From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kirill Marinushkin <k.marinushkin@gmail.com>,
security@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v5] security/keys: rewrite all of big_key crypto
Date: Sun, 17 Sep 2017 11:50:40 +0000 [thread overview]
Message-ID: <CAHmME9rjrz2Pn39ay3myApBeBtQAPNt0C+NvmFoV28NeT4_zLg@mail.gmail.com> (raw)
In-Reply-To: <20170917060457.GB10599@zzz.localdomain>
On Sun, Sep 17, 2017 at 8:04 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> This should jump to 'err_enckey', otherwise it will leak 'enckey'.
Yikes, good catch, thanks!
>
> Otherwise the changes all look good; after fixing the above, feel free to add my
> Reviewed-by.
Ack.
> Yes, AES-GCM is the right choice here. It is, however, almost
> certainly the case that if someone can modify your swap partition, they can
> already own your system in many other ways, so the "authenticated" portion of
> "authenticated encryption" may not actually buy much in this situation :-)
True, though this is slightly different from people putting their
big_keys on NFS, I guess (but who would do such a thing anyway?).
> The patch is a little long and perhaps should be split into several patches,
> each of which fixes one bug; but see what David thinks.
Meh, it's a rewrite, so sure, it's long. I saw a bunch of bugs and
rewrote the whole thing rather than going one-by-one with the bugs,
which would have produced a series. Personally I'd prefer to keep it
like this than spending the time needling away with git and extra
commit messages and struggling to make them each build separately.
Seems like very very little gain for the time required to do that
right. *shrug* Will wait to hear from David.
> I should also note, that while there definitely were some inadmissible bugs
> here, the support for encrypting big_key's was only added recently, in the v4.7
> kernel. And obviously not encrypting at all is at least as much as a
> "vulnerability" as using weak encryption.
Yea that's fair. I'm mostly just running around like a headless
chicken after seeing ECB and wondering how this got committed in the
first place, but nobody really takes chickens seriously. But yes, I
suppose one way of considering this is just to say, "big_keys did not
use encryption before 4.14, even though the code was really
complicated."
> I'm also a little skeptical that
> people actually care enough about big_key's for it to be worthwhile to mark a
> rewrite like this for stable, though I suppose it wouldn't be *too* hard to at
> least cherry-pick this to 4.9 if you wanted. (There is a small conflict so
> you'd have to send the backport yourself after this goes into mainline.)
I imagine the conflicts will be moving back from get_random_bytes_wait
to get_random_bytes and maybe the loff_t/kernel_{read,write} thing. Is
this what you had in mind too? I should be able to handle those fairly
easily and send it to Greg manually after this lands.
Thanks again for the review, very appreciated.
Regards,
Jason
WARNING: multiple messages have this Message-ID (diff)
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kirill Marinushkin <k.marinushkin@gmail.com>,
security@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v5] security/keys: rewrite all of big_key crypto
Date: Sun, 17 Sep 2017 13:50:40 +0200 [thread overview]
Message-ID: <CAHmME9rjrz2Pn39ay3myApBeBtQAPNt0C+NvmFoV28NeT4_zLg@mail.gmail.com> (raw)
In-Reply-To: <20170917060457.GB10599@zzz.localdomain>
On Sun, Sep 17, 2017 at 8:04 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> This should jump to 'err_enckey', otherwise it will leak 'enckey'.
Yikes, good catch, thanks!
>
> Otherwise the changes all look good; after fixing the above, feel free to add my
> Reviewed-by.
Ack.
> Yes, AES-GCM is the right choice here. It is, however, almost
> certainly the case that if someone can modify your swap partition, they can
> already own your system in many other ways, so the "authenticated" portion of
> "authenticated encryption" may not actually buy much in this situation :-)
True, though this is slightly different from people putting their
big_keys on NFS, I guess (but who would do such a thing anyway?).
> The patch is a little long and perhaps should be split into several patches,
> each of which fixes one bug; but see what David thinks.
Meh, it's a rewrite, so sure, it's long. I saw a bunch of bugs and
rewrote the whole thing rather than going one-by-one with the bugs,
which would have produced a series. Personally I'd prefer to keep it
like this than spending the time needling away with git and extra
commit messages and struggling to make them each build separately.
Seems like very very little gain for the time required to do that
right. *shrug* Will wait to hear from David.
> I should also note, that while there definitely were some inadmissible bugs
> here, the support for encrypting big_key's was only added recently, in the v4.7
> kernel. And obviously not encrypting at all is at least as much as a
> "vulnerability" as using weak encryption.
Yea that's fair. I'm mostly just running around like a headless
chicken after seeing ECB and wondering how this got committed in the
first place, but nobody really takes chickens seriously. But yes, I
suppose one way of considering this is just to say, "big_keys did not
use encryption before 4.14, even though the code was really
complicated."
> I'm also a little skeptical that
> people actually care enough about big_key's for it to be worthwhile to mark a
> rewrite like this for stable, though I suppose it wouldn't be *too* hard to at
> least cherry-pick this to 4.9 if you wanted. (There is a small conflict so
> you'd have to send the backport yourself after this goes into mainline.)
I imagine the conflicts will be moving back from get_random_bytes_wait
to get_random_bytes and maybe the loff_t/kernel_{read,write} thing. Is
this what you had in mind too? I should be able to handle those fairly
easily and send it to Greg manually after this lands.
Thanks again for the review, very appreciated.
Regards,
Jason
WARNING: multiple messages have this Message-ID (diff)
From: Jason@zx2c4.com (Jason A. Donenfeld)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5] security/keys: rewrite all of big_key crypto
Date: Sun, 17 Sep 2017 13:50:40 +0200 [thread overview]
Message-ID: <CAHmME9rjrz2Pn39ay3myApBeBtQAPNt0C+NvmFoV28NeT4_zLg@mail.gmail.com> (raw)
In-Reply-To: <20170917060457.GB10599@zzz.localdomain>
On Sun, Sep 17, 2017 at 8:04 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> This should jump to 'err_enckey', otherwise it will leak 'enckey'.
Yikes, good catch, thanks!
>
> Otherwise the changes all look good; after fixing the above, feel free to add my
> Reviewed-by.
Ack.
> Yes, AES-GCM is the right choice here. It is, however, almost
> certainly the case that if someone can modify your swap partition, they can
> already own your system in many other ways, so the "authenticated" portion of
> "authenticated encryption" may not actually buy much in this situation :-)
True, though this is slightly different from people putting their
big_keys on NFS, I guess (but who would do such a thing anyway?).
> The patch is a little long and perhaps should be split into several patches,
> each of which fixes one bug; but see what David thinks.
Meh, it's a rewrite, so sure, it's long. I saw a bunch of bugs and
rewrote the whole thing rather than going one-by-one with the bugs,
which would have produced a series. Personally I'd prefer to keep it
like this than spending the time needling away with git and extra
commit messages and struggling to make them each build separately.
Seems like very very little gain for the time required to do that
right. *shrug* Will wait to hear from David.
> I should also note, that while there definitely were some inadmissible bugs
> here, the support for encrypting big_key's was only added recently, in the v4.7
> kernel. And obviously not encrypting at all is at least as much as a
> "vulnerability" as using weak encryption.
Yea that's fair. I'm mostly just running around like a headless
chicken after seeing ECB and wondering how this got committed in the
first place, but nobody really takes chickens seriously. But yes, I
suppose one way of considering this is just to say, "big_keys did not
use encryption before 4.14, even though the code was really
complicated."
> I'm also a little skeptical that
> people actually care enough about big_key's for it to be worthwhile to mark a
> rewrite like this for stable, though I suppose it wouldn't be *too* hard to at
> least cherry-pick this to 4.9 if you wanted. (There is a small conflict so
> you'd have to send the backport yourself after this goes into mainline.)
I imagine the conflicts will be moving back from get_random_bytes_wait
to get_random_bytes and maybe the loff_t/kernel_{read,write} thing. Is
this what you had in mind too? I should be able to handle those fairly
easily and send it to Greg manually after this lands.
Thanks again for the review, very appreciated.
Regards,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kirill Marinushkin <k.marinushkin@gmail.com>,
security@kernel.org, stable@vger.kernel.org
Subject: [kernel-hardening] Re: [PATCH v5] security/keys: rewrite all of big_key crypto
Date: Sun, 17 Sep 2017 13:50:40 +0200 [thread overview]
Message-ID: <CAHmME9rjrz2Pn39ay3myApBeBtQAPNt0C+NvmFoV28NeT4_zLg@mail.gmail.com> (raw)
In-Reply-To: <20170917060457.GB10599@zzz.localdomain>
On Sun, Sep 17, 2017 at 8:04 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> This should jump to 'err_enckey', otherwise it will leak 'enckey'.
Yikes, good catch, thanks!
>
> Otherwise the changes all look good; after fixing the above, feel free to add my
> Reviewed-by.
Ack.
> Yes, AES-GCM is the right choice here. It is, however, almost
> certainly the case that if someone can modify your swap partition, they can
> already own your system in many other ways, so the "authenticated" portion of
> "authenticated encryption" may not actually buy much in this situation :-)
True, though this is slightly different from people putting their
big_keys on NFS, I guess (but who would do such a thing anyway?).
> The patch is a little long and perhaps should be split into several patches,
> each of which fixes one bug; but see what David thinks.
Meh, it's a rewrite, so sure, it's long. I saw a bunch of bugs and
rewrote the whole thing rather than going one-by-one with the bugs,
which would have produced a series. Personally I'd prefer to keep it
like this than spending the time needling away with git and extra
commit messages and struggling to make them each build separately.
Seems like very very little gain for the time required to do that
right. *shrug* Will wait to hear from David.
> I should also note, that while there definitely were some inadmissible bugs
> here, the support for encrypting big_key's was only added recently, in the v4.7
> kernel. And obviously not encrypting at all is at least as much as a
> "vulnerability" as using weak encryption.
Yea that's fair. I'm mostly just running around like a headless
chicken after seeing ECB and wondering how this got committed in the
first place, but nobody really takes chickens seriously. But yes, I
suppose one way of considering this is just to say, "big_keys did not
use encryption before 4.14, even though the code was really
complicated."
> I'm also a little skeptical that
> people actually care enough about big_key's for it to be worthwhile to mark a
> rewrite like this for stable, though I suppose it wouldn't be *too* hard to at
> least cherry-pick this to 4.9 if you wanted. (There is a small conflict so
> you'd have to send the backport yourself after this goes into mainline.)
I imagine the conflicts will be moving back from get_random_bytes_wait
to get_random_bytes and maybe the loff_t/kernel_{read,write} thing. Is
this what you had in mind too? I should be able to handle those fairly
easily and send it to Greg manually after this lands.
Thanks again for the review, very appreciated.
Regards,
Jason
next prev parent reply other threads:[~2017-09-17 11:50 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-16 13:00 [PATCH v4] security/keys: rewrite all of big_key crypto Jason A. Donenfeld
2017-09-16 13:00 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-16 13:00 ` Jason A. Donenfeld
2017-09-16 13:00 ` Jason A. Donenfeld
2017-09-16 13:05 ` [PATCH v5] " Jason A. Donenfeld
2017-09-16 13:05 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-16 13:05 ` Jason A. Donenfeld
2017-09-16 13:05 ` Jason A. Donenfeld
2017-09-17 6:04 ` Eric Biggers
2017-09-17 6:04 ` [kernel-hardening] " Eric Biggers
2017-09-17 6:04 ` Eric Biggers
2017-09-17 6:04 ` Eric Biggers
2017-09-17 11:50 ` Jason A. Donenfeld [this message]
2017-09-17 11:50 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-17 11:50 ` Jason A. Donenfeld
2017-09-17 11:50 ` Jason A. Donenfeld
2017-09-17 11:52 ` [PATCH v6] " Jason A. Donenfeld
2017-09-17 11:52 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-17 11:52 ` Jason A. Donenfeld
2017-09-17 11:52 ` Jason A. Donenfeld
2017-09-20 5:30 ` Stephan Mueller
2017-09-20 5:30 ` [kernel-hardening] " Stephan Mueller
2017-09-20 5:30 ` Stephan Mueller
2017-09-20 5:30 ` Stephan Mueller
2017-09-20 10:52 ` Jason A. Donenfeld
2017-09-20 10:52 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-20 10:52 ` Jason A. Donenfeld
2017-09-20 10:52 ` Jason A. Donenfeld
2017-09-20 13:45 ` Stephan Mueller
2017-09-20 13:45 ` [kernel-hardening] " Stephan Mueller
2017-09-20 13:45 ` Stephan Mueller
2017-09-20 13:45 ` Stephan Mueller
2017-09-20 14:01 ` Jason A. Donenfeld
2017-09-20 14:01 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-20 14:01 ` Jason A. Donenfeld
2017-09-20 14:01 ` Jason A. Donenfeld
2017-09-20 14:06 ` Stephan Mueller
2017-09-20 14:06 ` [kernel-hardening] " Stephan Mueller
2017-09-20 14:06 ` Stephan Mueller
2017-09-20 14:06 ` Stephan Mueller
2017-09-20 14:09 ` Jason A. Donenfeld
2017-09-20 14:09 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-20 14:09 ` Jason A. Donenfeld
2017-09-20 14:09 ` Jason A. Donenfeld
2017-09-19 15:38 ` David Howells
2017-09-19 15:38 ` [kernel-hardening] " David Howells
2017-09-19 15:38 ` David Howells
2017-09-19 15:38 ` David Howells
2017-09-20 14:56 ` Jason A. Donenfeld
2017-09-20 14:56 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-20 14:56 ` Jason A. Donenfeld
2017-09-20 14:56 ` Jason A. Donenfeld
2017-09-18 8:49 ` [PATCH v4] " Stephan Mueller
2017-09-18 8:49 ` [kernel-hardening] " Stephan Mueller
2017-09-18 8:49 ` Stephan Mueller
2017-09-18 8:49 ` Stephan Mueller
2017-09-18 9:04 ` [kernel-hardening] " Greg KH
2017-09-18 9:04 ` Greg KH
2017-09-18 9:04 ` Greg KH
2017-09-18 9:12 ` Stephan Mueller
2017-09-18 9:12 ` Stephan Mueller
2017-09-18 9:12 ` Stephan Mueller
2017-09-18 11:24 ` Jason A. Donenfeld
2017-09-18 11:24 ` [kernel-hardening] " Jason A. Donenfeld
2017-09-18 11:24 ` Jason A. Donenfeld
2017-09-18 11:24 ` Jason A. Donenfeld
2017-09-19 13:39 ` Theodore Ts'o
2017-09-19 13:39 ` [kernel-hardening] " Theodore Ts'o
2017-09-19 13:39 ` Theodore Ts'o
2017-09-19 13:39 ` Theodore Ts'o
2017-09-19 19:04 ` [kernel-hardening] " Sandy Harris
2017-09-19 19:04 ` Sandy Harris
2017-09-19 19:04 ` Sandy Harris
2017-09-19 19:17 ` Jason A. Donenfeld
2017-09-19 19:17 ` Jason A. Donenfeld
2017-09-19 19:17 ` Jason A. Donenfeld
2017-09-20 1:16 ` Theodore Ts'o
2017-09-20 1:16 ` Theodore Ts'o
2017-09-20 1:16 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHmME9rjrz2Pn39ay3myApBeBtQAPNt0C+NvmFoV28NeT4_zLg@mail.gmail.com \
--to=jason@zx2c4.com \
--cc=dhowells@redhat.com \
--cc=ebiggers3@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=k.marinushkin@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.