On Wed, Jun 03, 2026 at 07:44:59PM +0800, Asad Kamal wrote:
> amdgpu_regs, amdgpu_regs2, and related debugfs nodes allow
> arbitrary MMIO read/write via RREG32/WREG32 without checking
> security_locked_down(). On kernel_lockdown=integrity systems
> this bypasses the same restrictions as /dev/mem and PCI config
> space sysfs.
> 
> Check LOCKDOWN_PCI_ACCESS (matching pci-sysfs) at the entry of every
> debugfs handler that performs direct register access.
> 
> v2: Use consistent check as per previous check to use
> LOCKDOWN_DEBUGFS (Lijo)
> 
> v3: Do not create any entry from amdgpu_debugfs_regs_init() if
> LOCKDOWN_PCI_ACCESS is active and log once. (Lijo)
> 
> Signed-off-by: Asad Kamal <[email protected]>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c 
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> index 0ce6e2e4342c..5c4d4ff001ea 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> @@ -26,6 +26,7 @@
>  #include <linux/kthread.h>
>  #include <linux/pci.h>
>  #include <linux/uaccess.h>
> +#include <linux/security.h>
>  #include <linux/pm_runtime.h>
>  
>  #include "amdgpu.h"
> @@ -1739,6 +1740,12 @@ int amdgpu_debugfs_regs_init(struct amdgpu_device 
> *adev)
>       struct dentry *ent, *root = minor->debugfs_root;
>       unsigned int i;
>  
> +     if (security_locked_down(LOCKDOWN_PCI_ACCESS)) {
> +             drm_info(adev_to_drm(adev),
> +                      "amdgpu: HW debugfs nodes disabled (kernel 
> lockdown)\n");
> +             return 0;
> +     }
> +
>       for (i = 0; i < ARRAY_SIZE(debugfs_regs); i++) {
>               ent = debugfs_create_file(debugfs_regs_names[i],
>                                         S_IFREG | 0400, root,
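Review bot: the check is added only at the top of amdgpu_debugfs_regs_init(), but the commit message still says it is made "at the entry of every debugfs handler that performs direct register access", and no handler is touched in this diff. Please either reword the commit message to describe the v3 behaviour (nodes are not created when security_locked_down(LOCKDOWN_PCI_ACCESS) is non-zero at init) or keep a check in the handlers as well, since a gate at creation time does nothing for nodes that already exist. The changelog also says "log once", while drm_info() here prints on every call of the init function; drm_info_once() would match the stated intent. Finally, the v2 entry refers to LOCKDOWN_DEBUGFS while the code tests LOCKDOWN_PCI_ACCESS, so it would help to state which reason is intended and why.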
> -- 
> 2.46.0
> 

Hi,

Lockdown denies opening of debugfs files but those with the
following conditions:

- The file must only be opened for reading.
- The file must have mode 00444.
- The file must not have ioctl methods fops.
- The file must not have mmap fops.

I might be missing something, but how are you able to write in those?

Best regards,

Nicolas
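
The four conditions listed in the reply above, written as a small userspace C model (an added illustration, not code from the patch, the kernel or either poster). `struct node`, the function names and the sample nodes are hypothetical; the mode condition is modelled as "no permission bits outside 0444", and the first sample reuses the 0400 mode from the quoted hunk with the absence of ioctl/mmap methods assumed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the properties of a debugfs file that the
 * four conditions look at; not a kernel structure. */
struct node {
    const char *name;   /* hypothetical label */
    unsigned int mode;  /* permission bits */
    bool has_ioctl;     /* fops provide an ioctl method */
    bool has_mmap;      /* fops provide an mmap method */
};

/* Sample nodes (constructed). The first uses the 0400 mode from the hunk. */
static const struct node ro_plain = { "ro_plain", 0400, false, false };
static const struct node rw_plain = { "rw_plain", 0600, false, false };
static const struct node ro_mmap  = { "ro_mmap",  0444, false, true  };

/* True when all four conditions hold, so the open is exempt from lockdown. */
static bool open_is_exempt(const struct node *n, bool for_write)
{
    if (for_write)                      /* must be opened for reading only */
        return false;
    if (n->mode & 07777u & ~0444u)      /* no bits beyond read permission */
        return false;
    return !n->has_ioctl && !n->has_mmap;
}

/* 0 when the open goes ahead, -1 when lockdown denies it. */
static int open_under_lockdown(const struct node *n, bool for_write, bool locked)
{
    if (open_is_exempt(n, for_write))
        return 0;
    return locked ? -1 : 0;
}

int main(void)
{
    const struct node *all[] = { &ro_plain, &rw_plain, &ro_mmap };

    for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++)
        printf("%-9s read:%2d write:%2d\n", all[i]->name,
               open_under_lockdown(all[i], false, true),
               open_under_lockdown(all[i], true, true));
    return 0;
}
```

Under this model a 0400 node without ioctl or mmap methods still opens read-only while locked down, and every open for writing is refused.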
