From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
Cc: Grant Likely
<grant.likely-s3s/WqlpOiPyB63q8FvJNQ@public.gmane.org>,
"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Jon Masters <jcm-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Leif Lindholm
<leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Ard Biesheuvel
<ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Peter Jones <pjones-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: MemoryOverwriteRequestControl
Date: Mon, 04 Jul 2016 18:03:55 -0700 [thread overview]
Message-ID: <1467680635.2288.36.camel@HansenPartnership.com> (raw)
In-Reply-To: <20160704222609.GB5160-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
On Mon, 2016-07-04 at 23:26 +0100, Matthew Garrett wrote:
> On Mon, Jul 04, 2016 at 02:31:57PM -0700, James Bottomley wrote:
>
> > Currently, the kernel does nothing with this, but you'd more expect
> > something in userspace to do something with it, probably a
> > component of
> > the TSS.
>
> The OS loader is expected to set MOR to 1, so given the boot stub
> there's need for kernel support. A "correct" implementation would
> also involve the kernel clearing all its secrets before reboot and
> then setting it back to 0, so I don't think we can just punt
> responsibility to userspace.
Yes, but the whole thing is a bit of a windows ism. In windows,
bitlocker is invoked from the loader, which is when the secret they're
worried about is unbound. Windows has to operate like this because of
the drive letter problem.
It's perhaps arguable that for parity we should set it when an
encrypted filesystem is mounted and unset it when they're all unmounted
(that implementation could be an entirely in-os thing for us ...
probably implemented as some type of "secrets held" reference count).
However, the point I was making is that anything that wants access to
a sealed or bound secret would likely also like to control this, so it
should be a property of the TSS (or at least the TSS should be a
participant in the implementation).
To be honest, this is all a bit smoke and mirrors security until we've
got a way to protect secrets across suspend/resume because that's the
biggest vulnerability window for theft and the MOR protocols do nothing
to protect this.
James
next prev parent reply other threads:[~2016-07-05 1:03 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-04 19:37 MemoryOverwriteRequestControl Grant Likely
[not found] ` <CACxGe6s7rgTBUf7jtN6J3i3w-HvAm2rFnjjwCtWRS6oHx3ZB5A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-04 21:31 ` MemoryOverwriteRequestControl James Bottomley
[not found] ` <1467667917.2288.23.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-04 22:26 ` MemoryOverwriteRequestControl Matthew Garrett
[not found] ` <20160704222609.GB5160-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2016-07-05 1:03 ` James Bottomley [this message]
[not found] ` <1467680635.2288.36.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-05 1:06 ` MemoryOverwriteRequestControl Matthew Garrett
[not found] ` <20160705010622.GA7974-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2016-07-05 2:35 ` MemoryOverwriteRequestControl James Bottomley
[not found] ` <1467686108.2288.43.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-05 2:40 ` MemoryOverwriteRequestControl Matthew Garrett
[not found] ` <20160705024022.GA9292-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2016-07-05 2:58 ` MemoryOverwriteRequestControl James Bottomley
[not found] ` <1467687531.2288.51.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-05 3:03 ` MemoryOverwriteRequestControl Matthew Garrett
[not found] ` <20160705030314.GA9597-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2016-07-05 4:24 ` MemoryOverwriteRequestControl James Bottomley
2016-07-04 22:20 ` MemoryOverwriteRequestControl Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467680635.2288.36.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=grant.likely-s3s/WqlpOiPyB63q8FvJNQ@public.gmane.org \
--cc=jcm-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=leif.lindholm-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org \
--cc=pjones-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.