linux-rdma.vger.kernel.org archive mirror
* [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
@ 2020-07-09 19:48 Alexander A. Klimov
  2020-07-10 14:22 ` Bart Van Assche
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander A. Klimov @ 2020-07-09 19:48 UTC (permalink / raw)
  To: bvanassche, dledford, jgg, linux-rdma, target-devel, linux-kernel
  Cc: Alexander A. Klimov

Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
---
 Continuing my work started at 93431e0607e5.
 See also: git log --oneline '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' v5.7..master
 (Actually letting a shell for loop submit all this stuff for me.)

 If there are any URLs to be removed completely or at least not HTTPSified:
 Just clearly say so and I'll *undo my change*.
 See also: https://lkml.org/lkml/2020/6/27/64

 If there are any valid, but yet not changed URLs:
 See: https://lkml.org/lkml/2020/6/26/837

 If you apply the patch, please let me know.


 drivers/infiniband/ulp/srpt/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index 4b5d9b792cfa..f63b34d9ae32 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -10,4 +10,4 @@ config INFINIBAND_SRPT
 	  that supports the RDMA protocol. Currently the RDMA protocol is
 	  supported by InfiniBand and by iWarp network hardware. More
 	  information about the SRP protocol can be found on the website
-	  of the INCITS T10 technical committee (http://www.t10.org/).
+	  of the INCITS T10 technical committee (https://www.t10.org/).
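Review bot: the commit message does not say what this one-line help-text change in `config INFINIBAND_SRPT` buys: the link is never fetched by the build, so the MITM rationale covers only a reader who opens it by hand. State that scope in the commit message, and record when the "200 OK and serve the same content" comparison was made, since that result is a point-in-time observation a later reader cannot check from the diff.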
-- 
2.27.0



* Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
  2020-07-09 19:48 [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones Alexander A. Klimov
@ 2020-07-10 14:22 ` Bart Van Assche
  2020-07-10 18:12   ` Alexander A. Klimov
  0 siblings, 1 reply; 7+ messages in thread
From: Bart Van Assche @ 2020-07-10 14:22 UTC (permalink / raw)
  To: Alexander A. Klimov, dledford, jgg, linux-rdma, target-devel,
	linux-kernel

On 2020-07-09 12:48, Alexander A. Klimov wrote:
> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> index 4b5d9b792cfa..f63b34d9ae32 100644
> --- a/drivers/infiniband/ulp/srpt/Kconfig
> +++ b/drivers/infiniband/ulp/srpt/Kconfig
> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>  	  that supports the RDMA protocol. Currently the RDMA protocol is
>  	  supported by InfiniBand and by iWarp network hardware. More
>  	  information about the SRP protocol can be found on the website
> -	  of the INCITS T10 technical committee (http://www.t10.org/).
> +	  of the INCITS T10 technical committee (https://www.t10.org/).

It is not clear to me how modifying an URL in a Kconfig file helps to
reduce the attack surface on kernel devs?

Thanks,

Bart.




* Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
  2020-07-10 14:22 ` Bart Van Assche
@ 2020-07-10 18:12   ` Alexander A. Klimov
  2020-07-12 19:52     ` Bart Van Assche
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander A. Klimov @ 2020-07-10 18:12 UTC (permalink / raw)
  To: Bart Van Assche, dledford, jgg, linux-rdma, target-devel, linux-kernel



On 10.07.20 at 16:22, Bart Van Assche wrote:
> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>> index 4b5d9b792cfa..f63b34d9ae32 100644
>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>   	  that supports the RDMA protocol. Currently the RDMA protocol is
>>   	  supported by InfiniBand and by iWarp network hardware. More
>>   	  information about the SRP protocol can be found on the website
>> -	  of the INCITS T10 technical committee (http://www.t10.org/).
>> +	  of the INCITS T10 technical committee (https://www.t10.org/).
> 
> It is not clear to me how modifying an URL in a Kconfig file helps to
> reduce the attack surface on kernel devs?
Not on all, just on the ones who open it.

> 
> Thanks,
> 
> Bart.
> 
> 


* Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
  2020-07-10 18:12   ` Alexander A. Klimov
@ 2020-07-12 19:52     ` Bart Van Assche
  2020-07-12 20:15       ` Alexander A. Klimov
  0 siblings, 1 reply; 7+ messages in thread
From: Bart Van Assche @ 2020-07-12 19:52 UTC (permalink / raw)
  To: Alexander A. Klimov, dledford, jgg, linux-rdma, target-devel,
	linux-kernel

On 2020-07-10 11:12, Alexander A. Klimov wrote:
> On 10.07.20 at 16:22, Bart Van Assche wrote:
>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>         that supports the RDMA protocol. Currently the RDMA protocol is
>>>         supported by InfiniBand and by iWarp network hardware. More
>>>         information about the SRP protocol can be found on the website
>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>
>> It is not clear to me how modifying an URL in a Kconfig file helps to
>> reduce the attack surface on kernel devs?
>
> Not on all, just on the ones who open it.

Is changing every single HTTP URL in the kernel into a HTTPS URL the best
solution? Is this the only solution? Has it been considered to recommend
kernel developers who are concerned about MITM attacks to install a browser
extension like HTTPS Everywhere instead?

Thanks,

Bart.


* Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
  2020-07-12 19:52     ` Bart Van Assche
@ 2020-07-12 20:15       ` Alexander A. Klimov
  2020-07-13 13:50         ` Jason Gunthorpe
  0 siblings, 1 reply; 7+ messages in thread
From: Alexander A. Klimov @ 2020-07-12 20:15 UTC (permalink / raw)
  To: Bart Van Assche, dledford, jgg, linux-rdma, target-devel, linux-kernel
  Cc: Jonathan Corbet, Linus Torvalds, David Miller, Greg KH



On 12.07.20 at 21:52, Bart Van Assche wrote:
> On 2020-07-10 11:12, Alexander A. Klimov wrote:
>> On 10.07.20 at 16:22, Bart Van Assche wrote:
>>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>>          that supports the RDMA protocol. Currently the RDMA protocol is
>>>>          supported by InfiniBand and by iWarp network hardware. More
>>>>          information about the SRP protocol can be found on the website
>>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>>
>>> It is not clear to me how modifying an URL in a Kconfig file helps to
>>> reduce the attack surface on kernel devs?
>>
>> Not on all, just on the ones who open it.
> 
> Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> solution? Is this the only solution? Has it been considered to recommend
> kernel developers who are concerned about MITM attacks to install a browser
> extension like HTTPS Everywhere instead?
I've installed that addon myself.
But IMAO it's just a workaround which is (not available to all browsers, 
not installed by default in any of them and) not even 100% secure unless 
you tick a particular checkbox.

Anyway the majority of maintainers and Torvalds himself agree with my 
solution.

I mean, just look at
git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \
--oneline v5.7..master

Or (better) wait for v5.9-rc1 (and all the yet just applied patches it 
will consist of) *and then* run the command.

> 
> Thanks,
> 
> Bart.
> 


* Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones
  2020-07-12 20:15       ` Alexander A. Klimov
@ 2020-07-13 13:50         ` Jason Gunthorpe
  2020-07-13 21:48           ` [PATCH v2] IB: " Alexander A. Klimov
  0 siblings, 1 reply; 7+ messages in thread
From: Jason Gunthorpe @ 2020-07-13 13:50 UTC (permalink / raw)
  To: Alexander A. Klimov
  Cc: Bart Van Assche, dledford, linux-rdma, target-devel,
	linux-kernel, Jonathan Corbet, Linus Torvalds, David Miller,
	Greg KH

On Sun, Jul 12, 2020 at 10:15:29PM +0200, Alexander A. Klimov wrote:
> 
> 
> On 12.07.20 at 21:52, Bart Van Assche wrote:
> > On 2020-07-10 11:12, Alexander A. Klimov wrote:
> > > On 10.07.20 at 16:22, Bart Van Assche wrote:
> > > > On 2020-07-09 12:48, Alexander A. Klimov wrote:
> > > > > diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > index 4b5d9b792cfa..f63b34d9ae32 100644
> > > > > +++ b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
> > > > >          that supports the RDMA protocol. Currently the RDMA protocol is
> > > > >          supported by InfiniBand and by iWarp network hardware. More
> > > > >          information about the SRP protocol can be found on the website
> > > > > -      of the INCITS T10 technical committee (http://www.t10.org/).
> > > > > +      of the INCITS T10 technical committee (https://www.t10.org/).
> > > > 
> > > > It is not clear to me how modifying an URL in a Kconfig file helps to
> > > > reduce the attack surface on kernel devs?
> > > 
> > > Not on all, just on the ones who open it.
> > 
> > Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> > solution? Is this the only solution? Has it been considered to recommend
> > kernel developers who are concerned about MITM attacks to install a browser
> > extension like HTTPS Everywhere instead?
> I've installed that addon myself.
> But IMAO it's just a workaround which is (not available to all browsers, not
> installed by default in any of them and) not even 100% secure unless you
> tick a particular checkbox.
> 
> Anyway the majority of maintainers and Torvalds himself agree with my
> solution.
> 
> I mean, just look at
> git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \
> 
> Or (better) wait for v5.9-rc1 (and all the yet just applied patches it will
> consist of) *and then* run the command.

Well, if you are going to do this please send just one patch for all
of drivers/infiniband/ and include/rdma

I don't need to see it broken up any more than that

Jason


* [PATCH v2] IB: Replace HTTP links with HTTPS ones
  2020-07-13 13:50         ` Jason Gunthorpe
@ 2020-07-13 21:48           ` Alexander A. Klimov
  0 siblings, 0 replies; 7+ messages in thread
From: Alexander A. Klimov @ 2020-07-13 21:48 UTC (permalink / raw)
  To: sagi, maxg, dledford, jgg, bvanassche, linux-rdma, linux-kernel,
	target-devel
  Cc: Alexander A. Klimov

Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
---
 Just drivers/infiniband. There's nothing for include/rdma.

 drivers/infiniband/ulp/iser/Kconfig | 2 +-
 drivers/infiniband/ulp/srp/Kconfig  | 2 +-
 drivers/infiniband/ulp/srpt/Kconfig | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/ulp/iser/Kconfig b/drivers/infiniband/ulp/iser/Kconfig
index 3016a0c9a9f0..6ba73ae1291b 100644
--- a/drivers/infiniband/ulp/iser/Kconfig
+++ b/drivers/infiniband/ulp/iser/Kconfig
@@ -9,5 +9,5 @@ config INFINIBAND_ISER
 	  that speak iSCSI over iSER over InfiniBand.
 
 	  The iSER protocol is defined by IETF.
-	  See <http://www.ietf.org/rfc/rfc5046.txt>
+	  See <https://www.ietf.org/rfc/rfc5046.txt>
 	  and <http://members.infinibandta.org/kwspub/spec/Annex_iSER.PDF>
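Review bot: the trailing context line of this hunk still reads `and <http://members.infinibandta.org/kwspub/spec/Annex_iSER.PDF>`, so after the change the iSER help text mixes an HTTPS link with an HTTP one. If that URL was skipped because it failed the 200 OK / same-content test, list it as skipped in the commit message so the omission is visibly deliberate.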
diff --git a/drivers/infiniband/ulp/srp/Kconfig b/drivers/infiniband/ulp/srp/Kconfig
index 67cd63d1399c..c33f4e5fa4d7 100644
--- a/drivers/infiniband/ulp/srp/Kconfig
+++ b/drivers/infiniband/ulp/srp/Kconfig
@@ -9,5 +9,5 @@ config INFINIBAND_SRP
 	  InfiniBand.
 
 	  The SRP protocol is defined by the INCITS T10 technical
-	  committee.  See <http://www.t10.org/>.
+	  committee.  See <https://www.t10.org/>.
 
diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index 4b5d9b792cfa..f63b34d9ae32 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -10,4 +10,4 @@ config INFINIBAND_SRPT
 	  that supports the RDMA protocol. Currently the RDMA protocol is
 	  supported by InfiniBand and by iWarp network hardware. More
 	  information about the SRP protocol can be found on the website
-	  of the INCITS T10 technical committee (http://www.t10.org/).
+	  of the INCITS T10 technical committee (https://www.t10.org/).
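Review bot: this srpt hunk carries the same index line (`4b5d9b792cfa..f63b34d9ae32`) and content as the v1 patch, yet the notes under `---` only say "Just drivers/infiniband." Add a short v1-to-v2 changelog there stating that this patch supersedes the srpt-only v1 and now also covers the iser and srp Kconfig files, so that both are not applied.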
-- 
2.27.0

