From: Matthew Garrett <matthew.garrett@nebula.com>
To: jmorris@namei.org
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org, linux-security-module@vger.kernel.org, akpm@linux-foundation.org, hpa@zytor.com, jwboyer@fedoraproject.org, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Thu, 13 Mar 2014 15:59:24 +0000
Message-ID: <1394726363.25122.16.camel@x230>
References: <1393445473-15068-1-git-send-email-matthew.garrett@nebula.com> <1394686919.25122.2.camel@x230>

On Thu, 2014-03-13 at 20:33 +1100, James Morris wrote:

> I'll take it, but there's unanswered review feedback (your response to the
> first question), and Alan raised some doubts about the patches which I'm
> not sure have been resolved.

The remaining opens seem to be CAP_SYS_RAWIO and firmware signing?
Ironically, disabling CAP_SYS_RAWIO disables firmware loading…

The problem with CAP_SYS_RAWIO is that its semantics were never sufficiently well documented, and as a result it's a mixture of "This is incredibly dangerous" and "We replaced a check for uid 0 with whichever capability seemed to have the most appropriate name". I've gone through all the uses of CAP_SYS_RAWIO and added additional checks to the generic ones that seem appropriate.
There are a couple of old drivers that use it to gate access to features that potentially allow arbitrary DMA, and it might be worth cleaning those up, but the only general case I haven't modified is the ability to send arbitrary SCSI commands from userspace. My understanding is that endpoints aren't going to be able to DMA to arbitrary addresses, so that doesn't seem like a problem.

On the other hand, disabling CAP_SYS_RAWIO *definitely* breaks expected functionality - firmware loading and the fibmap ioctl are probably the most obvious. And changing the use of CAP_SYS_RAWIO potentially breaks userspace expectations, so we're kind of stuck there.

As for signed firmware, I'm looking forward to Kees' work on that.

-- 
Matthew Garrett <matthew.garrett@nebula.com>