From: joeyli <jlee-IBi9RG/b67k@public.gmane.org>
To: Josh Boyer <jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: "H. Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>,
Matthew Garrett
<matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org
Subject: Re: [PATCH V2 10/10] Add option to automatically enforce module signatures when in Secure Boot mode
Date: Wed, 04 Sep 2013 18:51:17 +0800 [thread overview]
Message-ID: <1378291877.6380.74.camel@linux-s257.site> (raw)
In-Reply-To: <20130830234133.GR20828-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
於 五,2013-08-30 於 19:41 -0400,Josh Boyer 提到:
> On Fri, Aug 30, 2013 at 01:46:30PM -0700, H. Peter Anvin wrote:
> > On 08/29/2013 11:37 AM, Josh Boyer wrote:
> > >> setup_efi_pci(boot_params);
> > >> diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
> > >> index c15ddaf..d35da96 100644
> > >> --- a/arch/x86/include/uapi/asm/bootparam.h
> > >> +++ b/arch/x86/include/uapi/asm/bootparam.h
> > >> @@ -131,7 +131,8 @@ struct boot_params {
> > >> __u8 eddbuf_entries; /* 0x1e9 */
> > >> __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
> > >> __u8 kbd_status; /* 0x1eb */
> > >> - __u8 _pad5[3]; /* 0x1ec */
> > >> + __u8 secure_boot; /* 0x1ec */
> > >> + __u8 _pad5[2]; /* 0x1ec */
> > >> /*
> > >> * The sentinel is set to a nonzero value (0xff) in header.S.
> > >> *
> > >
> > > You need to include the following chunk of code with this, otherwise the
> > > secure_boot variable gets cleared.
> > >
> >
> > Not really.
> >
> > There are three cases:
> >
> > 1. Boot stub only. Here we do the right thing with the bootparams.
> > 2. Boot loader bypasses the boot stub completely. Here we MUST NOT do
> > what you suggest above.
> > 3. Boot stub with a boot_params structure passed in. Here we should
> > run sanitize_boot_params() (an inline for a reason) in the boot
> > stub, before we set the secure_boot field. Once that is done, we
> > again don't need that modification.
>
> OK. If 3 works, then great. All I know is that Fedora has been
> carrying the above hunk for months and it was missing in this patch set.
> So when I went to test it, the patches didn't do anything because the
> secure_boot field was getting cleared.
>
> I'm more than happy to try option 3, and I'll poke at it next week
> unless someone beats me to it.
>
> josh
The secure_boot field cleaned by sanitize_boot_params() when using grub2
linuxefi to load efi stub kernel.
I printed the boot_params->sentinel value, confirm this value is NOT 0
when running grub2 linuxefi path, the entry point is efi_stub_entry.
On the other hand,
the sentinel value is 0 when direct run efi stub kernel in UEFI shell,
the secure_boot field can keep.
Does that mean grub2 should clean the sentinel value? or we move the get
secure_boot value to efi_init()?
Thanks a lot!
Joey Lee
WARNING: multiple messages have this Message-ID (diff)
From: joeyli <jlee@suse.com>
To: Josh Boyer <jwboyer@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
Matthew Garrett <matthew.garrett@nebula.com>,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
keescook@chromium.org
Subject: Re: [PATCH V2 10/10] Add option to automatically enforce module signatures when in Secure Boot mode
Date: Wed, 04 Sep 2013 18:51:17 +0800 [thread overview]
Message-ID: <1378291877.6380.74.camel@linux-s257.site> (raw)
In-Reply-To: <20130830234133.GR20828@hansolo.jdub.homelinux.org>
於 五,2013-08-30 於 19:41 -0400,Josh Boyer 提到:
> On Fri, Aug 30, 2013 at 01:46:30PM -0700, H. Peter Anvin wrote:
> > On 08/29/2013 11:37 AM, Josh Boyer wrote:
> > >> setup_efi_pci(boot_params);
> > >> diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
> > >> index c15ddaf..d35da96 100644
> > >> --- a/arch/x86/include/uapi/asm/bootparam.h
> > >> +++ b/arch/x86/include/uapi/asm/bootparam.h
> > >> @@ -131,7 +131,8 @@ struct boot_params {
> > >> __u8 eddbuf_entries; /* 0x1e9 */
> > >> __u8 edd_mbr_sig_buf_entries; /* 0x1ea */
> > >> __u8 kbd_status; /* 0x1eb */
> > >> - __u8 _pad5[3]; /* 0x1ec */
> > >> + __u8 secure_boot; /* 0x1ec */
> > >> + __u8 _pad5[2]; /* 0x1ec */
> > >> /*
> > >> * The sentinel is set to a nonzero value (0xff) in header.S.
> > >> *
> > >
> > > You need to include the following chunk of code with this, otherwise the
> > > secure_boot variable gets cleared.
> > >
> >
> > Not really.
> >
> > There are three cases:
> >
> > 1. Boot stub only. Here we do the right thing with the bootparams.
> > 2. Boot loader bypasses the boot stub completely. Here we MUST NOT do
> > what you suggest above.
> > 3. Boot stub with a boot_params structure passed in. Here we should
> > run sanitize_boot_params() (an inline for a reason) in the boot
> > stub, before we set the secure_boot field. Once that is done, we
> > again don't need that modification.
>
> OK. If 3 works, then great. All I know is that Fedora has been
> carrying the above hunk for months and it was missing in this patch set.
> So when I went to test it, the patches didn't do anything because the
> secure_boot field was getting cleared.
>
> I'm more than happy to try option 3, and I'll poke at it next week
> unless someone beats me to it.
>
> josh
The secure_boot field cleaned by sanitize_boot_params() when using grub2
linuxefi to load efi stub kernel.
I printed the boot_params->sentinel value, confirm this value is NOT 0
when running grub2 linuxefi path, the entry point is efi_stub_entry.
On the other hand,
the sentinel value is 0 when direct run efi stub kernel in UEFI shell,
the secure_boot field can keep.
Does that mean grub2 should clean the sentinel value? or we move the get
secure_boot value to efi_init()?
Thanks a lot!
Joey Lee
next prev parent reply other threads:[~2013-09-04 10:51 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-19 17:26 [PATCH 0/10] Add additional security checks when module loading is restricted Matthew Garrett
2013-08-19 17:26 ` Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 01/10] Add secure_modules() call Matthew Garrett
[not found] ` <1376933171-9854-2-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-29 15:01 ` Josh Boyer
2013-08-29 15:01 ` Josh Boyer
2013-08-19 17:26 ` [PATCH V2 03/10] x86: Lock down IO port access when module security is enabled Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 07/10] acpi: Ignore acpi_rsdp kernel parameter " Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions Matthew Garrett
[not found] ` <1376933171-9854-9-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-29 15:57 ` Lenny Szubowicz
2013-08-29 15:57 ` Lenny Szubowicz
[not found] ` <410604531.9664777.1377791856786.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-29 18:14 ` Lenny Szubowicz
2013-08-29 18:14 ` Lenny Szubowicz
2013-08-29 18:10 ` Vivek Goyal
2013-08-29 18:10 ` Vivek Goyal
2013-08-19 17:26 ` [PATCH V2 09/10] x86: Restrict MSR access when module loading is restricted Matthew Garrett
[not found] ` <1376933171-9854-1-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-19 17:26 ` [PATCH V2 02/10] PCI: Lock down BAR access when module security is enabled Matthew Garrett
2013-08-19 17:26 ` Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem when module loading is restricted Matthew Garrett
2013-08-19 17:26 ` Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 10/10] Add option to automatically enforce module signatures when in Secure Boot mode Matthew Garrett
2013-08-19 17:26 ` Matthew Garrett
2013-08-29 18:37 ` Josh Boyer
[not found] ` <20130829183713.GT20828-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2013-08-30 20:46 ` H. Peter Anvin
2013-08-30 20:46 ` H. Peter Anvin
[not found] ` <522104A6.5000700-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2013-08-30 23:41 ` Josh Boyer
2013-08-30 23:41 ` Josh Boyer
[not found] ` <20130830234133.GR20828-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2013-09-04 10:51 ` joeyli [this message]
2013-09-04 10:51 ` joeyli
[not found] ` <1378291877.6380.74.camel-ONCj+Eqt86TasUa73XJKwA@public.gmane.org>
2013-09-04 12:01 ` Josh Boyer
2013-09-04 12:01 ` Josh Boyer
[not found] ` <CA+5PVA4J1mL0o=MHM-D81rcViR+E3JUyGChvHe8P+3+yt3v_qA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-04 13:13 ` joeyli
2013-09-04 13:13 ` joeyli
2013-08-28 22:37 ` [PATCH 0/10] Add additional security checks when module loading is restricted Lenny Szubowicz
2013-08-28 22:37 ` Lenny Szubowicz
[not found] ` <1241952070.8587861.1377729463830.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-28 22:41 ` Matthew Garrett
2013-08-28 22:41 ` Matthew Garrett
2013-08-28 22:58 ` Lenny Szubowicz
2013-08-28 22:58 ` Lenny Szubowicz
[not found] ` <761791749.8594444.1377730692707.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-28 23:05 ` Matthew Garrett
2013-08-28 23:05 ` Matthew Garrett
2013-08-28 23:07 ` Kees Cook
2013-08-28 23:07 ` Kees Cook
2013-08-28 23:12 ` Matthew Garrett
2013-08-28 23:12 ` Matthew Garrett
[not found] ` <CAGXu5jKQtx1OEn8qT8+LgHL+xFgK_pHGrxtdwFfKT1q3FHhaNg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-02 5:22 ` joeyli
2013-09-02 5:22 ` joeyli
2013-08-19 17:34 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1378291877.6380.74.camel@linux-s257.site \
--to=jlee-ibi9rg/b67k@public.gmane.org \
--cc=hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org \
--cc=jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.