tjh.dev
+279
Documentation/process/embargoed-hardware-issues.rst
+279
Documentation/process/embargoed-hardware-issues.rst
···
1
+
Embargoed hardware issues
2
+
=========================
3
+
4
+
Scope
5
+
-----
6
+
7
+
Hardware issues which result in security problems are a different category
8
+
of security bugs than pure software bugs which only affect the Linux
9
+
kernel.
10
+
11
+
Hardware issues like Meltdown, Spectre, L1TF etc. must be treated
12
+
differently because they usually affect all Operating Systems ("OS") and
13
+
therefore need coordination across different OS vendors, distributions,
14
+
hardware vendors and other parties. For some of the issues, software
15
+
mitigations can depend on microcode or firmware updates, which need further
16
+
coordination.
17
+
18
+
.. _Contact:
19
+
20
+
Contact
21
+
-------
22
+
23
+
The Linux kernel hardware security team is separate from the regular Linux
24
+
kernel security team.
25
+
26
+
The team only handles the coordination of embargoed hardware security
27
+
issues. Reports of pure software security bugs in the Linux kernel are not
28
+
handled by this team and the reporter will be guided to contact the regular
29
+
Linux kernel security team (:ref:`Documentation/admin-guide/
30
+
<securitybugs>`) instead.
31
+
32
+
The team can be contacted by email at <hardware-security@kernel.org>. This
33
+
is a private list of security officers who will help you to coordinate an
34
+
issue according to our documented process.
35
+
36
+
The list is encrypted and email to the list can be sent by either PGP or
37
+
S/MIME encrypted and must be signed with the reporter's PGP key or S/MIME
38
+
certificate. The list's PGP key and S/MIME certificate are available from
39
+
https://www.kernel.org/....
40
+
41
+
While hardware security issues are often handled by the affected hardware
42
+
vendor, we welcome contact from researchers or individuals who have
43
+
identified a potential hardware flaw.
44
+
45
+
Hardware security officers
46
+
^^^^^^^^^^^^^^^^^^^^^^^^^^
47
+
48
+
The current team of hardware security officers:
49
+
50
+
- Linus Torvalds (Linux Foundation Fellow)
51
+
- Greg Kroah-Hartman (Linux Foundation Fellow)
52
+
- Thomas Gleixner (Linux Foundation Fellow)
53
+
54
+
Operation of mailing-lists
55
+
^^^^^^^^^^^^^^^^^^^^^^^^^^
56
+
57
+
The encrypted mailing-lists which are used in our process are hosted on
58
+
Linux Foundation's IT infrastructure. By providing this service Linux
59
+
Foundation's director of IT Infrastructure security technically has the
60
+
ability to access the embargoed information, but is obliged to
61
+
confidentiality by his employment contract. Linux Foundation's director of
62
+
IT Infrastructure security is also responsible for the kernel.org
63
+
infrastructure.
64
+
65
+
The Linux Foundation's current director of IT Infrastructure security is
66
+
Konstantin Ryabitsev.
67
+
68
+
69
+
Non-disclosure agreements
70
+
-------------------------
71
+
72
+
The Linux kernel hardware security team is not a formal body and therefore
73
+
unable to enter into any non-disclosure agreements. The kernel community
74
+
is aware of the sensitive nature of such issues and offers a Memorandum of
75
+
Understanding instead.
76
+
77
+
78
+
Memorandum of Understanding
79
+
---------------------------
80
+
81
+
The Linux kernel community has a deep understanding of the requirement to
82
+
keep hardware security issues under embargo for coordination between
83
+
different OS vendors, distributors, hardware vendors and other parties.
84
+
85
+
The Linux kernel community has successfully handled hardware security
86
+
issues in the past and has the necessary mechanisms in place to allow
87
+
community compliant development under embargo restrictions.
88
+
89
+
The Linux kernel community has a dedicated hardware security team for
90
+
initial contact, which oversees the process of handling such issues under
91
+
embargo rules.
92
+
93
+
The hardware security team identifies the developers (domain experts) who
94
+
will form the initial response team for a particular issue. The initial
95
+
response team can bring in further developers (domain experts) to address
96
+
the issue in the best technical way.
97
+
98
+
All involved developers pledge to adhere to the embargo rules and to keep
99
+
the received information confidential. Violation of the pledge will lead to
100
+
immediate exclusion from the current issue and removal from all related
101
+
mailing-lists. In addition, the hardware security team will also exclude
102
+
the offender from future issues. The impact of this consequence is a highly
103
+
effective deterrent in our community. In case a violation happens the
104
+
hardware security team will inform the involved parties immediately. If you
105
+
or anyone becomes aware of a potential violation, please report it
106
+
immediately to the Hardware security officers.
107
+
108
+
109
+
Process
110
+
^^^^^^^
111
+
112
+
Due to the globally distributed nature of Linux kernel development,
113
+
face-to-face meetings are almost impossible to address hardware security
114
+
issues. Phone conferences are hard to coordinate due to time zones and
115
+
other factors and should be only used when absolutely necessary. Encrypted
116
+
email has been proven to be the most effective and secure communication
117
+
method for these types of issues.
118
+
119
+
Start of Disclosure
120
+
"""""""""""""""""""
121
+
122
+
Disclosure starts by contacting the Linux kernel hardware security team by
123
+
email. This initial contact should contain a description of the problem and
124
+
a list of any known affected hardware. If your organization builds or
125
+
distributes the affected hardware, we encourage you to also consider what
126
+
other hardware could be affected.
127
+
128
+
The hardware security team will provide an incident-specific encrypted
129
+
mailing-list which will be used for initial discussion with the reporter,
130
+
further disclosure and coordination.
131
+
132
+
The hardware security team will provide the disclosing party a list of
133
+
developers (domain experts) who should be informed initially about the
134
+
issue after confirming with the developers that they will adhere to this
135
+
Memorandum of Understanding and the documented process. These developers
136
+
form the initial response team and will be responsible for handling the
137
+
issue after initial contact. The hardware security team is supporting the
138
+
response team, but is not necessarily involved in the mitigation
139
+
development process.
140
+
141
+
While individual developers might be covered by a non-disclosure agreement
142
+
via their employer, they cannot enter individual non-disclosure agreements
143
+
in their role as Linux kernel developers. They will, however, agree to
144
+
adhere to this documented process and the Memorandum of Understanding.
145
+
146
+
147
+
Disclosure
148
+
""""""""""
149
+
150
+
The disclosing party provides detailed information to the initial response
151
+
team via the specific encrypted mailing-list.
152
+
153
+
From our experience the technical documentation of these issues is usually
154
+
a sufficient starting point and further technical clarification is best
155
+
done via email.
156
+
157
+
Mitigation development
158
+
""""""""""""""""""""""
159
+
160
+
The initial response team sets up an encrypted mailing-list or repurposes
161
+
an existing one if appropriate. The disclosing party should provide a list
162
+
of contacts for all other parties who have already been, or should be
163
+
informed about the issue. The response team contacts these parties so they
164
+
can name experts who should be subscribed to the mailing-list.
165
+
166
+
Using a mailing-list is close to the normal Linux development process and
167
+
has been successfully used in developing mitigations for various hardware
168
+
security issues in the past.
169
+
170
+
The mailing-list operates in the same way as normal Linux development.
171
+
Patches are posted, discussed and reviewed and if agreed on applied to a
172
+
non-public git repository which is only accessible to the participating
173
+
developers via a secure connection. The repository contains the main
174
+
development branch against the mainline kernel and backport branches for
175
+
stable kernel versions as necessary.
176
+
177
+
The initial response team will identify further experts from the Linux
178
+
kernel developer community as needed and inform the disclosing party about
179
+
their participation. Bringing in experts can happen at any time of the
180
+
development process and often needs to be handled in a timely manner.
181
+
182
+
Coordinated release
183
+
"""""""""""""""""""
184
+
185
+
The involved parties will negotiate the date and time where the embargo
186
+
ends. At that point the prepared mitigations are integrated into the
187
+
relevant kernel trees and published.
188
+
189
+
While we understand that hardware security issues need coordinated embargo
190
+
time, the embargo time should be constrained to the minimum time which is
191
+
required for all involved parties to develop, test and prepare the
192
+
mitigations. Extending embargo time artificially to meet conference talk
193
+
dates or other non-technical reasons is creating more work and burden for
194
+
the involved developers and response teams as the patches need to be kept
195
+
up to date in order to follow the ongoing upstream kernel development,
196
+
which might create conflicting changes.
197
+
198
+
CVE assignment
199
+
""""""""""""""
200
+
201
+
Neither the hardware security team nor the initial response team assign
202
+
CVEs, nor are CVEs required for the development process. If CVEs are
203
+
provided by the disclosing party they can be used for documentation
204
+
purposes.
205
+
206
+
Process ambassadors
207
+
-------------------
208
+
209
+
For assistance with this process we have established ambassadors in various
210
+
organizations, who can answer questions about or provide guidance on the
211
+
reporting process and further handling. Ambassadors are not involved in the
212
+
disclosure of a particular issue, unless requested by a response team or by
213
+
an involved disclosed party. The current ambassadors list:
214
+
215
+
============= ========================================================
216
+
ARM
217
+
AMD
218
+
IBM
219
+
Intel
220
+
Qualcomm
221
+
222
+
Microsoft
223
+
VMware
224
+
XEN
225
+
226
+
Canonical Tyler Hicks <tyhicks@canonical.com>
227
+
Debian Ben Hutchings <ben@decadent.org.uk>
228
+
Oracle Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
229
+
Red Hat Josh Poimboeuf <jpoimboe@redhat.com>
230
+
SUSE Jiri Kosina <jkosina@suse.cz>
231
+
232
+
Amazon
233
+
Google
234
+
============== ========================================================
235
+
236
+
If you want your organization to be added to the ambassadors list, please
237
+
contact the hardware security team. The nominated ambassador has to
238
+
understand and support our process fully and is ideally well connected in
239
+
the Linux kernel community.
240
+
241
+
Encrypted mailing-lists
242
+
-----------------------
243
+
244
+
We use encrypted mailing-lists for communication. The operating principle
245
+
of these lists is that email sent to the list is encrypted either with the
246
+
list's PGP key or with the list's S/MIME certificate. The mailing-list
247
+
software decrypts the email and re-encrypts it individually for each
248
+
subscriber with the subscriber's PGP key or S/MIME certificate. Details
249
+
about the mailing-list software and the setup which is used to ensure the
250
+
security of the lists and protection of the data can be found here:
251
+
https://www.kernel.org/....
252
+
253
+
List keys
254
+
^^^^^^^^^
255
+
256
+
For initial contact see :ref:`Contact`. For incident specific mailing-lists
257
+
the key and S/MIME certificate are conveyed to the subscribers by email
258
+
sent from the specific list.
259
+
260
+
Subscription to incident specific lists
261
+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
262
+
263
+
Subscription is handled by the response teams. Disclosed parties who want
264
+
to participate in the communication send a list of potential subscribers to
265
+
the response team so the response team can validate subscription requests.
266
+
267
+
Each subscriber needs to send a subscription request to the response team
268
+
by email. The email must be signed with the subscriber's PGP key or S/MIME
269
+
certificate. If a PGP key is used, it must be available from a public key
270
+
server and is ideally connected to the Linux kernel's PGP web of trust. See
271
+
also: https://www.kernel.org/signature.html.
272
+
273
+
The response team verifies that the subscriber request is valid and adds
274
+
the subscriber to the list. After subscription the subscriber will receive
275
+
email from the mailing-list which is signed either with the list's PGP key
276
+
or the list's S/MIME certificate. The subscriber's email client can extract
277
+
the PGP key or the S/MIME certificate from the signature so the subscriber
278
+
can send encrypted email to the list.
279
+
+1
Documentation/process/index.rst
+1
Documentation/process/index.rst
+12
MAINTAINERS
+12
MAINTAINERS
···
9229
9229
F: include/linux/libnvdimm.h
9230
9230
F: include/uapi/linux/ndctl.h
9231
9231
9232
+
LICENSES and SPDX stuff
9233
+
M: Thomas Gleixner <tglx@linutronix.de>
9234
+
M: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9235
+
L: linux-spdx@vger.kernel.org
9236
+
S: Maintained
9237
+
T: git git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx.git
9238
+
F: COPYING
9239
+
F: Documentation/process/license-rules.rst
9240
+
F: LICENSES/
9241
+
F: scripts/spdxcheck-test.sh
9242
+
F: scripts/spdxcheck.py
9243
+
9232
9244
LIGHTNVM PLATFORM SUPPORT
9233
9245
M: Matias Bjorling <mb@lightnvm.io>
9234
9246
W: http://github/OpenChannelSSD
+7
-4
drivers/fpga/altera-ps-spi.c
+7
-4
drivers/fpga/altera-ps-spi.c
···
210
210
return -EIO;
211
211
}
212
212
213
-
if (!IS_ERR(conf->confd)) {
213
+
if (conf->confd) {
214
214
if (!gpiod_get_raw_value_cansleep(conf->confd)) {
215
215
dev_err(&mgr->dev, "CONF_DONE is inactive!\n");
216
216
return -EIO;
···
289
289
return PTR_ERR(conf->status);
290
290
}
291
291
292
-
conf->confd = devm_gpiod_get(&spi->dev, "confd", GPIOD_IN);
292
+
conf->confd = devm_gpiod_get_optional(&spi->dev, "confd", GPIOD_IN);
293
293
if (IS_ERR(conf->confd)) {
294
-
dev_warn(&spi->dev, "Not using confd gpio: %ld\n",
295
-
PTR_ERR(conf->confd));
294
+
dev_err(&spi->dev, "Failed to get confd gpio: %ld\n",
295
+
PTR_ERR(conf->confd));
296
+
return PTR_ERR(conf->confd);
297
+
} else if (!conf->confd) {
298
+
dev_warn(&spi->dev, "Not using confd gpio");
296
299
}
297
300
298
301
/* Register manager with unique name */
+1
-7
drivers/fsi/fsi-scom.c
+1
-7
drivers/fsi/fsi-scom.c
···
38
38
#define SCOM_STATUS_PIB_RESP_MASK 0x00007000
39
39
#define SCOM_STATUS_PIB_RESP_SHIFT 12
40
40
41
-
#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_ERR_SUMMARY | \
42
-
SCOM_STATUS_PROTECTION | \
41
+
#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_PROTECTION | \
43
42
SCOM_STATUS_PARITY | \
44
43
SCOM_STATUS_PIB_ABORT | \
45
44
SCOM_STATUS_PIB_RESP_MASK)
···
250
251
/* Return -EBUSY on PIB abort to force a retry */
251
252
if (status & SCOM_STATUS_PIB_ABORT)
252
253
return -EBUSY;
253
-
if (status & SCOM_STATUS_ERR_SUMMARY) {
254
-
fsi_device_write(scom->fsi_dev, SCOM_FSI2PIB_RESET_REG, &dummy,
255
-
sizeof(uint32_t));
256
-
return -EIO;
257
-
}
258
254
return 0;
259
255
}
260
256
+10
drivers/hwtracing/intel_th/pci.c
+10
drivers/hwtracing/intel_th/pci.c
···
165
165
.driver_data = (kernel_ulong_t)0,
166
166
},
167
167
{
168
+
/* Lewisburg PCH */
169
+
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa226),
170
+
.driver_data = (kernel_ulong_t)0,
171
+
},
172
+
{
168
173
/* Gemini Lake */
169
174
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
170
175
.driver_data = (kernel_ulong_t)&intel_th_2x,
···
202
197
{
203
198
/* Ice Lake NNPI */
204
199
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5),
200
+
.driver_data = (kernel_ulong_t)&intel_th_2x,
201
+
},
202
+
{
203
+
/* Tiger Lake PCH */
204
+
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
205
205
.driver_data = (kernel_ulong_t)&intel_th_2x,
206
206
},
207
207
{ 0 },
-1
drivers/hwtracing/stm/core.c
-1
drivers/hwtracing/stm/core.c
+2
-2
drivers/misc/lkdtm/bugs.c
+2
-2
drivers/misc/lkdtm/bugs.c
···
22
22
* recurse past the end of THREAD_SIZE by default.
23
23
*/
24
24
#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
25
-
#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
25
+
#define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
26
26
#else
27
27
#define REC_STACK_SIZE (THREAD_SIZE / 8)
28
28
#endif
···
91
91
92
92
void lkdtm_EXHAUST_STACK(void)
93
93
{
94
-
pr_info("Calling function with %d frame size to depth %d ...\n",
94
+
pr_info("Calling function with %lu frame size to depth %d ...\n",
95
95
REC_STACK_SIZE, recur_count);
96
96
recursive_loop(recur_count);
97
97
pr_info("FAIL: survived without exhausting stack?!\n");
+2
drivers/misc/mei/hw-me-regs.h
+2
drivers/misc/mei/hw-me-regs.h
+2
drivers/misc/mei/pci-me.c
+2
drivers/misc/mei/pci-me.c
+8
-2
drivers/misc/vmw_balloon.c
+8
-2
drivers/misc/vmw_balloon.c
···
691
691
}
692
692
693
693
if (page) {
694
-
vmballoon_mark_page_offline(page, ctl->page_size);
695
694
/* Success. Add the page to the list and continue. */
696
695
list_add(&page->lru, &ctl->pages);
697
696
continue;
···
929
930
930
931
list_for_each_entry_safe(page, tmp, page_list, lru) {
931
932
list_del(&page->lru);
932
-
vmballoon_mark_page_online(page, page_size);
933
933
__free_pages(page, vmballoon_page_order(page_size));
934
934
}
935
935
···
1003
1005
enum vmballoon_page_size_type page_size)
1004
1006
{
1005
1007
unsigned long flags;
1008
+
struct page *page;
1006
1009
1007
1010
if (page_size == VMW_BALLOON_4K_PAGE) {
1008
1011
balloon_page_list_enqueue(&b->b_dev_info, pages);
···
1013
1014
* for the balloon compaction mechanism.
1014
1015
*/
1015
1016
spin_lock_irqsave(&b->b_dev_info.pages_lock, flags);
1017
+
1018
+
list_for_each_entry(page, pages, lru) {
1019
+
vmballoon_mark_page_offline(page, VMW_BALLOON_2M_PAGE);
1020
+
}
1021
+
1016
1022
list_splice_init(pages, &b->huge_pages);
1017
1023
__count_vm_events(BALLOON_INFLATE, *n_pages *
1018
1024
vmballoon_page_in_frames(VMW_BALLOON_2M_PAGE));
···
1060
1056
/* 2MB pages */
1061
1057
spin_lock_irqsave(&b->b_dev_info.pages_lock, flags);
1062
1058
list_for_each_entry_safe(page, tmp, &b->huge_pages, lru) {
1059
+
vmballoon_mark_page_online(page, VMW_BALLOON_2M_PAGE);
1060
+
1063
1061
list_move(&page->lru, pages);
1064
1062
if (++i == n_req_pages)
1065
1063
break;
+4
-2
drivers/misc/vmw_vmci/vmci_doorbell.c
+4
-2
drivers/misc/vmw_vmci/vmci_doorbell.c
···
310
310
311
311
entry = container_of(resource, struct dbell_entry, resource);
312
312
if (entry->run_delayed) {
313
-
schedule_work(&entry->work);
313
+
if (!schedule_work(&entry->work))
314
+
vmci_resource_put(resource);
314
315
} else {
315
316
entry->notify_cb(entry->client_data);
316
317
vmci_resource_put(resource);
···
362
361
atomic_read(&dbell->active) == 1) {
363
362
if (dbell->run_delayed) {
364
363
vmci_resource_get(&dbell->resource);
365
-
schedule_work(&dbell->work);
364
+
if (!schedule_work(&dbell->work))
365
+
vmci_resource_put(&dbell->resource);
366
366
} else {
367
367
dbell->notify_cb(dbell->client_data);
368
368
}