From: Salvatore Bonaccorso
Newsgroups: linux.debian.kernel,linux.debian.security
Subject: Re: [arm64] secure boot breach via VFIO_NOIOMMU
Date: Thu, 14 Dec 2023 09:30:02 +0100
X-Original-To: debian-kernel@lists.debian.org, debian-security@lists.debian.org, debian-efi@lists.debian.org
References: <20231213214501.33o2akvapj4n3o2r@shell.thinkmo.de>
List-Archive: https://lists.debian.org/msgid-search/ZXq8IbpeU5GOD8od@eldamar.lan
Organization: linux.* mail to news gateway

Hi,

On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
> Hi
>
> Over six years ago, support for VFIO without IOMMU was enabled for
> arm64. This is a breach of the integrity lockdown requirement of secure
> boot.
>
> VFIO is a framework for handling devices in userspace. To make
> this safe, an IOMMU is required by default. Without it, user space can
> write everywhere in memory. The code is still not conditional on
> lockdown, even if a patch was proposed.
>
> I intend to disable this option for all supported kernels.

Agreed.

For the readers reading this along, this was raised in context of
https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
and
https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464

The proposed patch probably fell through the cracks.

Regards,
Salvatore
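As an added example (not part of this thread or of the Debian kernel tree), a small shell audit of the three kernel-exposed facts the report turns on: whether CONFIG_VFIO_NOIOMMU is built into the running kernel, whether vfio's enable_unsafe_noiommu_mode parameter is switched on, and which lockdown mode is active. The input paths are parameters so the check can run on captured copies of the files; the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: audit a host for VFIO no-IOMMU mode under lockdown.
# Inputs (passed as paths so captured copies can be checked offline):
#   1. kernel build config, normally /boot/config-$(uname -r)
#   2. /sys/module/vfio/parameters/enable_unsafe_noiommu_mode ("Y" or "N")
#   3. /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality"

# Print the active lockdown mode: the bracketed word in the lockdown file.
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Exit status 0: no finding. Exit status 1: the kernel was built with
# CONFIG_VFIO_NOIOMMU while lockdown claims integrity or confidentiality,
# which is the mismatch the mail describes. The runtime parameter is only
# reported, because the build option is what lockdown does not gate.
audit_vfio_noiommu() {
    config="$1"; param="$2"; lockdown="$3"
    if ! grep -q '^CONFIG_VFIO_NOIOMMU=y' "$config"; then
        echo "ok: CONFIG_VFIO_NOIOMMU not built into this kernel"
        return 0
    fi
    enabled=$(cat "$param" 2>/dev/null || echo "N")
    mode=$(lockdown_mode "$lockdown")
    case "$mode" in
        integrity|confidentiality)
            echo "FAIL: CONFIG_VFIO_NOIOMMU=y with lockdown=$mode" \
                 "(enable_unsafe_noiommu_mode=$enabled)"
            return 1 ;;
        *)
            echo "warn: CONFIG_VFIO_NOIOMMU=y, lockdown=${mode:-unknown}" \
                 "(enable_unsafe_noiommu_mode=$enabled)"
            return 0 ;;
    esac
}

# Run against the live host when invoked as: sh audit.sh host
if [ "${1:-}" = "host" ]; then
    audit_vfio_noiommu "/boot/config-$(uname -r)" \
        /sys/module/vfio/parameters/enable_unsafe_noiommu_mode \
        /sys/kernel/security/lockdown
fi
```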