From: Matthew Garrett <matthew.garrett@nebula.com>
To: "jmorris@namei.org" <jmorris@namei.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"jwboyer@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Thu, 13 Mar 2014 15:59:24 +0000 [thread overview]
Message-ID: <1394726363.25122.16.camel@x230> (raw)
In-Reply-To: <alpine.LRH.2.02.1403132031460.11638@tundra.namei.org>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 1688 bytes --]
On Thu, 2014-03-13 at 20:33 +1100, James Morris wrote:
> I'll take it, but there's unanswered review feedback (your response to the
> first question), and Alan raised some doubts about the patches which I'm
> not sure have been resolved.
The remaining opens seem to be CAP_SYS_RAWIO and firmware signing?
Ironically, disabling CAP_SYS_RAWIO disables firmware loading…
The problem with CAP_SYS_RAWIO is that its semantics were never
sufficiently well documented, and as a result it's a mixture of "This is
incredibly dangerous" and "We replaced a check for uid 0 with whichever
capability seemed to have the most appropriate name". I've gone through
all the uses of CAP_SYS_RAWIO and added additional checks to the generic
ones that seem appropriate. There's a couple of old drivers that use it
to gate access to features that potentially allow arbitrary DMA and it
might be worth cleaning those up, but the only general case I haven't
modified is the ability to send arbitrary SCSI commands from userspace.
My understanding is that endpoints aren't going to be able to DMA to
arbitrary addresses, so that doesn't seem like a problem.
On the other hand, disabling CAP_SYS_RAWIO *definitely* breaks expected
functionality - firmware loading and the fibmap ioctl are probably the
most obvious. And changing the use of CAP_SYS_RAWIO potentially breaks
userspace expectations, so we're kind of stuck there.
As for signed firmware, I'm looking forward to Kees' work on that.
--
Matthew Garrett <matthew.garrett@nebula.com>
ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(階ŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <matthew.garrett@nebula.com>
To: "jmorris@namei.org" <jmorris@namei.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"jwboyer@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Thu, 13 Mar 2014 15:59:24 +0000 [thread overview]
Message-ID: <1394726363.25122.16.camel@x230> (raw)
In-Reply-To: <alpine.LRH.2.02.1403132031460.11638@tundra.namei.org>
On Thu, 2014-03-13 at 20:33 +1100, James Morris wrote:
> I'll take it, but there's unanswered review feedback (your response to the
> first question), and Alan raised some doubts about the patches which I'm
> not sure have been resolved.
The remaining opens seem to be CAP_SYS_RAWIO and firmware signing?
Ironically, disabling CAP_SYS_RAWIO disables firmware loading…
The problem with CAP_SYS_RAWIO is that its semantics were never
sufficiently well documented, and as a result it's a mixture of "This is
incredibly dangerous" and "We replaced a check for uid 0 with whichever
capability seemed to have the most appropriate name". I've gone through
all the uses of CAP_SYS_RAWIO and added additional checks to the generic
ones that seem appropriate. There's a couple of old drivers that use it
to gate access to features that potentially allow arbitrary DMA and it
might be worth cleaning those up, but the only general case I haven't
modified is the ability to send arbitrary SCSI commands from userspace.
My understanding is that endpoints aren't going to be able to DMA to
arbitrary addresses, so that doesn't seem like a problem.
On the other hand, disabling CAP_SYS_RAWIO *definitely* breaks expected
functionality - firmware loading and the fibmap ioctl are probably the
most obvious. And changing the use of CAP_SYS_RAWIO potentially breaks
userspace expectations, so we're kind of stuck there.
As for signed firmware, I'm looking forward to Kees' work on that.
--
Matthew Garrett <matthew.garrett@nebula.com>
next prev parent reply other threads:[~2014-03-13 15:59 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2014-02-27 19:02 ` Kees Cook
2014-02-27 19:02 ` Kees Cook
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when " Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
2014-02-27 18:48 ` Kees Cook
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-27 9:54 ` Alon Ziv
2014-03-19 17:42 ` Florian Weimer
2014-03-19 17:42 ` Florian Weimer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07 ` Greg KH
2014-02-27 19:11 ` Josh Boyer
2014-02-27 19:11 ` Josh Boyer
2014-02-28 12:50 ` Josh Boyer
2014-02-28 3:03 ` James Morris
2014-02-28 4:52 ` Matthew Garrett
2014-02-28 4:52 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 6:22 ` Kees Cook
2014-03-13 6:22 ` Kees Cook
2014-03-13 9:33 ` James Morris
2014-03-13 9:33 ` James Morris
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:59 ` Matthew Garrett [this message]
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 20:37 ` David Lang
2014-03-14 20:37 ` David Lang
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:52 ` Matthew Garrett
2014-03-14 22:52 ` Matthew Garrett
2014-03-19 19:50 ` Kees Cook
2014-03-19 19:50 ` Kees Cook
2014-03-14 23:18 ` Theodore Ts'o
2014-03-14 23:18 ` Theodore Ts'o
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-19 17:49 ` Florian Weimer
2014-03-19 17:49 ` Florian Weimer
2014-03-19 20:16 ` Kees Cook
2014-03-19 20:16 ` Kees Cook
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:55 ` tytso
2014-03-20 14:55 ` tytso
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:31 ` Matthew Garrett
2014-03-13 21:31 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1394726363.25122.16.camel@x230 \
--to=matthew.garrett@nebula.com \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.