From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
To: Kees Cook <keescook@chromium.org>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jmorris@namei.org" <jmorris@namei.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"jwboyer@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Fri, 14 Mar 2014 16:28:31 +0000 [thread overview]
Message-ID: <20140314162831.1caf342c@alan.etchedpixels.co.uk> (raw)
In-Reply-To: <CAGXu5jLZcWh5WD0L8s3Q-GXdXCMnA57qtjfdFfQbv0fxYcuCTQ@mail.gmail.com>
> The command line problem here is a total red herring. If you've got a
> measured kernel, you have a measured command line. (If not, you don't
That would be the sensible approach, but it has some quite drastic
ramifications.
> have a measured kernel.) Dealing with the command line has nothing to
> do with enforcing the ring0/uid0 boundary which is what this patch
> series does.
It has a huge relevance. You are signing blocks of code and loading them
into your kernel. In case it's escaped your notice those blocks of code
have behaviour which is considerably customisable by passing module
arguments to them. In many cases they don't actually check those
arguments. If I can set module paramters I already 0wn your box so many
different ways its not even funny.
> Right. As mentioned, we've been over all of this before. We cannot
> change the meaning of capabilities (nor expand their coverage to
> existing interfaces) without breaking userspace. Since we cannot break
> userspace, we must create a different policy system that covers this
> new thing we want to do and keeps the new policy distinctly separate.
So you have everything checked twice all over the kernel and you
guarantee that people will get it wrong. I don't see the point of putting
a broken implementation in the kernel. If you want to do security do it
*right* and do it once. You think every single person who adds a driver
is going to muddle through two interfaces (and in future no doubt more if
we don't fix it properly) and get it right each time ?
The 'breaking userspace' argument is bullshit already. The whole *point*
of the measured kernel is to break userspace. You are deliberately
breaking a pile of functionality, much of it undersirable in order to
achieve your measured system.
The only "don't break" case that matters is if the measured stuff isn't
in use. In those cases we don't need to break anything.
Alan
WARNING: multiple messages have this Message-ID (diff)
From: One Thousand Gnomes <gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
To: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Cc: Matthew Garrett
<matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org"
<jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>,
"linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org"
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
"hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org"
<hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>,
"jwboyer-rxtnV0ftBwyoClj4AeEUq9i2O/JbrIOy@public.gmane.org"
<jwboyer-rxtnV0ftBwyoClj4AeEUq9i2O/JbrIOy@public.gmane.org>,
"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org"
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Fri, 14 Mar 2014 16:28:31 +0000 [thread overview]
Message-ID: <20140314162831.1caf342c@alan.etchedpixels.co.uk> (raw)
In-Reply-To: <CAGXu5jLZcWh5WD0L8s3Q-GXdXCMnA57qtjfdFfQbv0fxYcuCTQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
> The command line problem here is a total red herring. If you've got a
> measured kernel, you have a measured command line. (If not, you don't
That would be the sensible approach, but it has some quite drastic
ramifications.
> have a measured kernel.) Dealing with the command line has nothing to
> do with enforcing the ring0/uid0 boundary which is what this patch
> series does.
It has a huge relevance. You are signing blocks of code and loading them
into your kernel. In case it's escaped your notice those blocks of code
have behaviour which is considerably customisable by passing module
arguments to them. In many cases they don't actually check those
arguments. If I can set module paramters I already 0wn your box so many
different ways its not even funny.
> Right. As mentioned, we've been over all of this before. We cannot
> change the meaning of capabilities (nor expand their coverage to
> existing interfaces) without breaking userspace. Since we cannot break
> userspace, we must create a different policy system that covers this
> new thing we want to do and keeps the new policy distinctly separate.
So you have everything checked twice all over the kernel and you
guarantee that people will get it wrong. I don't see the point of putting
a broken implementation in the kernel. If you want to do security do it
*right* and do it once. You think every single person who adds a driver
is going to muddle through two interfaces (and in future no doubt more if
we don't fix it properly) and get it right each time ?
The 'breaking userspace' argument is bullshit already. The whole *point*
of the measured kernel is to break userspace. You are deliberately
breaking a pile of functionality, much of it undersirable in order to
achieve your measured system.
The only "don't break" case that matters is if the measured stuff isn't
in use. In those cases we don't need to break anything.
Alan
next prev parent reply other threads:[~2014-03-14 16:29 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2014-02-27 19:02 ` Kees Cook
2014-02-27 19:02 ` Kees Cook
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when " Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
2014-02-27 18:48 ` Kees Cook
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-27 9:54 ` Alon Ziv
2014-03-19 17:42 ` Florian Weimer
2014-03-19 17:42 ` Florian Weimer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07 ` Greg KH
2014-02-27 19:11 ` Josh Boyer
2014-02-27 19:11 ` Josh Boyer
2014-02-28 12:50 ` Josh Boyer
2014-02-28 3:03 ` James Morris
2014-02-28 4:52 ` Matthew Garrett
2014-02-28 4:52 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 6:22 ` Kees Cook
2014-03-13 6:22 ` Kees Cook
2014-03-13 9:33 ` James Morris
2014-03-13 9:33 ` James Morris
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 16:28 ` One Thousand Gnomes [this message]
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 20:37 ` David Lang
2014-03-14 20:37 ` David Lang
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:52 ` Matthew Garrett
2014-03-14 22:52 ` Matthew Garrett
2014-03-19 19:50 ` Kees Cook
2014-03-19 19:50 ` Kees Cook
2014-03-14 23:18 ` Theodore Ts'o
2014-03-14 23:18 ` Theodore Ts'o
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-19 17:49 ` Florian Weimer
2014-03-19 17:49 ` Florian Weimer
2014-03-19 20:16 ` Kees Cook
2014-03-19 20:16 ` Kees Cook
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:55 ` tytso
2014-03-20 14:55 ` tytso
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:31 ` Matthew Garrett
2014-03-13 21:31 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140314162831.1caf342c@alan.etchedpixels.co.uk \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.