Thanks, Tom.
The patch looks good to me -
Reviewed-by: Lijo Lazar <[email protected]>
Hi Alex/Hawking,
Any concerns on shutting down the interfaces in lockdown mode?
Thanks,
Lijo
On 03-Jun-26 5:59 PM, StDenis, Tom wrote:
Hi Asad,
This should be fine for umr. UMR detects when the lockdown mode isn't "none"
and warns the user that the tool might not work.
So the net effect of this patch is the debugfs files are just not created at
all? That'll likely cause umr discovery to fail (after it prints the warning)
which is still fine.
Tom
________________________________________
From: Kamal, Asad <[email protected]>
Sent: Wednesday, June 3, 2026 07:44
To: [email protected]
Cc: Lazar, Lijo; Zhang, Hawking; Ma, Le; Zhang, Morris; Deucher, Alexander;
Wang, Yang(Kevin); Kamal, Asad; StDenis, Tom
Subject: [PATCH v3] drm/amdgpu: Gate debugfs MMIO access on kernel lockdown
amdgpu_regs, amdgpu_regs2, and related debugfs nodes allow
arbitrary MMIO read/write via RREG32/WREG32 without checking
security_locked_down(). On kernel_lockdown=integrity systems
this bypasses the same restrictions as /dev/mem and PCI config
space sysfs.
Check LOCKDOWN_PCI_ACCESS (matching pci-sysfs) at the entry of every
debugfs handler that performs direct register access.
v2: Use consistent check as per previous check to use
LOCKDOWN_DEBUGFS (Lijo)
v3: Do not create any entry from amdgpu_debugfs_regs_init() if
LOCKDOWN_PCI_ACCESS is active and log once. (Lijo)
Signed-off-by: Asad Kamal <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index 0ce6e2e4342c..5c4d4ff001ea 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -26,6 +26,7 @@
#include <linux/kthread.h>
#include <linux/pci.h>
#include <linux/uaccess.h>
+#include <linux/security.h>
#include <linux/pm_runtime.h>
#include "amdgpu.h"
@@ -1739,6 +1740,12 @@ int amdgpu_debugfs_regs_init(struct amdgpu_device *adev)
struct dentry *ent, *root = minor->debugfs_root;
unsigned int i;
+ if (security_locked_down(LOCKDOWN_PCI_ACCESS)) {
+ drm_info(adev_to_drm(adev),
+ "amdgpu: HW debugfs nodes disabled (kernel
lockdown)\n");
+ return 0;
+ }
+
for (i = 0; i < ARRAY_SIZE(debugfs_regs); i++) {
ent = debugfs_create_file(debugfs_regs_names[i],
S_IFREG | 0400, root,
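Review bot: The security_locked_down(LOCKDOWN_PCI_ACCESS) test at the top of amdgpu_debugfs_regs_init() is evaluated only once, at the point where the nodes would be created, so it covers only systems that are already locked down when the driver initializes. Lockdown can also be raised at runtime through /sys/kernel/security/lockdown; in that case the files created by the debugfs_create_file() loop stay in place, and this patch (7 insertions, all in the include list and this function) adds no check to the read/write handlers behind them. Consider keeping a security_locked_down() test at the entry of the register handlers in addition to skipping creation here. The commit message body still says the check is made "at the entry of every debugfs handler", which does not match what v3 does, and the v2 changelog line names LOCKDOWN_DEBUGFS while the code uses LOCKDOWN_PCI_ACCESS; both are worth rewording. Separately, the drm_info() format string is split across two lines as it appears here ("(kernel" / "lockdown)\n"), which leaves the hunk malformed until it is resent unwrapped.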
--
2.46.0