From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Daniel Kiper <dkiper@net-space.pl>,
	Leif Lindholm <leif@nuviainc.com>,
	Grant Likely <grant.likely@arm.com>,
	The development of GNU GRUB <grub-devel@gnu.org>,
	Nikita Ermakov <arei@altlinux.org>,
	Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: Re: [PATCH 0/2] efi: device tree fix-up
Date: Mon, 16 Aug 2021 10:58:47 +0200	[thread overview]
Message-ID: <fa8dcb35-84bb-8e1a-441d-57b4e8670699@canonical.com> (raw)
In-Reply-To: <CAMj1kXFb20khjaWEw3yVKxHT2q0-i4JJurfh5vREykvNRr=M1A@mail.gmail.com>

On 8/16/21 9:04 AM, Ard Biesheuvel wrote:
> On Sat, 14 Aug 2021 at 00:39, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>>
>> On 13 August 2021 22:22:49 CEST, Daniel Kiper <dkiper@net-space.pl> wrote:
>>> On Fri, Aug 13, 2021 at 06:22:49PM +0200, Heinrich Schuchardt wrote:
>>>> On 8/2/21 5:18 PM, Daniel Kiper wrote:
>>>>> Hi Heinrich,
>>>>>
>>>>> On Mon, Aug 02, 2021 at 03:00:55PM +0200, Heinrich Schuchardt wrote:
>>>>>> Hello Daniel,
>>>>>>
>>>>>> I sent this series when you were in the middle of getting GRUB-2.06 out.
>>>>>> Unfortunately I did not see any feedback yet. Could you, please, share your
>>>>>> thoughts.
>>>>>
>>>>> Sure, I will try to do that next week.
>>>>>
>>>>> Daniel
>>>>>
>>>>
>>>> The series conflicts with the RISC-V series patch
>>>> "linux: ignore FDT unless we need to modify it"
>>>> https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00010.html
>>>>
>>>> My priority would be to have the RISC-V series merged first. Then I can
>>>> rebase my series upon it.
>>>
>>> OK...
>>>
>>>> But anyhow feedback for the concept of devicetree fixups will be helpful.
>>>
>>> At first sight it looks good to me. Though it would be nice if somebody
>>> more familiar with DT than I would check the patches too. Leif?
>>>
>>> Heinrich, are you aware that devicetree command is disabled when UEFI
>>> Secure Boot is enabled? I think you should take into account that
>>> somehow in the next version of the patches.
>>
>> I wonder why the devicetree command is disabled while the initrd command is not. For an attacker the initrd is much more attractive.
>>
> 
> The initrd is user space, whereas the DT affects the internal plumbing
> of the kernel.

If you are able to modify initrd, you will gain root access. Who would 
call this secure?

> 
>> For both the initrd and the dt it would be good to introduce signatures.
>>
> 
> How the kernel authenticates the initrd is out of scope for secure boot.

Does it authenticate initrd?

Best regards

Heinrich

> 
>> A devicetree before fixups is invariant and could be signed together with the kernel and checked against shim's certificate database.
>>
>> Best regards
>>
>> Heinrich
>>
Thread overview: 11+ messages
2021-02-04 13:15 [PATCH 0/2] efi: device tree fix-up Heinrich Schuchardt
2021-02-04 13:15 ` [PATCH 1/2] efi: EFI Device Tree Fixup Protocol Heinrich Schuchardt
2021-02-04 13:15 ` [PATCH 2/2] 10_linux: support loading device trees Heinrich Schuchardt
2021-08-02 13:00 ` [PATCH 0/2] efi: device tree fix-up Heinrich Schuchardt
2021-08-02 15:18   ` Daniel Kiper
2021-08-13 16:22     ` Heinrich Schuchardt
2021-08-13 20:22       ` Daniel Kiper
2021-08-13 22:38         ` Heinrich Schuchardt
2021-08-16  7:04           ` Ard Biesheuvel
2021-08-16  8:58             ` Heinrich Schuchardt [this message]
2021-08-16  9:26               ` Ard Biesheuvel