From 89961ef822f46fd1b89b81a6b259840d9d8ab6d0 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Sun, 1 Sep 2024 17:13:46 +0000
Subject: [PATCH] Pledge "vmm" for ccp(4) ioctl(2).

Limit ccp ioctls to processes that pledge vmm. Specific psp device ioctls for AMD SEV will allowed for vmd(8).
from hshoexer@; input deraadt@ jsg@
---
 sys/arch/amd64/include/conf.h |  5 ++++-
 sys/dev/ic/ccp.c              | 23 +++++++++++++++++++++--
 sys/kern/kern_pledge.c        | 15 ++++++++++++++-
 sys/sys/pledge.h              |  3 ++-
 4 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/sys/arch/amd64/include/conf.h b/sys/arch/amd64/include/conf.h
index 5a2b10fe45b..730a5b2c249 100644
--- a/sys/arch/amd64/include/conf.h
+++ b/sys/arch/amd64/include/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.9 2022/06/28 14:43:50 visa Exp $ */
+/* $OpenBSD: conf.h,v 1.10 2024/09/01 17:13:46 bluhm Exp $ */
 /* $NetBSD: conf.h,v 1.2 1996/05/05 19:28:34 christos Exp $ */
 
 /*
@@ -54,3 +54,6 @@ cdev_decl(pctr);
 
 #include "vmm.h"
 cdev_decl(vmm);
+
+#include "ccp.h"
+cdev_decl(psp);
diff --git a/sys/dev/ic/ccp.c b/sys/dev/ic/ccp.c
index 0625b905a24..6829f81e50f 100644
--- a/sys/dev/ic/ccp.c
+++ b/sys/dev/ic/ccp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ccp.c,v 1.7 2024/09/01 03:08:56 jsg Exp $ */
+/* $OpenBSD: ccp.c,v 1.8 2024/09/01 17:13:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2018 David Gwynne
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -646,12 +647,30 @@ pspioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
 		psp_snp_get_pstatus((struct psp_snp_platform_status *)data);
 		break;
 	default:
-		printf("%s: unknown ioctl code 0x%lx\n", __func__, cmd);
 		ret = ENOTTY;
+		break;
 	}
 
 	rw_exit_write(&ccp_softc->sc_lock);
 
 	return (ret);
 }
+
+int
+pledge_ioctl_psp(struct proc *p, long com)
+{
+	switch (com) {
+	case PSP_IOC_GET_PSTATUS:
+	case PSP_IOC_DF_FLUSH:
+	case PSP_IOC_GET_GSTATUS:
+	case PSP_IOC_LAUNCH_START:
+	case PSP_IOC_LAUNCH_UPDATE_DATA:
+	case PSP_IOC_LAUNCH_MEASURE:
+	case PSP_IOC_LAUNCH_FINISH:
+	case PSP_IOC_ACTIVATE:
+		return (0);
+	default:
+		return (pledge_fail(p, EPERM, PLEDGE_VMM));
+	}
+}
 #endif /* __amd64__ */
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 6ee11243037..0a3d65ce1b5 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.316 2024/06/03 03:41:47 deraadt Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.317 2024/09/01 17:13:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott
@@ -76,6 +76,7 @@
 #if NVMM > 0
 #include
 #endif
+#include "ccp.h"
 #endif
 
 #include "drm.h"
@@ -1349,6 +1350,18 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 	}
 #endif
 
+#if defined(__amd64__) && NCCP > 0 && NVMM > 0
+	if ((pledge & PLEDGE_VMM)) {
+		if ((fp->f_type == DTYPE_VNODE) &&
+		    (vp->v_type == VCHR) &&
+		    (cdevsw[major(vp->v_rdev)].d_open == pspopen)) {
+			error = pledge_ioctl_psp(p, com);
+			if (error == 0)
+				return (0);
+		}
+	}
+#endif
+
 	return pledge_fail(p, error, PLEDGE_TTY);
 }
 
diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h
index 073ad9a050a..7f6fbc9273d 100644
--- a/sys/sys/pledge.h
+++ b/sys/sys/pledge.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pledge.h,v 1.48 2023/06/02 17:44:29 cheloha Exp $ */
+/* $OpenBSD: pledge.h,v 1.49 2024/09/01 17:13:46 bluhm Exp $ */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott
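Review bot: The new pledge_ioctl_psp in ccp.c is the security boundary that decides which psp ioctls a "vmm"-pledged process may issue, yet it carries no comment saying so, and the allow-list of PSP_IOC_* cases reads like an ordinary dispatch switch. A short header would stop a later maintainer from extending the list casually; I would add above the function: `/* Allow-list of psp ioctls a process that pledged "vmm" may issue; any other command is a pledge violation (pledge_fail with PLEDGE_VMM). Extend only with commands vmd(8) actually needs. */`. It would also help to note on the `default:` that the returned value of pledge_fail is what the caller in kern_pledge.c propagates as `error`. pspioctl's beginning lies outside the hunk, so only its default branch is visible here.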
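Review bot: In the kern_pledge.c hunk a denied psp ioctl goes through pledge_fail twice: pledge_ioctl_psp already returns `pledge_fail(p, EPERM, PLEDGE_VMM)` for a command outside its allow-list, and because the new block only returns on `error == 0` control then falls through to `return pledge_fail(p, error, PLEDGE_TTY);`, attributing the same denial to the "tty" pledge as well. Whatever logging, accounting or signalling pledge_fail performs (its body is not in this hunk) is therefore done twice, with the second record naming the wrong pledge. Since pledge_ioctl_psp returns either 0 or the pledge_fail result, the inner block can simply be `return (pledge_ioctl_psp(p, com));` in place of the three `error = …; if (error == 0) return (0);` lines. The vmm block this mirrors is presumably shaped the same way and would deserve the same treatment; pledge_ioctl's start is outside the hunk.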
@@ -134,6 +134,7 @@ int pledge_socket(struct proc *p, int domain, unsigned int state);
 int pledge_ioctl(struct proc *p, long com, struct file *);
 int pledge_ioctl_drm(struct proc *p, long com, dev_t device);
 int pledge_ioctl_vmm(struct proc *p, long com);
+int pledge_ioctl_psp(struct proc *p, long com);
 int pledge_flock(struct proc *p);
 int pledge_fcntl(struct proc *p, int cmd);
 int pledge_swapctl(struct proc *p, int cmd);
-- 
2.20.1