From: Kevin Lampis
To: xen-devel@lists.xenproject.org
Cc: Ross Lagerwall, Kevin Lampis
Subject: [PATCH v2 2/3] Add lockdown mode
Date: Mon, 2 Jun 2025 14:46:55 +0100
Message-ID: <20250602134656.3836280-3-kevin.lampis@cloud.com>
In-Reply-To: <20250602134656.3836280-1-kevin.lampis@cloud.com>
References: <20250602134656.3836280-1-kevin.lampis@cloud.com>

From: Ross Lagerwall

The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system.

Lockdown mode can be controlled by a Kconfig option and a command-line
parameter. It is also enabled automatically when Secure Boot is enabled
and it cannot be disabled in that case.

If enabled from the command-line then it is required to be first in the
list, otherwise Xen may process some insecure parameters before reaching
the lockdown parameter.

Signed-off-by: Ross Lagerwall
Signed-off-by: Kevin Lampis
---
Changes in v2:
- Remove custom command line parsing
- Print warning if lockdown is not first on command line
---
 xen/arch/x86/setup.c       |  1 +
 xen/common/Kconfig         |  8 ++++++
 xen/common/Makefile        |  1 +
 xen/common/kernel.c        |  7 +++++
 xen/common/lockdown.c      | 54 ++++++++++++++++++++++++++++++++++++++
 xen/include/xen/lockdown.h | 11 ++++++++
 6 files changed, 82 insertions(+)
 create mode 100644 xen/common/lockdown.c
 create mode 100644 xen/include/xen/lockdown.h

diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 1f5cb67bd0..efeed5eafc 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 0951d4c2f2..33cd669110 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig
@@ -587,4 +587,12 @@ config BUDDY_ALLOCATOR_SIZE Amount of memory reserved for the buddy allocator to serve Xen heap, working alongside the colored one. =20 +config LOCKDOWN_DEFAULT + bool "Enable lockdown mode by default" + default n + help + Lockdown mode prevents attacks from a rogue dom0 userspace from + compromising the system. This is automatically enabled when Secure + Boot is enabled. + endmenu diff --git a/xen/common/Makefile b/xen/common/Makefile index 98f0873056..b00a8a925a 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_KEXEC) +=3D kexec.o obj-$(CONFIG_KEXEC) +=3D kimage.o obj-$(CONFIG_LIVEPATCH) +=3D livepatch.o livepatch_elf.o obj-$(CONFIG_LLC_COLORING) +=3D llc-coloring.o +obj-y +=3D lockdown.o obj-$(CONFIG_VM_EVENT) +=3D mem_access.o obj-y +=3D memory.o obj-y +=3D multicall.o diff --git a/xen/common/kernel.c b/xen/common/kernel.c index 8b63ca55f1..7280da987d 100644 --- a/xen/common/kernel.c +++ b/xen/common/kernel.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -199,6 +200,8 @@ static int parse_params(const char *cmdline, const stru= ct kernel_param *start, printk("parameter \"%s\" unknown!\n", key); final_rc =3D -EINVAL; } + + lockdown_clear_first_flag(); } =20 return final_rc; @@ -216,6 +219,9 @@ static void __init _cmdline_parse(const char *cmdline) */ void __init cmdline_parse(const char *cmdline) { + /* Call this early since it affects command-line parsing */ + lockdown_init(cmdline); + if ( opt_builtin_cmdline[0] ) { printk("Built-in command line: %s\n", opt_builtin_cmdline); @@ -227,6 +233,7 @@ void __init cmdline_parse(const char *cmdline) return; =20 safe_strcpy(saved_cmdline, cmdline); + lockdown_set_first_flag(); _cmdline_parse(cmdline); #endif } diff --git a/xen/common/lockdown.c b/xen/common/lockdown.c new file mode 100644 index 0000000000..84eabe9c83 --- /dev/null +++ b/xen/common/lockdown.c 
@@ -0,0 +1,54 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#include +#include +#include + +#define FIRST_ARG_FLAG 2 + +static int __ro_after_init lockdown =3D IS_ENABLED(CONFIG_LOCKDOWN_DEFAULT= ); + +void __init lockdown_set_first_flag(void) +{ + lockdown |=3D FIRST_ARG_FLAG; +} + +void __init lockdown_clear_first_flag(void) +{ + lockdown &=3D ~FIRST_ARG_FLAG; +} + +static int __init parse_lockdown_opt(const char *s) +{ + if ( strncmp("no", s, 2) =3D=3D 0 ) + if ( efi_secure_boot ) + printk("lockdown can't be disabled because Xen booted in Secur= e Boot mode\n"); + else + lockdown =3D 0; + else + { + if ( !(lockdown & FIRST_ARG_FLAG) ) + printk("lockdown was not the first argument, unsafe arguments = may have been already processed\n"); + + lockdown =3D 1; + } + + return 0; +} +custom_param("lockdown", parse_lockdown_opt); + +bool is_locked_down(void) +{ + return lockdown & ~FIRST_ARG_FLAG; +} + +void __init lockdown_init(const char *cmdline) +{ + if ( efi_secure_boot ) + { + printk("Enabling lockdown mode because Secure Boot is enabled\n"); + lockdown =3D 1; + } + + printk("Lockdown mode is %s\n", is_locked_down() ? "enabled" : "disabl= ed"); +} diff --git a/xen/include/xen/lockdown.h b/xen/include/xen/lockdown.h new file mode 100644 index 0000000000..6ae97f9d5f --- /dev/null +++ b/xen/include/xen/lockdown.h @@ -0,0 +1,11 @@ +#ifndef XEN__LOCKDOWN_H +#define XEN__LOCKDOWN_H + +#include + +void lockdown_set_first_flag(void); +void lockdown_clear_first_flag(void); +bool is_locked_down(void); +void lockdown_init(const char *cmdline); + +#endif /* XEN__LOCKDOWN_H */ --=20 2.42.0
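Review bot: the xen/arch/x86/setup.c hunk only adds a new #include near the top of the file, and nothing else in setup.c changes in this patch, so the header is unused after bisecting to this commit; either move the include to the later patch in the series that first calls into lockdown, or say in the commit message why it is introduced here.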
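Review bot: in the xen/common/Kconfig hunk, `default n` is already the implicit Kconfig default and can be dropped, and the LOCKDOWN_DEFAULT help text should say that this option only seeds the default: the `lockdown` / `lockdown=no` command-line parameter added in this patch overrides it, while Secure Boot forces it on regardless of the option. As written, someone reading the help in menuconfig does not learn that the command-line parameter exists.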
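Review bot: `obj-y += lockdown.o` in the xen/common/Makefile hunk builds the new file into every configuration and every architecture, yet xen/common/lockdown.c reads `efi_secure_boot` unconditionally in both parse_lockdown_opt() and lockdown_init(); please confirm that symbol is declared and defined (even as a constant false) for builds without EFI support and for the non-x86 architectures, or guard the uses, otherwise common code will fail to link there.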
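Review bot: in the parse_params hunk of xen/common/kernel.c, `lockdown_clear_first_flag()` is marked `__init` in lockdown.c, but parse_params itself shows no `__init` annotation in the hunk context; if parse_params is also the parser behind runtime-settable parameters, this is a call from non-init code into init text that will be freed after boot. The call also runs after every token regardless of which parameter table is being walked, so consider keeping the first-argument tracking local to _cmdline_parse() instead of placing it in the shared loop.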
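Review bot: in the cmdline_parse hunk of xen/common/kernel.c, the built-in command line is handled in the `if ( opt_builtin_cmdline[0] )` block before `lockdown_set_first_flag()` is reached (the flag is only set just before `_cmdline_parse(cmdline)`), so `lockdown` placed first in a built-in command line always triggers the "was not the first argument" warning even though nothing was processed before it; set the flag ahead of the built-in parse as well. Separately, `lockdown_init(cmdline)` never reads its `cmdline` argument, and because it runs before any parsing its "Lockdown mode is %s" message reports the Kconfig/Secure Boot state rather than the final one; drop the parameter and either move the message after parsing or reword it as the initial state.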
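Review bot: in parse_lockdown_opt() in the xen/common/lockdown.c hunk, `strncmp("no", s, 2) == 0` treats any value starting with "no" as disable and every other value, including an empty string or a typo, as enable; use `parse_bool(s, NULL)` as other custom boolean parameters do and return -EINVAL for unrecognised values so they are reported like any other bad parameter. In the same function the nested if/else under the strncmp test relies on dangling-else binding and needs braces per CODING_STYLE, and the two warnings should carry `XENLOG_WARNING` rather than a bare printk. Packing FIRST_ARG_FLAG into the same `__ro_after_init int` as the enable state also means `lockdown = 1` and `lockdown = 0` silently clear the flag; a separate `static bool __initdata` for first-argument tracking would be clearer. Finally, the new `lockdown` parameter needs an entry in docs/misc/xen-command-line.pandoc, which the diffstat does not include.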