[08/14] taint: add taint for direct hardware access

Message ID	20210130002438.1872527-9-ben.widawsky@intel.com
State	New
Headers	show Return-Path: <linux-acpi-owner@kernel.org> IronPort-SDR: Uc83Y3ukXLDuJd/HgkPVd4KDUXQqmrquaiGh2G1w2YuT8xwxrt70Tgw9ddlp+Tbw+ICeTnPbPu hJNg1/6NyfsQ== IronPort-SDR: m7fLWpnzSaGDDMzkIoKQE1gcfDJtpyuPc8V2ww1bEY8aPomuNC709+efCr5+o4CuEcZOz7049/ ppIAmMFJlyyg== From: Ben Widawsky <ben.widawsky@intel.com> To: linux-cxl@vger.kernel.org Cc: Ben Widawsky <ben.widawsky@intel.com>, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, linux-pci@vger.kernel.org, Bjorn Helgaas <helgaas@kernel.org>, Chris Browy <cbrowy@avery-design.com>, Christoph Hellwig <hch@infradead.org>, Dan Williams <dan.j.williams@intel.com>, Ira Weiny <ira.weiny@intel.com>, Jon Masters <jcm@jonmasters.org>, Jonathan Cameron <Jonathan.Cameron@Huawei.com>, Rafael Wysocki <rafael.j.wysocki@intel.com>, Randy Dunlap <rdunlap@infradead.org>, Vishal Verma <vishal.l.verma@intel.com>, daniel.lll@alibaba-inc.com, "John Groves (jgroves)" <jgroves@micron.com>, "Kelley, Sean V" <sean.v.kelley@intel.com> Subject: [PATCH 08/14] taint: add taint for direct hardware access Date: Fri, 29 Jan 2021 16:24:32 -0800 Message-Id: <20210130002438.1872527-9-ben.widawsky@intel.com> In-Reply-To: <20210130002438.1872527-1-ben.widawsky@intel.com> References: <20210130002438.1872527-1-ben.widawsky@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [02/14] cxl/mem: Map memory device registers [04/14] cxl/mem: Implement polled mode mailbox [06/14] cxl/mem: Add basic IOCTL interface [07/14] cxl/mem: Add send command [08/14] taint: add taint for direct hardware access [09/14] cxl/mem: Add a "RAW" send command [11/14] cxl/mem: Use CEL for enabling commands

Ben Widawsky Jan. 30, 2021, 12:24 a.m. UTC

For drivers that moderate access to the underlying hardware it is
sometimes desirable to allow userspace to bypass restrictions. Once
userspace has done this, the driver can no longer guarantee the sanctity
of either the OS or the hardware. When in this state, it is helpful for
kernel developers to be made aware (via this taint flag) of this fact
for subsequent bug reports.

Example usage:
- Hardware xyzzy accepts 2 commands, waldo and fred.
- The xyzzy driver provides an interface for using waldo, but not fred.
- quux is convinced they really need the fred command.
- xyzzy driver allows quux to frob hardware to initiate fred.
  - kernel gets tainted.
- turns out fred command is borked, and scribbles over memory.
- developers laugh while closing quux's subsequent bug report.

Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
---
 Documentation/admin-guide/sysctl/kernel.rst   | 1 +
 Documentation/admin-guide/tainted-kernels.rst | 6 +++++-
 include/linux/kernel.h                        | 3 ++-
 kernel/panic.c                                | 1 +
 4 files changed, 9 insertions(+), 2 deletions(-)

Konrad Rzeszutek Wilk Feb. 1, 2021, 6:18 p.m. UTC | #1

On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:
> For drivers that moderate access to the underlying hardware it is

> sometimes desirable to allow userspace to bypass restrictions. Once

> userspace has done this, the driver can no longer guarantee the sanctity

> of either the OS or the hardware. When in this state, it is helpful for

> kernel developers to be made aware (via this taint flag) of this fact

> for subsequent bug reports.

> 

> Example usage:

> - Hardware xyzzy accepts 2 commands, waldo and fred.

> - The xyzzy driver provides an interface for using waldo, but not fred.

> - quux is convinced they really need the fred command.

> - xyzzy driver allows quux to frob hardware to initiate fred.


Would it not be easier to _not_ frob the hardware for fred-operation?
Aka not implement it or just disallow in the first place?


>   - kernel gets tainted.

> - turns out fred command is borked, and scribbles over memory.

> - developers laugh while closing quux's subsequent bug report.


Yeah good luck with that theory in-the-field. The customer won't
care about this and will demand a solution for doing fred-operation.

Just easier to not do fred-operation in the first place,no?

Ben Widawsky Feb. 1, 2021, 6:34 p.m. UTC | #2

On 21-02-01 13:18:45, Konrad Rzeszutek Wilk wrote:
> On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:

> > For drivers that moderate access to the underlying hardware it is

> > sometimes desirable to allow userspace to bypass restrictions. Once

> > userspace has done this, the driver can no longer guarantee the sanctity

> > of either the OS or the hardware. When in this state, it is helpful for

> > kernel developers to be made aware (via this taint flag) of this fact

> > for subsequent bug reports.

> > 

> > Example usage:

> > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > - The xyzzy driver provides an interface for using waldo, but not fred.

> > - quux is convinced they really need the fred command.

> > - xyzzy driver allows quux to frob hardware to initiate fred.

> 

> Would it not be easier to _not_ frob the hardware for fred-operation?

> Aka not implement it or just disallow in the first place?

Yeah. So the idea is you either are in a transient phase of the command and some
future kernel will have real support for fred - or a vendor is being short
sighted and not adding support for fred.

> 

> 

> >   - kernel gets tainted.

> > - turns out fred command is borked, and scribbles over memory.

> > - developers laugh while closing quux's subsequent bug report.

> 

> Yeah good luck with that theory in-the-field. The customer won't

> care about this and will demand a solution for doing fred-operation.

> 

> Just easier to not do fred-operation in the first place,no?

The short answer is, in an ideal world you are correct. See nvdimm as an example
of the real world.

The longer answer. Unless we want to wait until we have all the hardware we're
ever going to see, it's impossible to have a fully baked, and validated
interface. The RAW interface is my admission that I make no guarantees about
being able to provide the perfect interface and giving the power back to the
hardware vendors and their driver writers.

As an example, suppose a vendor shipped a device with their special vendor
opcode. They can enable their customers to use that opcode on any driver
version. That seems pretty powerful and worthwhile to me.

Or a more realistic example, we ship a driver that adds a command which is
totally broken. Customers can utilize the RAW interface until it gets fixed in a
subsequent release which might be quite a ways out.

I'll say the RAW interface isn't an encouraged usage, but it's one that I expect
to be needed, and if it's not we can always try to kill it later. If nobody is
actually using it, nobody will complain, right :D

Dan Williams Feb. 1, 2021, 7:01 p.m. UTC | #3

On Mon, Feb 1, 2021 at 10:35 AM Ben Widawsky <ben.widawsky@intel.com> wrote:
>

> On 21-02-01 13:18:45, Konrad Rzeszutek Wilk wrote:

> > On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:

> > > For drivers that moderate access to the underlying hardware it is

> > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > userspace has done this, the driver can no longer guarantee the sanctity

> > > of either the OS or the hardware. When in this state, it is helpful for

> > > kernel developers to be made aware (via this taint flag) of this fact

> > > for subsequent bug reports.

> > >

> > > Example usage:

> > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > - quux is convinced they really need the fred command.

> > > - xyzzy driver allows quux to frob hardware to initiate fred.

> >

> > Would it not be easier to _not_ frob the hardware for fred-operation?

> > Aka not implement it or just disallow in the first place?

>

> Yeah. So the idea is you either are in a transient phase of the command and some

> future kernel will have real support for fred - or a vendor is being short

> sighted and not adding support for fred.

>

> >

> >

> > >   - kernel gets tainted.

> > > - turns out fred command is borked, and scribbles over memory.

> > > - developers laugh while closing quux's subsequent bug report.

> >

> > Yeah good luck with that theory in-the-field. The customer won't

> > care about this and will demand a solution for doing fred-operation.

> >

> > Just easier to not do fred-operation in the first place,no?

>

> The short answer is, in an ideal world you are correct. See nvdimm as an example

> of the real world.

>

> The longer answer. Unless we want to wait until we have all the hardware we're

> ever going to see, it's impossible to have a fully baked, and validated

> interface. The RAW interface is my admission that I make no guarantees about

> being able to provide the perfect interface and giving the power back to the

> hardware vendors and their driver writers.

>

> As an example, suppose a vendor shipped a device with their special vendor

> opcode. They can enable their customers to use that opcode on any driver

> version. That seems pretty powerful and worthwhile to me.

>


Powerful, frightening, and questionably worthwhile when there are
already examples of commands that need extra coordination for whatever
reason. However, I still think the decision tilts towards allowing
this given ongoing spec work.

NVDIMM ended up allowing unfettered vendor passthrough given the lack
of an organizing body to unify vendors. CXL on the other hand appears
to have more gravity to keep vendors honest. A WARN splat with a
taint, and a debugfs knob for the truly problematic commands seems
sufficient protection of system integrity while still following the
Linux ethos of giving system owners enough rope to make their own
decisions.

> Or a more realistic example, we ship a driver that adds a command which is

> totally broken. Customers can utilize the RAW interface until it gets fixed in a

> subsequent release which might be quite a ways out.

>

> I'll say the RAW interface isn't an encouraged usage, but it's one that I expect

> to be needed, and if it's not we can always try to kill it later. If nobody is

> actually using it, nobody will complain, right :D


It might be worthwhile to make RAW support a compile time decision so
that Linux distros can only ship support for the commands the CXL
driver-dev community has blessed, but I'll leave it to a distro
developer to second that approach.

Konrad Rzeszutek Wilk Feb. 2, 2021, 2:49 a.m. UTC | #4

On Mon, Feb 01, 2021 at 11:01:11AM -0800, Dan Williams wrote:
> On Mon, Feb 1, 2021 at 10:35 AM Ben Widawsky <ben.widawsky@intel.com> wrote:

> >

> > On 21-02-01 13:18:45, Konrad Rzeszutek Wilk wrote:

> > > On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:

> > > > For drivers that moderate access to the underlying hardware it is

> > > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > > userspace has done this, the driver can no longer guarantee the sanctity

> > > > of either the OS or the hardware. When in this state, it is helpful for

> > > > kernel developers to be made aware (via this taint flag) of this fact

> > > > for subsequent bug reports.

> > > >

> > > > Example usage:

> > > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > > - quux is convinced they really need the fred command.

> > > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > >

> > > Would it not be easier to _not_ frob the hardware for fred-operation?

> > > Aka not implement it or just disallow in the first place?

> >

> > Yeah. So the idea is you either are in a transient phase of the command and some

> > future kernel will have real support for fred - or a vendor is being short

> > sighted and not adding support for fred.

> >

> > >

> > >

> > > >   - kernel gets tainted.

> > > > - turns out fred command is borked, and scribbles over memory.

> > > > - developers laugh while closing quux's subsequent bug report.

> > >

> > > Yeah good luck with that theory in-the-field. The customer won't

> > > care about this and will demand a solution for doing fred-operation.

> > >

> > > Just easier to not do fred-operation in the first place,no?

> >

> > The short answer is, in an ideal world you are correct. See nvdimm as an example

> > of the real world.

> >

> > The longer answer. Unless we want to wait until we have all the hardware we're

> > ever going to see, it's impossible to have a fully baked, and validated

> > interface. The RAW interface is my admission that I make no guarantees about

> > being able to provide the perfect interface and giving the power back to the

> > hardware vendors and their driver writers.

> >

> > As an example, suppose a vendor shipped a device with their special vendor

> > opcode. They can enable their customers to use that opcode on any driver

> > version. That seems pretty powerful and worthwhile to me.

> >

> 

> Powerful, frightening, and questionably worthwhile when there are

> already examples of commands that need extra coordination for whatever

> reason. However, I still think the decision tilts towards allowing

> this given ongoing spec work.

> 

> NVDIMM ended up allowing unfettered vendor passthrough given the lack

> of an organizing body to unify vendors. CXL on the other hand appears

> to have more gravity to keep vendors honest. A WARN splat with a

> taint, and a debugfs knob for the truly problematic commands seems

> sufficient protection of system integrity while still following the

> Linux ethos of giving system owners enough rope to make their own

> decisions.

> 

> > Or a more realistic example, we ship a driver that adds a command which is

> > totally broken. Customers can utilize the RAW interface until it gets fixed in a

> > subsequent release which might be quite a ways out.

> >

> > I'll say the RAW interface isn't an encouraged usage, but it's one that I expect

> > to be needed, and if it's not we can always try to kill it later. If nobody is

> > actually using it, nobody will complain, right :D

> 

> It might be worthwhile to make RAW support a compile time decision so

> that Linux distros can only ship support for the commands the CXL

> driver-dev community has blessed, but I'll leave it to a distro

> developer to second that approach.


Couple of thoughts here:

 - As distro developer (well, actually middle manager of distro
   developers) this approach of raw interface is a headache.

   Customers will pick it and use it since it is there and the poor
   support folks will have to go through layers of different devices to
   say (for example) to finally find out that some OEM firmware opcode
   X is a debug facility for inserting corrupted data, while for another vendor
   the same X opcode makes it go super-fast.

   Not that anybody would do that, right? Ha!

 - I will imagine that some of the more vocal folks in the community
   will make it difficult to integrate these patches with these two
   (especially this taint one). This will make the acceptance of these
   patches more difficult than it should be. If you really want them,
   perhaps make them part of another patchset, or a follow up ones.

 - I still don't get why as a brand new community hacks are coming up
   (even when the hardware is not yet there) instead of pushing back at
   the vendors to have a clean up interface. I get in say two or three
   years these things .. but from the start? I get your point about
   flexibility, but it seems to me that the right way is not give open
   RAW interface (big barndoor) but rather maintain the driver and grow
   it (properly constructed doors) as more functionality comes about
   and then adding it in the driver.

Dan Williams Feb. 2, 2021, 5:46 p.m. UTC | #5

On Mon, Feb 1, 2021 at 6:50 PM Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
>

> On Mon, Feb 01, 2021 at 11:01:11AM -0800, Dan Williams wrote:

> > On Mon, Feb 1, 2021 at 10:35 AM Ben Widawsky <ben.widawsky@intel.com> wrote:

> > >

> > > On 21-02-01 13:18:45, Konrad Rzeszutek Wilk wrote:

> > > > On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:

> > > > > For drivers that moderate access to the underlying hardware it is

> > > > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > > > userspace has done this, the driver can no longer guarantee the sanctity

> > > > > of either the OS or the hardware. When in this state, it is helpful for

> > > > > kernel developers to be made aware (via this taint flag) of this fact

> > > > > for subsequent bug reports.

> > > > >

> > > > > Example usage:

> > > > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > > > - quux is convinced they really need the fred command.

> > > > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > > >

> > > > Would it not be easier to _not_ frob the hardware for fred-operation?

> > > > Aka not implement it or just disallow in the first place?

> > >

> > > Yeah. So the idea is you either are in a transient phase of the command and some

> > > future kernel will have real support for fred - or a vendor is being short

> > > sighted and not adding support for fred.

> > >

> > > >

> > > >

> > > > >   - kernel gets tainted.

> > > > > - turns out fred command is borked, and scribbles over memory.

> > > > > - developers laugh while closing quux's subsequent bug report.

> > > >

> > > > Yeah good luck with that theory in-the-field. The customer won't

> > > > care about this and will demand a solution for doing fred-operation.

> > > >

> > > > Just easier to not do fred-operation in the first place,no?

> > >

> > > The short answer is, in an ideal world you are correct. See nvdimm as an example

> > > of the real world.

> > >

> > > The longer answer. Unless we want to wait until we have all the hardware we're

> > > ever going to see, it's impossible to have a fully baked, and validated

> > > interface. The RAW interface is my admission that I make no guarantees about

> > > being able to provide the perfect interface and giving the power back to the

> > > hardware vendors and their driver writers.

> > >

> > > As an example, suppose a vendor shipped a device with their special vendor

> > > opcode. They can enable their customers to use that opcode on any driver

> > > version. That seems pretty powerful and worthwhile to me.

> > >

> >

> > Powerful, frightening, and questionably worthwhile when there are

> > already examples of commands that need extra coordination for whatever

> > reason. However, I still think the decision tilts towards allowing

> > this given ongoing spec work.

> >

> > NVDIMM ended up allowing unfettered vendor passthrough given the lack

> > of an organizing body to unify vendors. CXL on the other hand appears

> > to have more gravity to keep vendors honest. A WARN splat with a

> > taint, and a debugfs knob for the truly problematic commands seems

> > sufficient protection of system integrity while still following the

> > Linux ethos of giving system owners enough rope to make their own

> > decisions.

> >

> > > Or a more realistic example, we ship a driver that adds a command which is

> > > totally broken. Customers can utilize the RAW interface until it gets fixed in a

> > > subsequent release which might be quite a ways out.

> > >

> > > I'll say the RAW interface isn't an encouraged usage, but it's one that I expect

> > > to be needed, and if it's not we can always try to kill it later. If nobody is

> > > actually using it, nobody will complain, right :D

> >

> > It might be worthwhile to make RAW support a compile time decision so

> > that Linux distros can only ship support for the commands the CXL

> > driver-dev community has blessed, but I'll leave it to a distro

> > developer to second that approach.

>

> Couple of thoughts here:


I am compelled to challenge these assertions because this set is
*more* conservative than the current libnvdimm situation which is
silent by default about the vendor pasthrough. How can this be worse
when the same scope of possible damage is now loudly reported rather
than silent?

>

>  - As distro developer (well, actually middle manager of distro

>    developers) this approach of raw interface is a headache.


You've convinced me that this needs a compile time disable, is that
not sufficient?

>

>    Customers will pick it


Why will they pick it when the kernel screams bloody murder at them
when it gets used?

> and use it since it is there and the poor

>    support folks will have to go through layers of different devices


What layers willl support folks need to dig through when the WARN
splat is clearly present in the log and the taint flag is visible in
any future crash?

>    say (for example) to finally find out that some OEM firmware opcode

>    X is a debug facility for inserting corrupted data, while for another vendor

>    the same X opcode makes it go super-fast.


None of these commands are in the fast path.

>

>    Not that anybody would do that, right? Ha!


We can look to libnvdimm + ndctl to see the trend. I have not
encountered new competing manageability tool efforts, and the existing
collisions between ndctl and ipmctl are resolving to defeature ipmctl
where ndctl and the standard / native command path can do the job.

>

>  - I will imagine that some of the more vocal folks in the community

>    will make it difficult to integrate these patches with these two

>    (especially this taint one). This will make the acceptance of these

>    patches more difficult than it should be. If you really want them,

>    perhaps make them part of another patchset, or a follow up ones.


The patches are out now and no such pushback from others has arisen. I
believe your proposal for compile-time disable is reasonable and would
satisfy those concerns.

>

>  - I still don't get why as a brand new community hacks are coming up

>    (even when the hardware is not yet there) instead of pushing back at

>    the vendors to have a clean up interface. I get in say two or three

>    years these things .. but from the start? I get your point about

>    flexibility, but it seems to me that the right way is not give open

>    RAW interface (big barndoor) but rather maintain the driver and grow

>    it (properly constructed doors) as more functionality comes about

>    and then adding it in the driver.

>


Again, WARN_TAINT and now the threat of vendor tools not being
generally distributable across distro kernels that turn this off, is a
more strict stance than libnvdimm where the worst fears have yet to
come to fruition. In the meantime this enabling is useful for a
validation test bench kernel for new hardware bringup while the
upstream api formalization work continues.

Dan Williams Feb. 8, 2021, 10 p.m. UTC | #6

[ add Jon Corbet as I'd expect him to be Cc'd on anything that
generically touches Documentation/ like this, and add Kees as the last
person who added a taint (tag you're it) ]

Jon, Kees, are either of you willing to ack this concept?

Top-posting to add more context for the below:

This taint is proposed because it has implications for
CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices
implement memory like DDR would, but unlike DDR there are
administrative / configuration commands that demand kernel
coordination before they can be sent. The posture taken with this
taint is "guilty until proven innocent" for commands that have yet to
be explicitly allowed by the driver. This is different than NVME for
example where an errant vendor-defined command could destroy data on
the device, but there is no wider threat to system integrity. The
taint allows a pressure release valve for any and all commands to be
sent, but flagged with WARN_TAINT_ONCE if the driver has not
explicitly enabled it on an allowed list of known-good / kernel
coordinated commands.

On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>

> For drivers that moderate access to the underlying hardware it is

> sometimes desirable to allow userspace to bypass restrictions. Once

> userspace has done this, the driver can no longer guarantee the sanctity

> of either the OS or the hardware. When in this state, it is helpful for

> kernel developers to be made aware (via this taint flag) of this fact

> for subsequent bug reports.

>

> Example usage:

> - Hardware xyzzy accepts 2 commands, waldo and fred.

> - The xyzzy driver provides an interface for using waldo, but not fred.

> - quux is convinced they really need the fred command.

> - xyzzy driver allows quux to frob hardware to initiate fred.

>   - kernel gets tainted.

> - turns out fred command is borked, and scribbles over memory.

> - developers laugh while closing quux's subsequent bug report.

>

> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>

> ---

>  Documentation/admin-guide/sysctl/kernel.rst   | 1 +

>  Documentation/admin-guide/tainted-kernels.rst | 6 +++++-

>  include/linux/kernel.h                        | 3 ++-

>  kernel/panic.c                                | 1 +

>  4 files changed, 9 insertions(+), 2 deletions(-)

>

> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst

> index 1d56a6b73a4e..3e1eada53504 100644

> --- a/Documentation/admin-guide/sysctl/kernel.rst

> +++ b/Documentation/admin-guide/sysctl/kernel.rst

> @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports.

>   32768  `(K)`  kernel has been live patched

>   65536  `(X)`  Auxiliary taint, defined and used by for distros

>  131072  `(T)`  The kernel was built with the struct randomization plugin

> +262144  `(H)`  The kernel has allowed vendor shenanigans

>  ======  =====  ==============================================================

>

>  See :doc:`/admin-guide/tainted-kernels` for more information.

> diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst

> index ceeed7b0798d..ee2913316344 100644

> --- a/Documentation/admin-guide/tainted-kernels.rst

> +++ b/Documentation/admin-guide/tainted-kernels.rst

> @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned

>  script, but if you need something quick you can use this shell command to check

>  which bits are set::

>

> -       $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

> +       $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

>

>  Table for decoding tainted state

>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> @@ -100,6 +100,7 @@ Bit  Log  Number  Reason that got the kernel tainted

>   15  _/K   32768  kernel has been live patched

>   16  _/X   65536  auxiliary taint, defined for and used by distros

>   17  _/T  131072  kernel was built with the struct randomization plugin

> + 18  _/H  262144  kernel has allowed vendor shenanigans

>  ===  ===  ======  ========================================================

>

>  Note: The character ``_`` is representing a blank in this table to make reading

> @@ -175,3 +176,6 @@ More detailed explanation for tainting

>       produce extremely unusual kernel structure layouts (even performance

>       pathological ones), which is important to know when debugging. Set at

>       build time.

> +

> + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make

> +     any guarantees about the stability of the device or driver.

> diff --git a/include/linux/kernel.h b/include/linux/kernel.h

> index f7902d8c1048..bc95486f817e 100644

> --- a/include/linux/kernel.h

> +++ b/include/linux/kernel.h

> @@ -443,7 +443,8 @@ extern enum system_states {

>  #define TAINT_LIVEPATCH                        15

>  #define TAINT_AUX                      16

>  #define TAINT_RANDSTRUCT               17

> -#define TAINT_FLAGS_COUNT              18

> +#define TAINT_RAW_PASSTHROUGH          18

> +#define TAINT_FLAGS_COUNT              19

>  #define TAINT_FLAGS_MAX                        ((1UL << TAINT_FLAGS_COUNT) - 1)

>

>  struct taint_flag {

> diff --git a/kernel/panic.c b/kernel/panic.c

> index 332736a72a58..dff22bd80eaf 100644

> --- a/kernel/panic.c

> +++ b/kernel/panic.c

> @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {

>         [ TAINT_LIVEPATCH ]             = { 'K', ' ', true },

>         [ TAINT_AUX ]                   = { 'X', ' ', true },

>         [ TAINT_RANDSTRUCT ]            = { 'T', ' ', true },

> +       [ TAINT_RAW_PASSTHROUGH ]       = { 'H', ' ', true },

>  };

>

>  /**

> --

> 2.30.0

>

Kees Cook Feb. 8, 2021, 10:09 p.m. UTC | #7

On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:
> [ add Jon Corbet as I'd expect him to be Cc'd on anything that

> generically touches Documentation/ like this, and add Kees as the last

> person who added a taint (tag you're it) ]

> 

> Jon, Kees, are either of you willing to ack this concept?

> 

> Top-posting to add more context for the below:

> 

> This taint is proposed because it has implications for

> CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices

> implement memory like DDR would, but unlike DDR there are

> administrative / configuration commands that demand kernel

> coordination before they can be sent. The posture taken with this

> taint is "guilty until proven innocent" for commands that have yet to

> be explicitly allowed by the driver. This is different than NVME for

> example where an errant vendor-defined command could destroy data on

> the device, but there is no wider threat to system integrity. The

> taint allows a pressure release valve for any and all commands to be

> sent, but flagged with WARN_TAINT_ONCE if the driver has not

> explicitly enabled it on an allowed list of known-good / kernel

> coordinated commands.

> 

> On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:

> >

> > For drivers that moderate access to the underlying hardware it is

> > sometimes desirable to allow userspace to bypass restrictions. Once

> > userspace has done this, the driver can no longer guarantee the sanctity

> > of either the OS or the hardware. When in this state, it is helpful for

> > kernel developers to be made aware (via this taint flag) of this fact

> > for subsequent bug reports.

> >

> > Example usage:

> > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > - The xyzzy driver provides an interface for using waldo, but not fred.

> > - quux is convinced they really need the fred command.

> > - xyzzy driver allows quux to frob hardware to initiate fred.

> >   - kernel gets tainted.

> > - turns out fred command is borked, and scribbles over memory.

> > - developers laugh while closing quux's subsequent bug report.


But a taint flag only lasts for the current boot. If this is a drive, it
could still be compromised after reboot. It sounds like this taint is
really only for ephemeral things? "vendor shenanigans" is a pretty giant
scope ...

-Kees

> >

> > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>

> > ---

> >  Documentation/admin-guide/sysctl/kernel.rst   | 1 +

> >  Documentation/admin-guide/tainted-kernels.rst | 6 +++++-

> >  include/linux/kernel.h                        | 3 ++-

> >  kernel/panic.c                                | 1 +

> >  4 files changed, 9 insertions(+), 2 deletions(-)

> >

> > diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst

> > index 1d56a6b73a4e..3e1eada53504 100644

> > --- a/Documentation/admin-guide/sysctl/kernel.rst

> > +++ b/Documentation/admin-guide/sysctl/kernel.rst

> > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports.

> >   32768  `(K)`  kernel has been live patched

> >   65536  `(X)`  Auxiliary taint, defined and used by for distros

> >  131072  `(T)`  The kernel was built with the struct randomization plugin

> > +262144  `(H)`  The kernel has allowed vendor shenanigans

> >  ======  =====  ==============================================================

> >

> >  See :doc:`/admin-guide/tainted-kernels` for more information.

> > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst

> > index ceeed7b0798d..ee2913316344 100644

> > --- a/Documentation/admin-guide/tainted-kernels.rst

> > +++ b/Documentation/admin-guide/tainted-kernels.rst

> > @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned

> >  script, but if you need something quick you can use this shell command to check

> >  which bits are set::

> >

> > -       $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

> > +       $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

> >

> >  Table for decoding tainted state

> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > @@ -100,6 +100,7 @@ Bit  Log  Number  Reason that got the kernel tainted

> >   15  _/K   32768  kernel has been live patched

> >   16  _/X   65536  auxiliary taint, defined for and used by distros

> >   17  _/T  131072  kernel was built with the struct randomization plugin

> > + 18  _/H  262144  kernel has allowed vendor shenanigans

> >  ===  ===  ======  ========================================================

> >

> >  Note: The character ``_`` is representing a blank in this table to make reading

> > @@ -175,3 +176,6 @@ More detailed explanation for tainting

> >       produce extremely unusual kernel structure layouts (even performance

> >       pathological ones), which is important to know when debugging. Set at

> >       build time.

> > +

> > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make

> > +     any guarantees about the stability of the device or driver.

> > diff --git a/include/linux/kernel.h b/include/linux/kernel.h

> > index f7902d8c1048..bc95486f817e 100644

> > --- a/include/linux/kernel.h

> > +++ b/include/linux/kernel.h

> > @@ -443,7 +443,8 @@ extern enum system_states {

> >  #define TAINT_LIVEPATCH                        15

> >  #define TAINT_AUX                      16

> >  #define TAINT_RANDSTRUCT               17

> > -#define TAINT_FLAGS_COUNT              18

> > +#define TAINT_RAW_PASSTHROUGH          18

> > +#define TAINT_FLAGS_COUNT              19

> >  #define TAINT_FLAGS_MAX                        ((1UL << TAINT_FLAGS_COUNT) - 1)

> >

> >  struct taint_flag {

> > diff --git a/kernel/panic.c b/kernel/panic.c

> > index 332736a72a58..dff22bd80eaf 100644

> > --- a/kernel/panic.c

> > +++ b/kernel/panic.c

> > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {

> >         [ TAINT_LIVEPATCH ]             = { 'K', ' ', true },

> >         [ TAINT_AUX ]                   = { 'X', ' ', true },

> >         [ TAINT_RANDSTRUCT ]            = { 'T', ' ', true },

> > +       [ TAINT_RAW_PASSTHROUGH ]       = { 'H', ' ', true },

> >  };

> >

> >  /**

> > --

> > 2.30.0

> >


-- 
Kees Cook

Ben Widawsky Feb. 8, 2021, 11:05 p.m. UTC | #8

On 21-02-08 14:09:19, Kees Cook wrote:
> On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:

> > [ add Jon Corbet as I'd expect him to be Cc'd on anything that

> > generically touches Documentation/ like this, and add Kees as the last

> > person who added a taint (tag you're it) ]

> > 

> > Jon, Kees, are either of you willing to ack this concept?

> > 

> > Top-posting to add more context for the below:

> > 

> > This taint is proposed because it has implications for

> > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices

> > implement memory like DDR would, but unlike DDR there are

> > administrative / configuration commands that demand kernel

> > coordination before they can be sent. The posture taken with this

> > taint is "guilty until proven innocent" for commands that have yet to

> > be explicitly allowed by the driver. This is different than NVME for

> > example where an errant vendor-defined command could destroy data on

> > the device, but there is no wider threat to system integrity. The

> > taint allows a pressure release valve for any and all commands to be

> > sent, but flagged with WARN_TAINT_ONCE if the driver has not

> > explicitly enabled it on an allowed list of known-good / kernel

> > coordinated commands.

> > 

> > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:

> > >

> > > For drivers that moderate access to the underlying hardware it is

> > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > userspace has done this, the driver can no longer guarantee the sanctity

> > > of either the OS or the hardware. When in this state, it is helpful for

> > > kernel developers to be made aware (via this taint flag) of this fact

> > > for subsequent bug reports.

> > >

> > > Example usage:

> > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > - quux is convinced they really need the fred command.

> > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > >   - kernel gets tainted.

> > > - turns out fred command is borked, and scribbles over memory.

> > > - developers laugh while closing quux's subsequent bug report.

> 

> But a taint flag only lasts for the current boot. If this is a drive, it

> could still be compromised after reboot. It sounds like this taint is

> really only for ephemeral things? "vendor shenanigans" is a pretty giant

> scope ...

> 

> -Kees

> 


Good point. Any suggestions?

> > >

> > > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>

> > > ---

> > >  Documentation/admin-guide/sysctl/kernel.rst   | 1 +

> > >  Documentation/admin-guide/tainted-kernels.rst | 6 +++++-

> > >  include/linux/kernel.h                        | 3 ++-

> > >  kernel/panic.c                                | 1 +

> > >  4 files changed, 9 insertions(+), 2 deletions(-)

> > >

> > > diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst

> > > index 1d56a6b73a4e..3e1eada53504 100644

> > > --- a/Documentation/admin-guide/sysctl/kernel.rst

> > > +++ b/Documentation/admin-guide/sysctl/kernel.rst

> > > @@ -1352,6 +1352,7 @@ ORed together. The letters are seen in "Tainted" line of Oops reports.

> > >   32768  `(K)`  kernel has been live patched

> > >   65536  `(X)`  Auxiliary taint, defined and used by for distros

> > >  131072  `(T)`  The kernel was built with the struct randomization plugin

> > > +262144  `(H)`  The kernel has allowed vendor shenanigans

> > >  ======  =====  ==============================================================

> > >

> > >  See :doc:`/admin-guide/tainted-kernels` for more information.

> > > diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst

> > > index ceeed7b0798d..ee2913316344 100644

> > > --- a/Documentation/admin-guide/tainted-kernels.rst

> > > +++ b/Documentation/admin-guide/tainted-kernels.rst

> > > @@ -74,7 +74,7 @@ a particular type of taint. It's best to leave that to the aforementioned

> > >  script, but if you need something quick you can use this shell command to check

> > >  which bits are set::

> > >

> > > -       $ for i in $(seq 18); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

> > > +       $ for i in $(seq 19); do echo $(($i-1)) $(($(cat /proc/sys/kernel/tainted)>>($i-1)&1));done

> > >

> > >  Table for decoding tainted state

> > >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > > @@ -100,6 +100,7 @@ Bit  Log  Number  Reason that got the kernel tainted

> > >   15  _/K   32768  kernel has been live patched

> > >   16  _/X   65536  auxiliary taint, defined for and used by distros

> > >   17  _/T  131072  kernel was built with the struct randomization plugin

> > > + 18  _/H  262144  kernel has allowed vendor shenanigans

> > >  ===  ===  ======  ========================================================

> > >

> > >  Note: The character ``_`` is representing a blank in this table to make reading

> > > @@ -175,3 +176,6 @@ More detailed explanation for tainting

> > >       produce extremely unusual kernel structure layouts (even performance

> > >       pathological ones), which is important to know when debugging. Set at

> > >       build time.

> > > +

> > > + 18) ``H`` Kernel has allowed direct access to hardware and can no longer make

> > > +     any guarantees about the stability of the device or driver.

> > > diff --git a/include/linux/kernel.h b/include/linux/kernel.h

> > > index f7902d8c1048..bc95486f817e 100644

> > > --- a/include/linux/kernel.h

> > > +++ b/include/linux/kernel.h

> > > @@ -443,7 +443,8 @@ extern enum system_states {

> > >  #define TAINT_LIVEPATCH                        15

> > >  #define TAINT_AUX                      16

> > >  #define TAINT_RANDSTRUCT               17

> > > -#define TAINT_FLAGS_COUNT              18

> > > +#define TAINT_RAW_PASSTHROUGH          18

> > > +#define TAINT_FLAGS_COUNT              19

> > >  #define TAINT_FLAGS_MAX                        ((1UL << TAINT_FLAGS_COUNT) - 1)

> > >

> > >  struct taint_flag {

> > > diff --git a/kernel/panic.c b/kernel/panic.c

> > > index 332736a72a58..dff22bd80eaf 100644

> > > --- a/kernel/panic.c

> > > +++ b/kernel/panic.c

> > > @@ -386,6 +386,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = {

> > >         [ TAINT_LIVEPATCH ]             = { 'K', ' ', true },

> > >         [ TAINT_AUX ]                   = { 'X', ' ', true },

> > >         [ TAINT_RANDSTRUCT ]            = { 'T', ' ', true },

> > > +       [ TAINT_RAW_PASSTHROUGH ]       = { 'H', ' ', true },

> > >  };

> > >

> > >  /**

> > > --

> > > 2.30.0

> > >

> 

> -- 

> Kees Cook

Dan Williams Feb. 8, 2021, 11:36 p.m. UTC | #9

On Mon, Feb 8, 2021 at 2:09 PM Kees Cook <keescook@chromium.org> wrote:
>

> On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:

> > [ add Jon Corbet as I'd expect him to be Cc'd on anything that

> > generically touches Documentation/ like this, and add Kees as the last

> > person who added a taint (tag you're it) ]

> >

> > Jon, Kees, are either of you willing to ack this concept?

> >

> > Top-posting to add more context for the below:

> >

> > This taint is proposed because it has implications for

> > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices

> > implement memory like DDR would, but unlike DDR there are

> > administrative / configuration commands that demand kernel

> > coordination before they can be sent. The posture taken with this

> > taint is "guilty until proven innocent" for commands that have yet to

> > be explicitly allowed by the driver. This is different than NVME for

> > example where an errant vendor-defined command could destroy data on

> > the device, but there is no wider threat to system integrity. The

> > taint allows a pressure release valve for any and all commands to be

> > sent, but flagged with WARN_TAINT_ONCE if the driver has not

> > explicitly enabled it on an allowed list of known-good / kernel

> > coordinated commands.

> >

> > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:

> > >

> > > For drivers that moderate access to the underlying hardware it is

> > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > userspace has done this, the driver can no longer guarantee the sanctity

> > > of either the OS or the hardware. When in this state, it is helpful for

> > > kernel developers to be made aware (via this taint flag) of this fact

> > > for subsequent bug reports.

> > >

> > > Example usage:

> > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > - quux is convinced they really need the fred command.

> > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > >   - kernel gets tainted.

> > > - turns out fred command is borked, and scribbles over memory.

> > > - developers laugh while closing quux's subsequent bug report.

>

> But a taint flag only lasts for the current boot. If this is a drive, it

> could still be compromised after reboot. It sounds like this taint is

> really only for ephemeral things? "vendor shenanigans" is a pretty giant

> scope ...

>


That is true. This is more about preventing an ecosystem / cottage
industry of tooling built around bypassing the kernel. So the kernel
complains loudly and hopefully prevents vendor tooling from
propagating and instead directs that development effort back to the
native tooling. However for the rare "I know what I'm doing" cases,
this tainted kernel bypass lets some experimentation and debug happen,
but the kernel is transparent that when the capability ships in
production it needs to be a native implementation.

So it's less, "the system integrity is compromised" and more like
"you're bypassing the development process that ensures sanity for CXL
implementations that may take down a system if implemented
incorrectly". For example, NVME reset is a non-invent, CXL reset can
be like surprise removing DDR DIMM.

Should this be more tightly scoped to CXL? I had hoped to use this in
other places in LIBNVDIMM, but I'm ok to lose some generality for the
specific concerns that make CXL devices different than other PCI
endpoints.

Dan Williams Feb. 9, 2021, 1:03 a.m. UTC | #10

On Mon, Feb 8, 2021 at 3:36 PM Dan Williams <dan.j.williams@intel.com> wrote:
>

> On Mon, Feb 8, 2021 at 2:09 PM Kees Cook <keescook@chromium.org> wrote:

> >

> > On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:

> > > [ add Jon Corbet as I'd expect him to be Cc'd on anything that

> > > generically touches Documentation/ like this, and add Kees as the last

> > > person who added a taint (tag you're it) ]

> > >

> > > Jon, Kees, are either of you willing to ack this concept?

> > >

> > > Top-posting to add more context for the below:

> > >

> > > This taint is proposed because it has implications for

> > > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices

> > > implement memory like DDR would, but unlike DDR there are

> > > administrative / configuration commands that demand kernel

> > > coordination before they can be sent. The posture taken with this

> > > taint is "guilty until proven innocent" for commands that have yet to

> > > be explicitly allowed by the driver. This is different than NVME for

> > > example where an errant vendor-defined command could destroy data on

> > > the device, but there is no wider threat to system integrity. The

> > > taint allows a pressure release valve for any and all commands to be

> > > sent, but flagged with WARN_TAINT_ONCE if the driver has not

> > > explicitly enabled it on an allowed list of known-good / kernel

> > > coordinated commands.

> > >

> > > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:

> > > >

> > > > For drivers that moderate access to the underlying hardware it is

> > > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > > userspace has done this, the driver can no longer guarantee the sanctity

> > > > of either the OS or the hardware. When in this state, it is helpful for

> > > > kernel developers to be made aware (via this taint flag) of this fact

> > > > for subsequent bug reports.

> > > >

> > > > Example usage:

> > > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > > - quux is convinced they really need the fred command.

> > > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > > >   - kernel gets tainted.

> > > > - turns out fred command is borked, and scribbles over memory.

> > > > - developers laugh while closing quux's subsequent bug report.

> >

> > But a taint flag only lasts for the current boot. If this is a drive, it

> > could still be compromised after reboot. It sounds like this taint is

> > really only for ephemeral things? "vendor shenanigans" is a pretty giant

> > scope ...

> >

>

> That is true. This is more about preventing an ecosystem / cottage

> industry of tooling built around bypassing the kernel. So the kernel

> complains loudly and hopefully prevents vendor tooling from

> propagating and instead directs that development effort back to the

> native tooling. However for the rare "I know what I'm doing" cases,

> this tainted kernel bypass lets some experimentation and debug happen,

> but the kernel is transparent that when the capability ships in

> production it needs to be a native implementation.

>

> So it's less, "the system integrity is compromised" and more like

> "you're bypassing the development process that ensures sanity for CXL

> implementations that may take down a system if implemented

> incorrectly". For example, NVME reset is a non-invent, CXL reset can

> be like surprise removing DDR DIMM.

>

> Should this be more tightly scoped to CXL? I had hoped to use this in

> other places in LIBNVDIMM, but I'm ok to lose some generality for the

> specific concerns that make CXL devices different than other PCI

> endpoints.


As I type this out it strikes me that plain WARN already does
TAINT_WARN and meets the spirit of what is trying to be achieved.

Appreciate the skeptical eye Kees, we'll drop this one.

Ben Widawsky Feb. 9, 2021, 3:36 a.m. UTC | #11

On 21-02-08 17:03:25, Dan Williams wrote:
> On Mon, Feb 8, 2021 at 3:36 PM Dan Williams <dan.j.williams@intel.com> wrote:

> >

> > On Mon, Feb 8, 2021 at 2:09 PM Kees Cook <keescook@chromium.org> wrote:

> > >

> > > On Mon, Feb 08, 2021 at 02:00:33PM -0800, Dan Williams wrote:

> > > > [ add Jon Corbet as I'd expect him to be Cc'd on anything that

> > > > generically touches Documentation/ like this, and add Kees as the last

> > > > person who added a taint (tag you're it) ]

> > > >

> > > > Jon, Kees, are either of you willing to ack this concept?

> > > >

> > > > Top-posting to add more context for the below:

> > > >

> > > > This taint is proposed because it has implications for

> > > > CONFIG_LOCK_DOWN_KERNEL among other things. These CXL devices

> > > > implement memory like DDR would, but unlike DDR there are

> > > > administrative / configuration commands that demand kernel

> > > > coordination before they can be sent. The posture taken with this

> > > > taint is "guilty until proven innocent" for commands that have yet to

> > > > be explicitly allowed by the driver. This is different than NVME for

> > > > example where an errant vendor-defined command could destroy data on

> > > > the device, but there is no wider threat to system integrity. The

> > > > taint allows a pressure release valve for any and all commands to be

> > > > sent, but flagged with WARN_TAINT_ONCE if the driver has not

> > > > explicitly enabled it on an allowed list of known-good / kernel

> > > > coordinated commands.

> > > >

> > > > On Fri, Jan 29, 2021 at 4:25 PM Ben Widawsky <ben.widawsky@intel.com> wrote:

> > > > >

> > > > > For drivers that moderate access to the underlying hardware it is

> > > > > sometimes desirable to allow userspace to bypass restrictions. Once

> > > > > userspace has done this, the driver can no longer guarantee the sanctity

> > > > > of either the OS or the hardware. When in this state, it is helpful for

> > > > > kernel developers to be made aware (via this taint flag) of this fact

> > > > > for subsequent bug reports.

> > > > >

> > > > > Example usage:

> > > > > - Hardware xyzzy accepts 2 commands, waldo and fred.

> > > > > - The xyzzy driver provides an interface for using waldo, but not fred.

> > > > > - quux is convinced they really need the fred command.

> > > > > - xyzzy driver allows quux to frob hardware to initiate fred.

> > > > >   - kernel gets tainted.

> > > > > - turns out fred command is borked, and scribbles over memory.

> > > > > - developers laugh while closing quux's subsequent bug report.

> > >

> > > But a taint flag only lasts for the current boot. If this is a drive, it

> > > could still be compromised after reboot. It sounds like this taint is

> > > really only for ephemeral things? "vendor shenanigans" is a pretty giant

> > > scope ...

> > >

> >

> > That is true. This is more about preventing an ecosystem / cottage

> > industry of tooling built around bypassing the kernel. So the kernel

> > complains loudly and hopefully prevents vendor tooling from

> > propagating and instead directs that development effort back to the

> > native tooling. However for the rare "I know what I'm doing" cases,

> > this tainted kernel bypass lets some experimentation and debug happen,

> > but the kernel is transparent that when the capability ships in

> > production it needs to be a native implementation.

> >

> > So it's less, "the system integrity is compromised" and more like

> > "you're bypassing the development process that ensures sanity for CXL

> > implementations that may take down a system if implemented

> > incorrectly". For example, NVME reset is a non-invent, CXL reset can

> > be like surprise removing DDR DIMM.

> >

> > Should this be more tightly scoped to CXL? I had hoped to use this in

> > other places in LIBNVDIMM, but I'm ok to lose some generality for the

> > specific concerns that make CXL devices different than other PCI

> > endpoints.

> 

> As I type this out it strikes me that plain WARN already does

> TAINT_WARN and meets the spirit of what is trying to be achieved.

> 

> Appreciate the skeptical eye Kees, we'll drop this one.


So I think this is a good compromise for now. However, the point of this taint
was that it is specifically called out what tainted the kernel. It'd be great to
know when we have a bug report it was this specifically that was the issue.
Rambling further I realize now that taint doesn't tell you which module tainted,
which would be great here. That's actually what I'd like.

End ramble.

[08/14] taint: add taint for direct hardware access

Commit Message

Comments

Patch