --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c @@ -47,7 +47,7 @@ integer_param("cpuid_mask_thermal_ecx", opt_cpuid_mask_th= ermal_ecx); =20 /* 1 =3D allow, 0 =3D don't allow guest creation, -1 =3D don't allow boot = */ int8_t __read_mostly opt_allow_unsafe; -boolean_param("allow_unsafe", opt_allow_unsafe); +boolean_secure_param("allow_unsafe", opt_allow_unsafe); =20 /* Signal whether the ACPI C1E quirk is required. */ bool __read_mostly amd_acpi_c1e_quirk; diff --git a/xen/arch/x86/cpu/mcheck/mce.c b/xen/arch/x86/cpu/mcheck/mce.c index 1c348e557d..a229af6fd3 100644 --- a/xen/arch/x86/cpu/mcheck/mce.c +++ b/xen/arch/x86/cpu/mcheck/mce.c @@ -31,7 +31,7 @@ #include "vmce.h" =20 bool __read_mostly opt_mce =3D true; -boolean_param("mce", opt_mce); +boolean_secure_param("mce", opt_mce); bool __read_mostly mce_broadcast; bool is_mc_panic; DEFINE_PER_CPU_READ_MOSTLY(unsigned int, nr_mce_banks); diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode= /core.c index 34a94cd25b..b5b7304ae7 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c @@ -160,7 +160,7 @@ static int __init cf_check parse_ucode(const char *s) =20 return rc; } -custom_param("ucode", parse_ucode); +custom_secure_param("ucode", parse_ucode); =20 static struct microcode_ops __ro_after_init ucode_ops; =20 diff --git a/xen/arch/x86/dom0_build.c b/xen/arch/x86/dom0_build.c index 0b467fd4a4..6d42acb661 100644 --- a/xen/arch/x86/dom0_build.c +++ b/xen/arch/x86/dom0_build.c 
@@ -142,7 +142,7 @@ static int __init cf_check parse_dom0_mem(const char *s) =20 return s[-1] ? -EINVAL : ret; } -custom_param("dom0_mem", parse_dom0_mem); +custom_secure_param("dom0_mem", parse_dom0_mem); =20 static unsigned int __initdata opt_dom0_max_vcpus_min =3D 1; static unsigned int __initdata opt_dom0_max_vcpus_max =3D UINT_MAX; @@ -164,7 +164,7 @@ static int __init cf_check parse_dom0_max_vcpus(const c= har *s) =20 return *s ? -EINVAL : 0; } -custom_param("dom0_max_vcpus", parse_dom0_max_vcpus); +custom_secure_param("dom0_max_vcpus", parse_dom0_max_vcpus); =20 static __initdata unsigned int dom0_nr_pxms; static __initdata unsigned int dom0_pxms[MAX_NUMNODES] =3D diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 4cb2e13046..97afb274fe 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -87,7 +87,7 @@ unsigned long __section(".bss.page_aligned") __aligned(PA= GE_SIZE) =20 /* Xen command-line option to enable HAP */ static bool __initdata opt_hap_enabled =3D true; -boolean_param("hap", opt_hap_enabled); +boolean_secure_param("hap", opt_hap_enabled); =20 #ifndef opt_hvm_fep /* Permit use of the Forced Emulation Prefix in HVM guests */ diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c index 556134f85a..44f39f6ece 100644 --- a/xen/arch/x86/irq.c +++ b/xen/arch/x86/irq.c @@ -34,7 +34,7 @@ =20 /* opt_noirqbalance: If true, software IRQ balancing/affinity is disabled.= */ bool __read_mostly opt_noirqbalance; -boolean_param("noirqbalance", opt_noirqbalance); +boolean_secure_param("noirqbalance", opt_noirqbalance); =20 unsigned int __read_mostly nr_irqs_gsi =3D NR_ISA_IRQS; unsigned int __read_mostly nr_irqs; diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 9793fa2316..3735f22e88 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c 
@@ -73,7 +73,7 @@ static int __init cf_check parse_watchdog(const char *s) =20 return 0; } -custom_param("watchdog", parse_watchdog); +custom_secure_param("watchdog", parse_watchdog); =20 /* opt_watchdog_timeout: Number of seconds to wait before panic. */ static unsigned int opt_watchdog_timeout =3D 5; diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index efeed5eafc..adfaf8667b 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -71,7 +71,7 @@ =20 /* opt_nosmp: If true, secondary processors are ignored. */ static bool __initdata opt_nosmp; -boolean_param("nosmp", opt_nosmp); +boolean_secure_param("nosmp", opt_nosmp); =20 /* maxcpus: maximum number of CPUs to activate. */ static unsigned int __initdata max_cpus; diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 092c7e4197..1a1ce541c3 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -61,7 +61,7 @@ static char __read_mostly opt_nmi[10] =3D "dom0"; #else static char __read_mostly opt_nmi[10] =3D "fatal"; #endif -string_param("nmi", opt_nmi); +string_secure_param("nmi", opt_nmi); =20 DEFINE_PER_CPU(uint64_t, efer); static DEFINE_PER_CPU(unsigned long, last_extable_addr); diff --git a/xen/arch/x86/x86_64/mmconfig-shared.c b/xen/arch/x86/x86_64/mm= config-shared.c index f1a3d42c5b..80cdca7d77 100644 --- a/xen/arch/x86/x86_64/mmconfig-shared.c +++ b/xen/arch/x86/x86_64/mmconfig-shared.c @@ -60,7 +60,7 @@ static int __init cf_check parse_mmcfg(const char *s) =20 return rc; } -custom_param("mmcfg", parse_mmcfg); +custom_secure_param("mmcfg", parse_mmcfg); =20 static const char *__init cf_check pci_mmcfg_e7520(void) { diff --git a/xen/common/domain.c b/xen/common/domain.c index abf1969e60..c95988c067 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c 
@@ -55,7 +55,7 @@ unsigned int xen_processor_pmbits =3D XEN_PROCESSOR_PM_PX; =20 /* opt_dom0_vcpus_pin: If true, dom0 VCPUs are pinned. */ bool opt_dom0_vcpus_pin; -boolean_param("dom0_vcpus_pin", opt_dom0_vcpus_pin); +boolean_secure_param("dom0_vcpus_pin", opt_dom0_vcpus_pin); =20 /* Protect updates/reads (resp.) of domain_list and domain_hash. */ DEFINE_SPINLOCK(domlist_update_lock); diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 7280da987d..923ea43cee 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -136,9 +137,16 @@ static int parse_params(const char *cmdline, const str= uct kernel_param *start, } continue; } + found =3D true; + + if ( !param->is_lockdown_safe && is_locked_down() ) + { + printk("Ignoring unsafe cmdline option %s in lockdown mode= \n", + param->name); + break; + } =20 rctmp =3D 0; - found =3D true; switch ( param->type ) { case OPT_STR: diff --git a/xen/common/kexec.c b/xen/common/kexec.c index 84fe8c3597..790839657d 100644 --- a/xen/common/kexec.c +++ b/xen/common/kexec.c @@ -189,7 +189,7 @@ static int __init cf_check parse_crashkernel(const char= *str) =20 return rc; } -custom_param("crashkernel", parse_crashkernel); +custom_secure_param("crashkernel", parse_crashkernel); =20 /* Parse command lines in the format: * diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c index 84eabe9c83..cd3deeb63e 100644 --- a/xen/common/lockdown.c +++ b/xen/common/lockdown.c @@ -35,7 +35,7 @@ static int __init parse_lockdown_opt(const char *s) =20 return 0; } -custom_param("lockdown", parse_lockdown_opt); +custom_secure_param("lockdown", parse_lockdown_opt); =20 bool is_locked_down(void) { diff --git a/xen/common/numa.c b/xen/common/numa.c index ad75955a16..c4981f2ff1 100644 --- a/xen/common/numa.c +++ b/xen/common/numa.c 
@@ -687,7 +687,7 @@ static int __init cf_check numa_setup(const char *opt) =20 return 0; } -custom_param("numa", numa_setup); +custom_secure_param("numa", numa_setup); =20 static void cf_check dump_numa(unsigned char key) { diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index e57a287133..a07690d8fd 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -235,7 +235,7 @@ static int __init cf_check parse_bootscrub_param(const = char *s) =20 return 0; } -custom_param("bootscrub", parse_bootscrub_param); +custom_secure_param("bootscrub", parse_bootscrub_param); =20 /* * bootscrub_chunk -> Amount of bytes to scrub lockstep on non-SMT CPUs diff --git a/xen/common/shutdown.c b/xen/common/shutdown.c index c47341b977..231de1454a 100644 --- a/xen/common/shutdown.c +++ b/xen/common/shutdown.c @@ -13,7 +13,7 @@ =20 /* opt_noreboot: If true, machine will need manual reset on error. */ bool __ro_after_init opt_noreboot; -boolean_param("noreboot", opt_noreboot); +boolean_secure_param("noreboot", opt_noreboot); =20 static void noreturn reboot_or_halt(void) { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index 30701ae0b0..4f4f4aab19 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -65,7 +65,7 @@ static void console_send(const char *str, size_t len, uns= igned int flags); =20 /* console: comma-separated list of console outputs. */ static char __initdata opt_console[30] =3D OPT_CONSOLE_STR; -string_param("console", opt_console); +string_secure_param("console", opt_console); =20 /* conswitch: a character pair controlling console switching. */ /* Char 1: CTRL+ is used to switch console input between Xen and DO= M0 */ diff --git a/xen/drivers/char/ns16550.c b/xen/drivers/char/ns16550.c index eaeb0e09d0..fae509cbd8 100644 --- a/xen/drivers/char/ns16550.c +++ b/xen/drivers/char/ns16550.c 
@@ -1390,8 +1390,8 @@ static void enable_exar_enhanced_bits(const struct ns= 16550 *uart) */ static char __initdata opt_com1[128] =3D ""; static char __initdata opt_com2[128] =3D ""; -string_param("com1", opt_com1); -string_param("com2", opt_com2); +string_secure_param("com1", opt_com1); +string_secure_param("com2", opt_com2); =20 enum serial_param_type { baud_rate, diff --git a/xen/drivers/video/vga.c b/xen/drivers/video/vga.c index b577b24619..abc6e56aa3 100644 --- a/xen/drivers/video/vga.c +++ b/xen/drivers/video/vga.c @@ -48,7 +48,7 @@ void (*video_puts)(const char *s, size_t nr) =3D vga_noop= _puts; * control of the console to domain 0. */ static char __initdata opt_vga[30] =3D ""; -string_param("vga", opt_vga); +string_secure_param("vga", opt_vga); =20 /* VGA text-mode definitions. */ static unsigned int columns, lines; diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h index 1bdbab34ab..31e7326d88 100644 --- a/xen/include/xen/param.h +++ b/xen/include/xen/param.h @@ -25,6 +25,7 @@ struct kernel_param { void *var; int (*func)(const char *s); } par; + bool is_lockdown_safe; }; =20 /* Maximum length of a single parameter string. */ 
@@ -44,46 +45,72 @@ extern const struct kernel_param __setup_start[], __set= up_end[]; #define _TEMP_NAME(base, line) __TEMP_NAME(base, line) #define TEMP_NAME(base) _TEMP_NAME(base, __LINE__) =20 -#define custom_param(_name, _var) \ +#define custom_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_CUSTOM, \ - .par.func =3D (_var) } -#define boolean_param(_name, _var) \ + .par.func =3D (_var), \ + .is_lockdown_safe =3D (_sec) } +#define custom_param(_name, _var) \ + custom_param_(_name, _var, false) +#define custom_secure_param(_name, _var) \ + custom_param_(_name, _var, true) +#define boolean_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_BOOL, \ .len =3D sizeof(_var) + \ BUILD_BUG_ON_ZERO(sizeof(_var) !=3D sizeof(bool)), \ - .par.var =3D &(_var) } -#define integer_param(_name, _var) \ + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define boolean_param(_name, _var) \ + boolean_param_(_name, _var, false) +#define boolean_secure_param(_name, _var) \ + boolean_param_(_name, _var, true) +#define integer_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_UINT, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } -#define size_param(_name, _var) \ + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define integer_param(_name, _var) \ + integer_param_(_name, _var, false) +#define integer_secure_param(_name, _var) \ + integer_param_(_name, _var, true) +#define size_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_SIZE, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } -#define string_param(_name, _var) \ + .par.var =3D &(_var), \ + 
.is_lockdown_safe =3D (_sec) } +#define size_param(_name, _var) \ + size_param_(_name, _var, false) +#define size_secure_param(_name, _var) \ + size_param_(_name, _var, true) +#define string_param_(_name, _var, _sec) \ __setup_str __setup_str_##_var[] =3D (_name); \ __kparam __setup_##_var =3D \ { .name =3D __setup_str_##_var, \ .type =3D OPT_STR, \ .len =3D sizeof(_var), \ - .par.var =3D &(_var) } + .par.var =3D &(_var), \ + .is_lockdown_safe =3D (_sec) } +#define string_param(_name, _var) \ + string_param_(_name, _var, false) +#define string_secure_param(_name, _var) \ + string_param_(_name, _var, true) #define ignore_param(_name) \ __setup_str TEMP_NAME(__setup_str_ign)[] =3D (_name); \ __kparam TEMP_NAME(__setup_ign) =3D \ { .name =3D TEMP_NAME(__setup_str_ign), \ - .type =3D OPT_IGNORE } + .type =3D OPT_IGNORE, \ + .is_lockdown_safe =3D true } =20 #ifdef CONFIG_HYPFS =20 --=20 2.42.0
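Review bot: in the xen/common/kernel.c hunk the new `is_locked_down()` check runs inside `parse_params()` while it is still walking the command line, so whether an unsafe option is ignored depends on lockdown already being in effect when that option is reached; since "lockdown" is itself registered as a command-line option in xen/common/lockdown.c (`custom_secure_param("lockdown", parse_lockdown_opt)`), an unsafe option placed before `lockdown=...` on the same line would be applied before the check can fire. Either state that `is_locked_down()` does not depend on the order in which options are parsed, or defer the unsafe-option filtering until the whole command line has been scanned. Two smaller points on the same hunk: the `printk("Ignoring unsafe cmdline option %s in lockdown mode\n", ...)` is a security-relevant rejection and would be better emitted at `XENLOG_WARNING` so it is not lost at a quieter log level, and moving `found = true;` ahead of the `break` deliberately suppresses the unknown-parameter path for a rejected option, which is the right behaviour but deserves a one-line comment so nobody moves the assignment back.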
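Review bot: in the xen/include/xen/param.h hunk the new `bool is_lockdown_safe;` member of `struct kernel_param` and the `_sec` argument of the `*_param_()` helper macros are undocumented; add a comment on the field stating its meaning (an option with `is_lockdown_safe == false` is parsed only when the hypervisor is not locked down, which is the default for every existing `custom_param`/`boolean_param`/`integer_param`/`size_param`/`string_param` user) and note that `ignore_param()` hardcodes it to `true`. The user-facing command-line documentation should also gain a marker for which options are honoured under lockdown, since an option that silently stops working in that mode is otherwise indistinguishable from a typo on the console.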
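Review bot: in the xen/arch/x86/cpu/amd.c hunk `allow_unsafe` is switched to `boolean_secure_param`, i.e. it stays honoured under lockdown, yet the comment directly above it describes the option as relaxing a safety check ("1 = allow, 0 = don't allow guest creation, -1 = don't allow boot"). Please justify this classification in the commit message, and more generally state the criterion used to decide which options are lockdown-safe (for instance, the same hunk series also keeps `ucode`, `hap`, `mce`, `nmi`, `console`, `com1`/`com2` and `vga` honoured), so that reviewers of later patches can apply the same rule consistently.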