[dpdk-dev,v2] igb_uio: fail and log if kernel lock down is enabled

Message ID: 20180516101851.2443-1-ferruh.yigit@intel.com (mailing list archive)
State: Superseded, archived
Delegated to: Thomas Monjalon
Checks

Context               Check    Description
ci/checkpatch         warning  coding style issues
ci/Intel-compilation  fail     Compilation issues

Commit Message

Ferruh Yigit May 16, 2018, 10:18 a.m. UTC
When EFI secure boot is enabled, it is possible to lock down kernel and
prevent accessing device BARs and this makes igb_uio unusable.

Lock down patches are not part of the vanilla kernel but they are
applied and used by some distros already [1].

It is not possible to fix this issue, but intention of this patch is to
detect and log if kernel lock down enabled and don't insert the module
for that case.

The challenge is since this feature enabled by distros, they have
different config options and APIs for it. This patch is done based on
Fedora and Ubuntu kernel source, may need to add more distro specific
support.

[1]
kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/?id=99f9ef18d5b6
And a few more patches to

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
---
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Cc: Luca Boccassi <bluca@debian.org>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>

v2:
* remove distro comments from checks
Note:
Since kernel_is_locked_down() is macro in one case, it can be used for
comparison:
 #ifdef kernel_is_locked_down
   kernel_is_locked_down(NULL)
 #else
   kernel_is_locked_down()

This will force all non macro defined cases to else and this may be
broken in the future if macro changed.

To be more protective for changes, since this patch is not upstreamed to
kernel yet, will keep config check although it is ugly.
---
 kernel/linux/igb_uio/compat.h  | 25 +++++++++++++++++++++----
 kernel/linux/igb_uio/igb_uio.c |  5 +++++
 2 files changed, 26 insertions(+), 4 deletions(-)
  

Comments

Luca Boccassi May 16, 2018, 10:50 a.m. UTC | #1
On Wed, 2018-05-16 at 11:18 +0100, Ferruh Yigit wrote:
> When EFI secure boot is enabled, it is possible to lock down kernel
> and
> prevent accessing device BARs and this makes igb_uio unusable.
> 
> Lock down patches are not part of the vanilla kernel but they are
> applied and used by some distros already [1].
> 
> It is not possible to fix this issue, but intention of this patch is
> to
> detect and log if kernel lock down enabled and don't insert the
> module
> for that case.
> 
> The challenge is since this feature enabled by distros, they have
> different config options and APIs for it. This patch is done based on
> Fedora and Ubuntu kernel source, may need to add more distro
> specific
> support.
> 
> [1]
> kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/?id=99f9ef18d5b6
> And a few more patches to
> 
> Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
> ---
> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> Cc: Luca Boccassi <bluca@debian.org>
> Cc: Maxime Coquelin <maxime.coquelin@redhat.com>
> Cc: Neil Horman <nhorman@tuxdriver.com>
> Cc: Stephen Hemminger <stephen@networkplumber.org>
> 
> v2:
> * remove distro comments from checks
> Note:
> Since kernel_is_locked_down() is macro in one case, it can be used
> for
> comparison:
>  #ifdef kernel_is_locked_down
>    kernel_is_locked_down(NULL)
>  #else
>    kernel_is_locked_down()
> 
> This will force all non macro defined cases to else and this may be
> broken in the future if macro changed.
> 
> To be more protective for changes, since this patch is not upstreamed
> to
> kernel yet, will keep config check although it is ugly.
> ---

Acked-by: Luca Boccassi <bluca@debian.org>
  

Patch

diff --git a/kernel/linux/igb_uio/compat.h b/kernel/linux/igb_uio/compat.h
index d9f4d29fc..5befec588 100644
--- a/kernel/linux/igb_uio/compat.h
+++ b/kernel/linux/igb_uio/compat.h
@@ -125,10 +125,6 @@  static bool pci_check_and_mask_intx(struct pci_dev *pdev)
 #define HAVE_PCI_IS_BRIDGE_API 1
 #endif
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
-#define HAVE_ALLOC_IRQ_VECTORS 1
-#endif
-
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
 #define HAVE_MSI_LIST_IN_GENERIC_DEVICE 1
 #endif
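
Review bot: the HAVE_ALLOC_IRQ_VECTORS block removed in this hunk is re-added unchanged lower in compat.h by the same patch, which is a reordering unrelated to lock down detection and not mentioned in the commit message. Drop the move, or send it as a separate cleanup patch, so that this diff carries only the lock down check and stays easy to review and backport.
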
@@ -136,3 +132,24 @@  static bool pci_check_and_mask_intx(struct pci_dev *pdev)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
 #define HAVE_PCI_MSI_MASK_IRQ 1
 #endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
+#define HAVE_ALLOC_IRQ_VECTORS 1
+#endif
+
+static inline bool igbuio_kernel_is_locked_down(void)
+{
+#ifdef CONFIG_LOCK_DOWN_KERNEL
+#ifdef kernel_is_locked_down
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+	return kernel_is_locked_down(NULL);
+#elif CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
+	return kernel_is_locked_down();
+#else
+	return false;
+#endif
+#else
+	return false;
+#endif
+
+}
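
Review bot: igbuio_kernel_is_locked_down() opens three conditionals ("#ifdef CONFIG_LOCK_DOWN_KERNEL", "#ifdef kernel_is_locked_down", "#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") but only two "#endif" lines close them, so the outer CONFIG_LOCK_DOWN_KERNEL block is never terminated and there is no "return false;" for kernels built without that option. Add "#else", "return false;" and "#endif" for the outer block before the closing brace. Two smaller points in the same function: "#elif CONFIG_EFI_SECURE_BOOT_LOCK_DOWN" tests the macro's value instead of using defined(), unlike the #ifdef checks around it; and both calls sit inside "#ifdef kernel_is_locked_down", so on a kernel where kernel_is_locked_down() is a function rather than a macro the helper returns false and the module loads without the log message this patch is meant to produce.
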
diff --git a/kernel/linux/igb_uio/igb_uio.c b/kernel/linux/igb_uio/igb_uio.c
index cd9b7e721..b3233f18e 100644
--- a/kernel/linux/igb_uio/igb_uio.c
+++ b/kernel/linux/igb_uio/igb_uio.c
@@ -621,6 +621,11 @@  igbuio_pci_init_module(void)
 {
 	int ret;
 
+	if (igbuio_kernel_is_locked_down()) {
+		pr_err("Not able to use module, kernel lock down is enabled\n");
+		return -EINVAL;
+	}
+
 	ret = igbuio_config_intr_mode(intr_mode);
 	if (ret < 0)
 		return ret;
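
Review bot: "return -EINVAL;" in igbuio_pci_init_module() reports a policy refusal as an invalid argument, which at module load time reads like a bad module parameter. -EPERM describes the condition more accurately. The pr_err() text could also state that access to device BARs is blocked under lock down, as the commit message explains, so the log line tells the administrator why igb_uio cannot work on this kernel.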