* Kernel drivers and IOCTLs @ 2020-01-22 4:27 WyoFlippa 2020-01-22 19:04 ` Greg KH 2020-01-23 16:49 ` Valdis Klētnieks 0 siblings, 2 replies; 5+ messages in thread From: WyoFlippa @ 2020-01-22 4:27 UTC (permalink / raw) To: kernelnewbies Hi, I'm working on a driver that would verify a Linux or U-Boot image is secure and I need to pass parameters such as the public key, starting address, etc. I'd heard in talking to developers that IOCTLs are frowned upon. I also found this article that seems to indicate that using sysfs or proc is a better way to go. https://www.linuxjournal.com/article/8110 but then I see this article from 2013 which is more recent than the article. https://www.kernel.org/doc/html/latest/process/botching-up-ioctls.html So are IOCTLs discouraged or not? Thanks, TW _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Kernel drivers and IOCTLs 2020-01-22 4:27 Kernel drivers and IOCTLs WyoFlippa @ 2020-01-22 19:04 ` Greg KH 2020-01-23 16:49 ` Valdis Klētnieks 1 sibling, 0 replies; 5+ messages in thread From: Greg KH @ 2020-01-22 19:04 UTC (permalink / raw) To: WyoFlippa; +Cc: kernelnewbies On Tue, Jan 21, 2020 at 10:27:01PM -0600, WyoFlippa wrote: > Hi, > > I'm working on a driver that would verify a Linux or U-Boot image is secure > and I need to pass parameters such as the public key, starting address, etc. > I'd heard in talking to developers that IOCTLs are frowned upon. I also > found this article that seems to indicate that using sysfs or proc is a > better way to go. > > https://www.linuxjournal.com/article/8110 > > > but then I see this article from 2013 which is more recent than the article. > > https://www.kernel.org/doc/html/latest/process/botching-up-ioctls.html > > > So are IOCTLs discouraged or not? They are discouraged, except when they are necessary :) It all depends on exactly what you are trying to do. greg k-h _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Kernel drivers and IOCTLs 2020-01-22 4:27 Kernel drivers and IOCTLs WyoFlippa 2020-01-22 19:04 ` Greg KH @ 2020-01-23 16:49 ` Valdis Klētnieks 2020-02-05 2:57 ` WyoFlippa 1 sibling, 1 reply; 5+ messages in thread From: Valdis Klētnieks @ 2020-01-23 16:49 UTC (permalink / raw) To: WyoFlippa; +Cc: kernelnewbies [-- Attachment #1.1: Type: text/plain, Size: 1453 bytes --] On Tue, 21 Jan 2020 22:27:01 -0600, WyoFlippa said: > I'm working on a driver that would verify a Linux or U-Boot image is > secure and I need to pass parameters such as the public key, starting > address, etc. This is actually a lot harder to do properly than it looks, especially if you're trying to export the information to userspace - a compromised kernel can simply hijack your ioctl or /proc or /sys file and output that it's not compromised. You can't even easily use public/private keys to sign the statement it's not compromised, because if the legit kernel has access to the public key, the compromised code probably does too..... And if you're defending against sufficiently well-financed attackers, it may even be difficult for a driver to verify the rest of the kernel isn't compromised. As a fairly obvious attack, consider a kernel with 2 sets of page table mappings. First, a set that contains the original kernel code and is mapped in when your driver is executing, and then the *real* set that maps in other physical pages containing the skullduggery code, which gets mapped in when there's something evil being done.... So what *actual* problem are you trying to solve by using a driver to verify the image is "secure" (which needs further definition, but you probably already knew that if your skill level is up to doing this right...)? In particular, what are you trying to do that various secure boot schemes don't address? [-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Kernel drivers and IOCTLs 2020-01-23 16:49 ` Valdis Klētnieks @ 2020-02-05 2:57 ` WyoFlippa 2020-02-05 4:01 ` Valdis Klētnieks 0 siblings, 1 reply; 5+ messages in thread From: WyoFlippa @ 2020-02-05 2:57 UTC (permalink / raw) To: Valdis Klētnieks; +Cc: kernelnewbies Hi Valdis, On 1/23/2020 10:49 AM, Valdis Klētnieks wrote: > On Tue, 21 Jan 2020 22:27:01 -0600, WyoFlippa said: > >> I'm working on a driver that would verify a Linux or U-Boot image is >> secure and I need to pass parameters such as the public key, starting >> address, etc. > This is actually a lot harder to do properly than it looks, especially if > you're trying to export the information to userspace - a compromised kernel can > simply hijack your ioctl or /proc or /sys file and output that it's not > compromised. You can't even easily use public/private keys to sign the > statement it's not compromised, because if the legit kernel has access to the > public key, the compromised code probably does too..... > > And if you're defending against sufficiently well-financed attackers, it may > even be difficult for a driver to verify the rest of the kernel isn't > compromised. As a fairly obvious attack, consider a kernel with 2 sets of page > table mappings. First, a set that contains the original kernel code and is > mapped in when your driver is executing, and then the *real* set that maps in > other physical pages containing the skullduggery code, which gets mapped in > when there's something evil being done.... > > So what *actual* problem are you trying to solve by using a driver to verify > the image is "secure" (which needs further definition, but you probably already > knew that if your skill level is up to doing this right...)? In particular, what are > you trying to do that various secure boot schemes don't address? Thank you for the response and sorry for the delay in replying. I'm actually happy with the existing boot schemes. In this case, the driver is going to validate a signed image (U-Boot or Linux) before it is programmed into the flash memory. Although the image is validated when booting, it is one additional check to avoid surprises. Since Linux is validated, the driver should be trusted but you make a good point about the application accessing the driver in userspace. In addition to that problem, I'm wrestling with the method of getting the image to the driver. It looks like reading a file from the kernel is frowned upon except in the firmware case which is special. So I'll need to think about that some more. _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Kernel drivers and IOCTLs 2020-02-05 2:57 ` WyoFlippa @ 2020-02-05 4:01 ` Valdis Klētnieks 0 siblings, 0 replies; 5+ messages in thread From: Valdis Klētnieks @ 2020-02-05 4:01 UTC (permalink / raw) To: WyoFlippa; +Cc: kernelnewbies [-- Attachment #1.1: Type: text/plain, Size: 855 bytes --] On Tue, 04 Feb 2020 20:57:24 -0600, WyoFlippa said: > I'm actually happy with the existing boot schemes. In this case, the > driver is going to validate a signed image (U-Boot or Linux) before it > is programmed into the flash memory. Although the image is validated > when booting, it is one additional check to avoid surprises. Is there a reason you're trying to do it from a driver rather than from userspace? Under what realistic conditions will the kernel be trustable to do the validation while userspace isn't? What's the threat model here - in other words, what attack(s) are you trying to stop? (This is a lot trickier than it looks - over the decades, I've seen plenty of "Let's do this cargo-cult thing to stop attack X", while overlooking the fact that any attacker who can do X can equally easily do Y and still pwn the entire box.....) [-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-02-05 4:01 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-01-22 4:27 Kernel drivers and IOCTLs WyoFlippa 2020-01-22 19:04 ` Greg KH 2020-01-23 16:49 ` Valdis Klētnieks 2020-02-05 2:57 ` WyoFlippa 2020-02-05 4:01 ` Valdis Klētnieks
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).