1. Forum
  2. Usenet
  3. LINUX.DEBIAN.KERNEL

  • [arm64] secure boot breach via VFIO_NOIOMMU

    From Bastian Blank@21:1/5 to All on Wed Dec 13 23:10:02 2023
    XPost: linux.debian.security

    Hi

    Over six years ago, support for VFIO without IOMMU was enabled for
    arm64. This is a breach of the integrity lockdown requirement of secure
    boot.

    VFIO is a framework for handle devices in userspace. To make
    this safe, an IOMMU is required by default. Without it, user space can
    write everywhere in memory. The code is still not conditional on
    lockdown, even if a patch was proposed.

    I intend to disable this option for all supported kernels.

    Regards,
    Bastian

    --
    Spock: The odds of surviving another attack are 13562190123 to 1, Captain.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Bastian Blank on Thu Dec 14 09:30:02 2023
    XPost: linux.debian.security

    Hi,

    On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
    Hi

    Over six years ago, support for VFIO without IOMMU was enabled for
    arm64. This is a breach of the integrity lockdown requirement of secure boot.

    VFIO is a framework for handle devices in userspace. To make
    this safe, an IOMMU is required by default. Without it, user space can
    write everywhere in memory. The code is still not conditional on
    lockdown, even if a patch was proposed.

    I intend to disable this option for all supported kernels.

    Agreed.

    For the readers reading this along, this was raised in context of https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
    and https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464

    The proposed patch felt probably trough the cracks.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to Salvatore Bonaccorso on Thu Dec 14 16:10:01 2023
    XPost: linux.debian.security

    On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
    Hi,

    On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
    Hi

    Over six years ago, support for VFIO without IOMMU was enabled for
    arm64. This is a breach of the integrity lockdown requirement of secure
    boot.

    VFIO is a framework for handle devices in userspace. To make
    this safe, an IOMMU is required by default. Without it, user space can
    write everywhere in memory. The code is still not conditional on
    lockdown, even if a patch was proposed.

    I intend to disable this option for all supported kernels.

    Definitely.

    Agreed.

    For the readers reading this along, this was raised in context of >https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730 >and https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464

    The proposed patch felt probably trough the cracks.

    Nod.

    --
    Steve McIntyre, Cambridge, UK. [email protected] The two hard things in computing:
    * naming things
    * cache invalidation
    * off-by-one errors -- Stig Sandbeck Mathisen

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)