Intel Proposes Linux Kernel Driver Allow/Deny Filtering

Written by Michael Larabel in Intel on 4 August 2021 at 02:13 PM EDT.

As part of their work on Trust Domain Extensions (TDX) support for Linux, Intel engineers are proposing a driver filter option that sets allow or deny lists of the drivers that can or cannot be loaded by the booted kernel.

To reduce the attack surface within guest virtual machines while still using the same kernel build for host and guest, Intel engineers are looking to add this driver filter support to the kernel. When booting the guest, they can specify on the kernel command line the specific drivers allowed to be loaded by the kernel, or alternatively set a list of specific drivers that shouldn't be allowed to be loaded by the system.

This proposal doesn't change any default behavior of the kernel. The driver filter framework would make use of the filter_deny_drivers= and filter_allow_drivers= options for easily specifying what kernel drivers to permit without having to remove any modules or rebuild the kernel with a different Kconfig. On a running system with this patch, the driver filter status can also be queried via sysfs.

More details on this proposed driver filter framework for the Linux kernel are available via the kernel mailing list.