From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: David Howells <dhowells@redhat.com>,
linux-kernel@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
minyard@acm.org
Subject: Re: [PATCH 01/39] Annotate module params that specify hardware parameters (eg. ioport)
Date: Fri, 2 Dec 2016 07:12:46 +0000 [thread overview]
Message-ID: <20161202071246.GA27889@srcf.ucam.org> (raw)
In-Reply-To: <20161202065530.GA19753@kroah.com>
On Fri, Dec 02, 2016 at 07:55:30AM +0100, Greg KH wrote:
> On Fri, Dec 02, 2016 at 03:07:00AM +0000, Matthew Garrett wrote:
> > If root is able to modify the behaviour of verified code after it was
> > verified, then the value of that verification is reduced. Ensuring that
> > the code remains trustworthy is vital in a number of security use cases.
>
> Ok, but why are you now deciding to somehow try to "classify" the types
> of module parameters? Why would you want to allow irqs to change, but
> not iobase? Or something else? Who is going to do this "I want you and
> you but not you" decision? Why not just forbid all module parameters at
> all if they are so dangerous?
If the parameters plausibly make it possible for root to modify the
kernel in interesting ways, then restricting them makes sense. My gut
sense is that parameters that allow the alteration of the base address
of memory mapped devices are clearly a problem in this respect, but port
io and IRQs *probably* aren't. On the other hand, blocking mmio base
addresses and not blocking the others is kind of inconsistent.
> > If root can tell a driver to probe for hardware at a specific address,
> > and that driver will then blindly do so, root is trivially able to
> > modify arbitrary kernel memory and disable arbitrary security features.
> > IRQ or io port attacks are much more difficult to take advantage of, but
> > I could imagine that some of them are still plausible.
>
> Then just mark them all as "bad", why pick and choose?
Most parameters are going to be fine, but sure, flagging all
IRQ/mmio/pio address parameters seems reasonable.
> > Here's an example. The sysfs option to enable module signing is write
> > once. If root sets that, root can't unset it. Except there's a whole
> > bunch of ways that root *can* unset it, including kexec
> > (https://mjg59.dreamwidth.org/28746.html) and a bunch of other things
> > that are disabled by this patchset. That feature is entirely useless as
> > is. This patchset helps make it useful.
>
> "this" patchset does nothing to disable anything, so I can't speak to
> any of the other goals you might have for that code, that's not what we
> are reviewing here.
This is prep work that makes it possible to block module parameters that
would otherwise make it possible to avoid those restrictions.
> > Right now, the secure boot patchset is shipped by basically every single
> > mainstream Linux distribution (and a whole bunch that are niche). Right
> > now they're having to do extra work to rebase it and ensure that fixes
> > get distributed to everyone. There's clearly demand, and Linus has been
> > clear that features that are shipped by everyone should just go into
> > mainline, so if there are *technical* objections then let's figure them
> > out and otherwise just get this stuff merged.
>
> "this stuff" is brand new things, that no one is shipping. And nothing
> "just goes" into mainline, no matter what foolish stuff distros end up
> shipping (an example, do you want the giant Xen kernel patchset that
> SuSE has been dragging around for 10+ years?)
This is a logical extension to the base patchset, and one maintainer has
NAKed the base patchset due to it lacking this feature. If you don't
care about this then just tell Alan that you want the base patchset
merged anyway and we'll go from there. Let's not get into a situation
where people are being given incompatible requirements before
something's merged.
--
Matthew Garrett | mjg59@srcf.ucam.org
next prev parent reply other threads:[~2016-12-02 7:12 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-01 12:29 [PATCH 00/39] Annotate hw config module params for future lockdown David Howells
2016-12-01 12:29 ` [PATCH 01/39] Annotate module params that specify hardware parameters (eg. ioport) David Howells
2016-12-01 15:01 ` Greg KH
2016-12-02 3:07 ` Matthew Garrett
2016-12-02 6:55 ` Greg KH
2016-12-02 7:12 ` Matthew Garrett [this message]
2016-12-05 21:26 ` One Thousand Gnomes
2016-12-02 14:59 ` David Howells
2016-12-05 15:47 ` Greg KH
2016-12-06 10:54 ` David Howells
2016-12-01 16:02 ` David Howells
2016-12-05 21:12 ` One Thousand Gnomes
2016-12-06 7:11 ` Greg KH
2016-12-06 10:42 ` David Howells
2016-12-06 10:50 ` Greg KH
2016-12-01 12:29 ` [PATCH 02/39] Annotate hardware config module parameters in arch/x86/mm/ David Howells
2016-12-01 12:30 ` [PATCH 03/39] Annotate hardware config module parameters in drivers/char/ipmi/ David Howells
2016-12-01 13:14 ` Corey Minyard
2016-12-01 12:30 ` [PATCH 04/39] Annotate hardware config module parameters in drivers/char/mwave/ David Howells
2016-12-01 12:30 ` [PATCH 05/39] Annotate hardware config module parameters in drivers/char/ David Howells
2016-12-01 12:30 ` [PATCH 06/39] Annotate hardware config module parameters in drivers/clocksource/ David Howells
2016-12-01 12:30 ` [PATCH 07/39] Annotate hardware config module parameters in drivers/cpufreq/ David Howells
2016-12-01 14:02 ` Rafael J. Wysocki
2016-12-01 14:19 ` David Howells
2016-12-01 14:21 ` Rafael J. Wysocki
2016-12-01 12:30 ` [PATCH 08/39] Annotate hardware config module parameters in drivers/gpio/ David Howells
2016-12-01 13:49 ` William Breathitt Gray
2016-12-02 12:55 ` Linus Walleij
2016-12-01 12:30 ` [PATCH 09/39] Annotate hardware config module parameters in drivers/i2c/ David Howells
2016-12-01 13:47 ` Jean Delvare
2016-12-01 14:12 ` David Howells
2016-12-01 16:06 ` Jean Delvare
2016-12-05 21:09 ` One Thousand Gnomes
2016-12-01 12:30 ` [PATCH 10/39] Annotate hardware config module parameters in drivers/iio/ David Howells
2016-12-01 13:50 ` William Breathitt Gray
2016-12-03 9:05 ` Jonathan Cameron
2016-12-07 13:43 ` David Howells
2016-12-01 12:31 ` [PATCH 11/39] Annotate hardware config module parameters in drivers/input/ David Howells
2016-12-03 18:51 ` Dmitry Torokhov
2016-12-01 12:31 ` [PATCH 12/39] Annotate hardware config module parameters in drivers/isdn/ David Howells
2016-12-01 12:31 ` [PATCH 13/39] Annotate hardware config module parameters in drivers/media/ David Howells
2016-12-01 12:31 ` [PATCH 14/39] Annotate hardware config module parameters in drivers/misc/ David Howells
2016-12-01 12:31 ` [PATCH 15/39] Annotate hardware config module parameters in drivers/mmc/host/ David Howells
2016-12-01 12:31 ` [PATCH 16/39] Annotate hardware config module parameters in drivers/net/appletalk/ David Howells
2016-12-01 12:31 ` [PATCH 17/39] Annotate hardware config module parameters in drivers/net/arcnet/ David Howells
2016-12-01 12:32 ` [PATCH 18/39] Annotate hardware config module parameters in drivers/net/can/ David Howells
2016-12-01 13:05 ` Marc Kleine-Budde
2016-12-01 12:32 ` [PATCH 19/39] Annotate hardware config module parameters in drivers/net/ethernet/ David Howells
2016-12-01 12:32 ` [PATCH 20/39] Annotate hardware config module parameters in drivers/net/hamradio/ David Howells
2016-12-01 12:32 ` [PATCH 21/39] Annotate hardware config module parameters in drivers/net/irda/ David Howells
2016-12-01 12:32 ` [PATCH 22/39] Annotate hardware config module parameters in drivers/net/wan/ David Howells
2016-12-01 12:32 ` [PATCH 23/39] Annotate hardware config module parameters in drivers/net/wireless/ David Howells
2016-12-02 5:04 ` Kalle Valo
2016-12-07 13:45 ` David Howells
2016-12-01 12:32 ` [PATCH 24/39] Annotate hardware config module parameters in drivers/parport/ David Howells
2016-12-01 12:32 ` [PATCH 25/39] Annotate hardware config module parameters in drivers/pci/hotplug/ David Howells
2016-12-07 18:34 ` Bjorn Helgaas
2016-12-01 12:33 ` [PATCH 26/39] Annotate hardware config module parameters in drivers/pcmcia/ David Howells
2016-12-01 12:33 ` [PATCH 27/39] Annotate hardware config module parameters in drivers/scsi/ David Howells
2016-12-01 22:05 ` Finn Thain
2017-04-05 14:33 ` David Howells
2016-12-01 12:33 ` [PATCH 28/39] Annotate hardware config module parameters in drivers/staging/i4l/ David Howells
2016-12-01 12:33 ` [PATCH 29/39] Annotate hardware config module parameters in drivers/staging/media/ David Howells
2016-12-01 14:54 ` Mauro Carvalho Chehab
2016-12-01 14:59 ` David Howells
2016-12-01 15:17 ` Mauro Carvalho Chehab
2016-12-01 12:33 ` [PATCH 30/39] Annotate hardware config module parameters in drivers/staging/speakup/ David Howells
2016-12-01 12:33 ` [PATCH 31/39] Annotate hardware config module parameters in drivers/staging/vme/ David Howells
2016-12-01 12:33 ` [PATCH 32/39] Annotate hardware config module parameters in drivers/tty/ David Howells
2016-12-01 15:02 ` Greg Kroah-Hartman
2016-12-01 12:34 ` [PATCH 33/39] Annotate hardware config module parameters in drivers/video/ David Howells
2016-12-01 12:34 ` [PATCH 34/39] Annotate hardware config module parameters in drivers/watchdog/ David Howells
2016-12-01 12:58 ` Guenter Roeck
2016-12-01 12:34 ` [PATCH 35/39] Annotate hardware config module parameters in fs/pstore/ David Howells
2016-12-01 12:34 ` [PATCH 36/39] Annotate hardware config module parameters in sound/drivers/ David Howells
2016-12-01 12:34 ` [PATCH 37/39] Annotate hardware config module parameters in sound/isa/ David Howells
2016-12-01 12:34 ` [PATCH 38/39] Annotate hardware config module parameters in sound/oss/ David Howells
2016-12-01 12:34 ` [PATCH 39/39] Annotate hardware config module parameters in sound/pci/ David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161202071246.GA27889@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=minyard@acm.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).