From: ebiederm@xmission.com (Eric W. Biederman)
To: Petr Tesarik
Cc: Thiago Jung Bauermann, bhe@redhat.com, arnd@arndb.de, linuxppc-dev@lists.ozlabs.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, AKASHI Takahiro, linux-arm-kernel@lists.infradead.org, dyoung@redhat.com, vgoyal@redhat.com
References: <20160712014201.11456-1-takahiro.akashi@linaro.org> <87furf7ztv.fsf@x220.int.ebiederm.org> <50662781.Utjsnse3nb@hactar> <20160712225805.0d27fe5d@hananiah.suse.cz>
Date: Tue, 12 Jul 2016 16:22:07 -0500
In-Reply-To: <20160712225805.0d27fe5d@hananiah.suse.cz> (Petr Tesarik's message of "Tue, 12 Jul 2016 22:58:05 +0200")
Message-ID: <87a8hm1ri8.fsf@x220.int.ebiederm.org>
Subject: Re: [RFC 0/3] extend kexec_file_load system call
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

Petr Tesarik writes:

> On Tue, 12 Jul 2016 13:25:11 -0300
> Thiago Jung Bauermann wrote:
>
>> Hi Eric,
>>
>> I'm trying to understand your concerns leading to your nack. I hope you
>> don't mind expanding your thoughts on them a bit.
>>
>> On Tuesday, 12 July 2016, 08:25:48 Eric W. Biederman wrote:
>> > AKASHI Takahiro writes:
>> > > Device tree blob must be passed to a second kernel on DTB-capable
>> > > archs, like powerpc and arm64, but the current kernel interface
>> > > lacks this support.
>> > >
>> > > This patch extends the kexec_file_load system call by adding an extra
>> > > argument to this syscall so that an arbitrary number of file descriptors
>> > > can be handed out from user space to the kernel.
>> > >
>> > > See the background [1].
>> > >
>> > > Please note that the new interface looks quite similar to the current
>> > > system call, but that it won't always mean that it provides the "binary
>> > > compatibility."
>> > >
>> > > [1] http://lists.infradead.org/pipermail/kexec/2016-June/016276.html
>> >
>> > So this design is wrong. The kernel already has the device tree blob,
>> > you should not be extracting it from the kernel, munging it, and then
>> > reinserting it in the kernel if you want signatures and everything to
>> > pass.
>>
>> I don't understand how the kernel signature will be invalidated.
>>
>> There are some types of boot images that can embed a device tree blob in
>> them, but the kernel can also be handed a separate device tree blob from
>> firmware, the boot loader, or kexec. This latter case is what we are
>> discussing, so we are not talking about modifying an embedded blob in the
>> kernel image.
>>
>> > What x86 does is pass its equivalent of the device tree blob from one
>> > kernel to another directly and behind the scenes. It does not go
>> > through userspace for this.
>> >
>> > Until a persuasive case can be made for going around the kernel and
>> > probably adding a feature (like code execution) that can be used to
>> > defeat the signature scheme I am going to nack this.
>>
>> I also don't understand what you mean by code execution. How does passing a
>> device tree blob via kexec enable code execution? How can the signature
>> scheme be defeated?
>
> I'm not an expert on DTB, so I can't provide an example of code
> execution, but you have already mentioned the /chosen/linux,stdout-path
> property. If an attacker redirects the bootloader to an insecure
> console, they may get access to the system that would otherwise be
> impossible.
>
> In general, tampering with the hardware inventory of a machine opens up
> a security hole, and one must be very cautious which modifications are
> allowed.
> You're giving this power to an (unsigned, hence untrusted)
> userspace application; Eric argues that only the kernel should have
> this power. At the very least it should be signed.

And of course the more signed images we have in different combinations the
more easily someone can find a combination that does things the people
performing the signing didn't realize they were allowing.

So if we can not add an extra variable into the mix it would be good.

Eric
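As an added illustration of the concern raised in the thread (tampering with the hardware inventory, and the /chosen/linux,stdout-path property in particular), the following Python is an example written for this page; it is not code from the thread, from the RFC patches, or from the kernel. It builds two small flattened device trees from constructed data (the firmware-provided one and a copy with the console path changed), parses the FDT structure block, and reports which differences a userspace-supplied DTB introduces under /chosen. The DTB builder, the sample board contents, and the policy of which nodes count as sensitive are all assumptions made for the example.

```python
"""Audit a userspace-supplied DTB against the copy the kernel already has.

Added example (not the kernel's or the RFC's code). The builder exists only
so the example runs offline on constructed input; the policy below is an
assumption for illustration.
"""
import copy
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

# Assumed policy: a supplied DTB may not add or remove nodes anywhere, and
# may not change any property under /chosen (where linux,stdout-path lives).
SENSITIVE_NODES = ("/chosen",)


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_dtb(tree: dict) -> bytes:
    """Serialise {"props": {...}, "children": {name: subtree}} into a minimal
    DTB (version 17 header, empty memory reservation map). Constructed helper."""
    strings, struct_blob, offsets = bytearray(), bytearray(), {}

    def name_off(name: str) -> int:
        if name not in offsets:
            offsets[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return offsets[name]

    def emit_node(name: str, node: dict) -> None:
        struct_blob.extend(struct.pack(">I", FDT_BEGIN_NODE))
        struct_blob.extend(_pad4(name.encode() + b"\0"))
        for prop, value in node.get("props", {}).items():
            struct_blob.extend(struct.pack(">III", FDT_PROP, len(value), name_off(prop)))
            struct_blob.extend(_pad4(value))
        for cname, child in node.get("children", {}).items():
            emit_node(cname, child)
        struct_blob.extend(struct.pack(">I", FDT_END_NODE))

    emit_node("", tree)
    struct_blob.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)          # terminating reservation entry
    off_rsv = 40                                # header is ten big-endian u32
    off_struct = off_rsv + len(rsvmap)
    off_strings = off_struct + len(struct_blob)
    total = off_strings + len(strings)
    header = struct.pack(">IIIIIIIIII", FDT_MAGIC, total, off_struct, off_strings,
                         off_rsv, 17, 16, 0, len(strings), len(struct_blob))
    return header + rsvmap + bytes(struct_blob) + bytes(strings)


def parse_dtb(blob: bytes) -> dict:
    """Walk the structure block and return {node_path: {prop_name: raw_value}}."""
    (magic, total, off_struct, off_strings, _rsv, _ver, _comp, _cpu,
     size_strings, size_struct) = struct.unpack_from(">IIIIIIIIII", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a valid DTB")
    strings = blob[off_strings:off_strings + size_strings]
    nodes, path, pos, end = {}, [], off_struct, off_struct + size_struct
    while pos < end:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:               # NUL-terminated name, padded to 4
            nul = blob.index(b"\0", pos)
            path.append(blob[pos:nul].decode())
            pos = (nul + 1 + 3) & ~3
            nodes["/" + "/".join(p for p in path if p)] = {}
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:                   # u32 len, u32 name offset, value
            length, noff = struct.unpack_from(">II", blob, pos)
            pos += 8
            pname = strings[noff:strings.index(b"\0", noff)].decode()
            nodes["/" + "/".join(p for p in path if p)][pname] = blob[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif tok == FDT_NOP:
            continue
        elif tok == FDT_END:
            break
        else:
            raise ValueError(f"unknown FDT token {tok} at offset {pos - 4}")
    return nodes


def _is_sensitive(node: str) -> bool:
    return any(node == s or node.startswith(s + "/") for s in SENSITIVE_NODES)


def audit_dtb(trusted: bytes, supplied: bytes) -> list:
    """Return human-readable findings; an empty list means the supplied DTB
    changes nothing the assumed policy cares about."""
    base, new = parse_dtb(trusted), parse_dtb(supplied)
    findings = []
    for node in sorted(set(base) | set(new)):
        if node not in base:
            findings.append(f"node added: {node}")
        elif node not in new:
            findings.append(f"node removed: {node}")
        elif _is_sensitive(node):
            for prop in sorted(set(base[node]) | set(new[node])):
                if base[node].get(prop) != new[node].get(prop):
                    findings.append(f"sensitive property changed: {node}/{prop}")
    return findings


def sample_trees() -> tuple:
    """Constructed input: a firmware DTB and a copy with the console redirected."""
    firmware = {
        "props": {"compatible": b"example,board\0"},
        "children": {
            "chosen": {"props": {"linux,stdout-path": b"/serial@1000\0"}},
            "serial@1000": {"props": {"compatible": b"ns16550a\0"}},
        },
    }
    tampered = copy.deepcopy(firmware)
    tampered["children"]["chosen"]["props"]["linux,stdout-path"] = b"/serial@2000\0"
    return build_dtb(firmware), build_dtb(tampered)


if __name__ == "__main__":
    trusted, supplied = sample_trees()
    for finding in audit_dtb(trusted, supplied):
        print(finding)
```

Running the module prints the single finding for the redirected console. The point of the diff-against-the-kernel's-copy shape is the one Eric makes above: if the kernel already holds the authoritative blob, any userspace-supplied replacement can be reduced to an explicit list of changes that the signing policy either allows or rejects, rather than being trusted wholesale.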