From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ard Biesheuvel
Date: Mon, 16 Aug 2021 11:26:20 +0200
Subject: Re: [PATCH 0/2] efi: device tree fix-up
To: Heinrich Schuchardt
Cc: Daniel Kiper, Leif Lindholm, Grant Likely, The development of GNU GRUB, Nikita Ermakov, Heinrich Schuchardt
References: <20210204131558.1048-1-xypron.glpk@gmx.de>
 <175518e1-9d7a-0f69-41c7-042ba55bf87d@canonical.com>
 <20210802151842.2ycunjvbuulvwb34@tomti.i.net-space.pl>
 <67c43f0c-ff15-26d3-06a1-e00a553c0a07@canonical.com>
 <20210813202249.zwknppfd4lyoxmym@tomti.i.net-space.pl>
 <720C236D-B532-48F4-AD30-1B8DD88797E8@gmx.de>
List-Id: The development of GNU GRUB
Content-Type: text/plain; charset="UTF-8"

On Mon, 16 Aug 2021 at 10:58, Heinrich Schuchardt wrote:
>
> On 8/16/21 9:04 AM, Ard Biesheuvel wrote:
> > On Sat, 14 Aug 2021 at 00:39, Heinrich Schuchardt wrote:
> >>
> >> On 13 August 2021 22:22:49 MESZ, Daniel Kiper wrote:
> >>> On Fri, Aug 13, 2021 at 06:22:49PM +0200, Heinrich Schuchardt wrote:
> >>>> On 8/2/21 5:18 PM, Daniel Kiper wrote:
> >>>>> Hi Heinrich,
> >>>>>
> >>>>> On Mon, Aug 02, 2021 at 03:00:55PM +0200, Heinrich Schuchardt wrote:
> >>>>>> Hello Daniel,
> >>>>>>
> >>>>>> I sent this series when you were in the middle of getting GRUB-2.06 out.
> >>>>>> Unfortunately I did not see any feedback yet. Could you, please, share your
> >>>>>> thoughts.
> >>>>>
> >>>>> Sure, I will try to do that next week.
> >>>>>
> >>>>> Daniel
> >>>>>
> >>>>
> >>>> The series conflicts with the RISC-V series patch
> >>>> "linux: ignore FDT unless we need to modify it"
> >>>> https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00010.html
> >>>>
> >>>> My priority would be to have the RISC-V series merged first. Then I can
> >>>> rebase my series upon it.
> >>>
> >>> OK...
> >>>
> >>>> But anyhow feedback for the concept of devicetree fixups will be helpful.
> >>>
> >>> At first sight it looks good to me. Though it would be nice if somebody
> >>> more familiar with DT than I would check the patches too. Leif?
> >>>
> >>> Heinrich, are you aware that devicetree command is disabled when UEFI
> >>> Secure Boot is enabled? I think you should take into account that
> >>> somehow in the next version of the patches.
> >>
> >> I wonder why the devicetree command is disabled while the initrd command is not. For an attacker the initrd is much more attractive.
> >>
> >
> > The initrd is user space, whereas the DT affects the internal plumbing
> > of the kernel.
>
> If you are able to modify initrd, you will gain root access. Who would
> call this secure?
>

Gaining root access is very different from having direct control over
code which runs with kernel privileges.

initrd signing may be problematic in distro deployment scenarios, where
initrd measurements involving a TPM are more suitable. The reason is
that the initrd is generated on the target, and so the signing key
should be available on the target as well, which is obviously not
feasible for distros.

>
> >
> >> For both the initrd and the dt it would be good to introduce signatures.
> >>
> >
> > How the kernel authenticates the initrd is out of scope for secure boot.
>
> Does it authenticate initrd?

I don't understand the question.
Secure boot can be deployed in many different ways: some deployments may decide to authenticate the initrd by relying on public key crypto, others may tie the root filesystem decryption key to a successful measurement of the initrd into the TPM.
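As an added illustration of the measurement-based alternative described in the thread (not code from the thread, from GRUB or from any TPM stack): a constructed Python simulation that extends a PCR with the kernel and the initrd and binds a root filesystem key to the resulting value, so a locally generated initrd needs no signing key on the target, yet any change to it leaves the key unrecoverable. PCR extend, sealing and the TPM-held secret are all stand-ins built from hashlib/hmac, and every input is constructed sample data.

```python
"""Constructed simulation of binding a filesystem key to a TPM measurement
of the boot chain. No real TPM or signing is involved: pcr_extend mirrors
the TPM extend formula, and seal/unseal stand in for TPM sealing using a
secret that in hardware would never leave the chip."""
import hashlib
import hmac

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(kernel: bytes, initrd: bytes) -> bytes:
    """Extend a zeroed PCR with the kernel, then the initrd, in boot order."""
    pcr = pcr_extend(bytes(32), kernel)
    return pcr_extend(pcr, initrd)

def seal_key(tpm_secret: bytes, fs_key: bytes, expected_pcr: bytes) -> bytes:
    """Bind fs_key to a PCR value by XORing it with a pad derived from the
    TPM secret and that PCR. Only the same PCR reproduces the same pad."""
    pad = hmac.new(tpm_secret, expected_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(fs_key, pad))

def unseal_key(tpm_secret: bytes, sealed: bytes, current_pcr: bytes) -> bytes:
    """Unseal against whatever PCR the current boot produced; a modified
    kernel or initrd yields a different pad and therefore a useless key."""
    return seal_key(tpm_secret, sealed, current_pcr)

# Constructed sample data (stand-ins, not real images or secrets).
TPM_SECRET = b"constructed-tpm-internal-secret"
KERNEL = b"constructed kernel image"
INITRD = b"constructed initrd generated on this machine"
FS_KEY = hashlib.sha256(b"constructed root filesystem key").digest()

def enroll(initrd: bytes = INITRD) -> bytes:
    """Run once on the target after a known-good boot: seal the key to the
    PCR value that boot produced. No signing key is needed on the target."""
    return seal_key(TPM_SECRET, FS_KEY, measure_boot(KERNEL, initrd))

def boot_and_unseal(initrd: bytes, sealed: bytes) -> bytes:
    """Simulate a later boot with the given initrd and return the key the
    TPM would hand back; it equals FS_KEY only if the boot chain is unchanged."""
    return unseal_key(TPM_SECRET, sealed, measure_boot(KERNEL, initrd))

if __name__ == "__main__":
    sealed = enroll()
    print("unchanged initrd unseals:", boot_and_unseal(INITRD, sealed) == FS_KEY)
    print("modified initrd unseals:",
          boot_and_unseal(INITRD + b" tampered", sealed) == FS_KEY)
```

Regenerating the initrd legitimately (a kernel update, for instance) also changes the PCR, which is why such deployments re-seal the key after each rebuild rather than relying on a per-target signing key.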