On 02.06.2025 15:46, Kevin Lampis wrote:
> A subset of command-line parameters that are specifically safe to use when
> lockdown mode is enabled are annotated as such.
>
> These are commonly used parameters which have been audited to ensure they
> cannot be used to undermine the integrity of the system when booted in
> Secure Boot mode.
It's still being left entirely unclear what the criteria are by which an
option can / cannot be marked "safe". For example ...

> --- a/xen/arch/x86/cpu/amd.c
> +++ b/xen/arch/x86/cpu/amd.c
> @@ -47,7 +47,7 @@ integer_param("cpuid_mask_thermal_ecx",
> opt_cpuid_mask_thermal_ecx);
>
> /* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
> int8_t __read_mostly opt_allow_unsafe;
> -boolean_param("allow_unsafe", opt_allow_unsafe);
> +boolean_secure_param("allow_unsafe", opt_allow_unsafe);

... why's this being marked such, when already by its name its use is going
to render the system unsafe.

> --- a/xen/arch/x86/cpu/mcheck/mce.c
> +++ b/xen/arch/x86/cpu/mcheck/mce.c
> @@ -31,7 +31,7 @@
> #include "vmce.h"
>
> bool __read_mostly opt_mce = true;
> -boolean_param("mce", opt_mce);
> +boolean_secure_param("mce", opt_mce);

Similarly I don't think it's a good idea to allow turning off MCE.

I won't go any further until clarification on the criteria was written down.

Jan
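Review bot: In the amd.c hunk, annotating `allow_unsafe` with `boolean_secure_param` contradicts the option's own semantics in the context comment kept right above it (`1 = allow, 0 = don't allow guest creation, -1 = don't allow boot`): a value of 1 lets the system proceed where Xen would otherwise refuse, which is exactly the kind of integrity decision lockdown mode is meant to pin down. The description only says the parameters "have been audited"; each `boolean_secure_param` conversion needs its rationale recorded (commit message or the option's documentation), and for this one the plain `boolean_param("allow_unsafe", opt_allow_unsafe);` should stay until such a rationale exists.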
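Review bot: In the mce.c hunk, `opt_mce` defaults to `true` and switching it to `boolean_secure_param` lets `mce=0` be accepted in lockdown mode, i.e. machine-check handling can be disabled on a Secure Boot system without any check. Disabling hardware error reporting is not obviously compatible with the "cannot be used to undermine the integrity of the system" criterion stated in the description; either keep `boolean_param("mce", opt_mce);` or document why turning MCE off is considered safe under lockdown.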