From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
To: Matthew Garrett <matthew.garrett@nebula.com>
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org,
gregkh@linuxfoundation.org, hpa@zytor.com,
linux-efi@vger.kernel.org, jmorris@namei.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode
Date: Wed, 26 Feb 2014 22:41:41 +0000 [thread overview]
Message-ID: <20140226224141.1741a746@alan.etchedpixels.co.uk> (raw)
In-Reply-To: <1393445473-15068-13-git-send-email-matthew.garrett@nebula.com>
On Wed, 26 Feb 2014 15:11:13 -0500
Matthew Garrett <matthew.garrett@nebula.com> wrote:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that the kernel prevent userspace from inserting untrusted kernel
> code at runtime. Add a configuration option that enforces this automatically
> when enabled.
I think you have a load more cases to attempt to paper over before you
even pretend to achieve that goal. Firewire for example. Also it only
remotely begins to work if you also force CAP_SYS_RAWIO off globally as
you need to force off things like raw command issuing to various
controllers (especially as some of that code is written on the basis that
'its RAWIO, screw making it secure and doing all the checks we could
bother with'.
RAWIO also disables things like CPU msr access - which is also quite
adequate for subverting a kernel.
Another issue that needs addressing is firmware. Quite a few of our
request_firmware cases load device firmware which is not signed into DMA
capable hardware. Probably also worth checking what the
architectural guarantees on bogus microcode updates is. Maybe we need
firmware signing for such cases to match the mod signing ?
I'm trying to think what else. Possibly disabling it on Pentium-M with
the rep movs erratum (Y19) as it's quite possible to set up suitable
adjacent page sets in user space via the graphics.
Alan
WARNING: multiple messages have this Message-ID (diff)
From: One Thousand Gnomes <gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
To: Matthew Garrett
<matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode
Date: Wed, 26 Feb 2014 22:41:41 +0000 [thread overview]
Message-ID: <20140226224141.1741a746@alan.etchedpixels.co.uk> (raw)
In-Reply-To: <1393445473-15068-13-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
On Wed, 26 Feb 2014 15:11:13 -0500
Matthew Garrett <matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org> wrote:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that the kernel prevent userspace from inserting untrusted kernel
> code at runtime. Add a configuration option that enforces this automatically
> when enabled.
I think you have a load more cases to attempt to paper over before you
even pretend to achieve that goal. Firewire for example. Also it only
remotely begins to work if you also force CAP_SYS_RAWIO off globally as
you need to force off things like raw command issuing to various
controllers (especially as some of that code is written on the basis that
'its RAWIO, screw making it secure and doing all the checks we could
bother with'.
RAWIO also disables things like CPU msr access - which is also quite
adequate for subverting a kernel.
Another issue that needs addressing is firmware. Quite a few of our
request_firmware cases load device firmware which is not signed into DMA
capable hardware. Probably also worth checking what the
architectural guarantees on bogus microcode updates is. Maybe we need
firmware signing for such cases to match the mod signing ?
I'm trying to think what else. Possibly disabling it on Pentium-M with
the rep movs erratum (Y19) as it's quite possible to set up suitable
adjacent page sets in user space via the graphics.
Alan
next prev parent reply other threads:[~2014-02-26 22:41 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2014-02-27 19:02 ` Kees Cook
2014-02-27 19:02 ` Kees Cook
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when " Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 22:41 ` One Thousand Gnomes [this message]
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
2014-02-27 18:48 ` Kees Cook
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-27 9:54 ` Alon Ziv
2014-03-19 17:42 ` Florian Weimer
2014-03-19 17:42 ` Florian Weimer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07 ` Greg KH
2014-02-27 19:11 ` Josh Boyer
2014-02-27 19:11 ` Josh Boyer
2014-02-28 12:50 ` Josh Boyer
2014-02-28 3:03 ` James Morris
2014-02-28 4:52 ` Matthew Garrett
2014-02-28 4:52 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 6:22 ` Kees Cook
2014-03-13 6:22 ` Kees Cook
2014-03-13 9:33 ` James Morris
2014-03-13 9:33 ` James Morris
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 20:37 ` David Lang
2014-03-14 20:37 ` David Lang
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:52 ` Matthew Garrett
2014-03-14 22:52 ` Matthew Garrett
2014-03-19 19:50 ` Kees Cook
2014-03-19 19:50 ` Kees Cook
2014-03-14 23:18 ` Theodore Ts'o
2014-03-14 23:18 ` Theodore Ts'o
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-19 17:49 ` Florian Weimer
2014-03-19 17:49 ` Florian Weimer
2014-03-19 20:16 ` Kees Cook
2014-03-19 20:16 ` Kees Cook
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:55 ` tytso
2014-03-20 14:55 ` tytso
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:31 ` Matthew Garrett
2014-03-13 21:31 ` Matthew Garrett
2015-03-13 21:38 Trusted kernel patchset Matthew Garrett
2015-03-13 21:38 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2015-04-22 11:36 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140226224141.1741a746@alan.etchedpixels.co.uk \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.