Re: [PATCH v2 2/6] driver core: Add common support to skip probe for... | virtualization

(off-list ancestor, not in this archive)

On Thu, Sep 30, 2021 at 11:35:09AM -0400, Alan Stern wrote:
On Thu, Sep 30, 2021 at 10:58:07AM -0400, Michael S. Tsirkin wrote:
On Thu, Sep 30, 2021 at 10:43:05AM -0400, Alan Stern wrote:
I don't see any point in talking about "untrusted drivers".  If a 
driver isn't trusted then it doesn't belong in your kernel.  Period.  
When you load a driver into your kernel, you are implicitly trusting 
it (aside from limitations imposed by security modules).
Trusting it to do what? Historically a ton of drivers did not
validate input from devices they drive. Most still don't.
Trusting it to behave properly (i.e., not destroy your system, among 
other things).
I don't think the current mitigations under discussion here are about
keeping the system working. In fact most encrypted VM configs tend to
stop booting as a preferred way to handle security issues.

The fact that many drivers haven't been trustworthy is beside the 
point.  By loading them into your kernel, you are trusting them 
regardless.  In the end, you may regret having done so.  :-(

Alan Stern

-- 
MST

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help