[PATCH v5 2/2] powerpc/xmon: Restrict when kernel is locked down
Christopher M Riedl
cmr at informatik.wtf
Thu Aug 29 22:36:21 AEST 2019
> On August 29, 2019 at 2:43 AM Daniel Axtens <dja at axtens.net> wrote:
>
>
> Hi,
>
> > Xmon should be either fully or partially disabled depending on the
> > kernel lockdown state.
>
> I've been kicking the tyres of this, and it seems to work well:
>
> Tested-by: Daniel Axtens <dja at axtens.net>
>
Thank you for taking the time to test this!
>
> I have one small nit: if I enter confidentiality mode and then try to
> enter xmon, I get 32 messages about clearing the breakpoints each time I
> try to enter xmon:
>
Ugh, that's annoying. I tested this on a vm w/ 2 vcpus but should have
considered the case of more vcpus :(
>
> root at dja-guest:~# echo confidentiality > /sys/kernel/security/lockdown
> root at dja-guest:~# echo x >/proc/sysrq-trigger
> [ 489.585400] sysrq: Entering xmon
> xmon: Disabled due to kernel lockdown
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> xmon: All breakpoints cleared
> ...
>
> Investigating, I see that this is because my vm has 32 vcpus, and I'm
> getting one per CPU.
>
> Looking at the call sites, there's only one other caller, so I think you
> might be better served with this:
>
> diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
> index 94a5fada3034..fcaf1d568162 100644
> --- a/arch/powerpc/xmon/xmon.c
> +++ b/arch/powerpc/xmon/xmon.c
> @@ -3833,10 +3833,6 @@ static void clear_all_bpt(void)
> iabr = NULL;
> dabr.enabled = 0;
> }
> -
> - get_output_lock();
> - printf("xmon: All breakpoints cleared\n");
> - release_output_lock();
> }
>
> #ifdef CONFIG_DEBUG_FS
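Review bot: With the print removed from the end of clear_all_bpt(), the function now clears breakpoints without reporting it, so the other caller mentioned above no longer tells the user that breakpoints were dropped. Judging by the log, the lockdown path already prints "xmon: Disabled due to kernel lockdown" once; having that single message also mention the cleared breakpoints, and adding a one-line comment above clear_all_bpt() saying that callers do the reporting, would keep the information without the repeated output.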
> @@ -3846,8 +3842,13 @@ static int xmon_dbgfs_set(void *data, u64 val)
> xmon_init(xmon_on);
>
> /* make sure all breakpoints removed when disabling */
> - if (!xmon_on)
> + if (!xmon_on) {
> clear_all_bpt();
> + get_output_lock();
> + printf("xmon: All breakpoints cleared\n");
> + release_output_lock();
> + }
> +
> return 0;
> }
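Review bot: In the new `if (!xmon_on) { ... }` block of xmon_dbgfs_set(), the message is printed on every write that leaves xmon_on at zero, whether or not any breakpoint was set beforehand. If that matters, check the previous state before printing. It would also help to extend the existing comment above the block to say that the report lives here rather than in clear_all_bpt() because the other caller was seen to reach clear_all_bpt() once per CPU, so the print is not moved back later.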
>
Good point, I will add this to the next version, thanks!
>
> Apart from that:
> Reviewed-by: Daniel Axtens <dja at axtens.net>
>
> Regards,
> Daniel
>