[PATCH linux dev-4.18] /dev/mem: add a devmem kernel parameter to activate the device
andrew at aj.id.au
Wed Nov 14 09:59:34 AEDT 2018
On Tue, 13 Nov 2018, at 23:33, Cédric Le Goater wrote:
> On 11/8/18 2:11 AM, Andrew Jeffery wrote:
> > On Mon, 22 Oct 2018, at 08:54, Joel Stanley wrote:
> >> On Fri, 12 Oct 2018 at 18:37, Cédric Le Goater <clg at kaod.org> wrote:
> >>> For security reasons, some configuration needs to run without /dev/mem
> >>> but on some occasions, to debug HW for instance, it's still useful to
> >>> be able to reboot the system with access to physical memory.
> >>> Add a kernel parameter which activates the /dev/mem device only when
> >>> 'mem.devmem' is enabled.
> >>> Signed-off-by: Cédric Le Goater <clg at kaod.org>
> >> Thanks Cédric. I've put this in the 4.18 tree.
> >> Can you submit this upstream too please?
> > Have this been done? Just following up out of interest.
> > I do wonder about it though. /dev/mem is accessible if you're root, but given
> > pretty much everything runs as root on the BMC we turn it off. But if it's just
> > a kernel commandline parameter away, it's also just a
> > `fw_setenv ... && reboot` away, at which point all the security is gone? If
> > you're somehow not root on the BMC then you wouldn't have access even if
> > it were present, and you can't change the u-boot environment either.
> You seem to be suggesting that we should reactivate /dev/mem ?
Not really arguing either way, just observing that the patch doesn't gain any
security over just enabling it outright.
More information about the openbmc