All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Gary Lin <glin-IBi9RG/b67k@public.gmane.org>
Cc: Josh Boyer
	<jwboyer-rxtnV0ftBwyoClj4AeEUq9i2O/JbrIOy@public.gmane.org>,
	x86 <x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
	"Linux-Kernel@Vger. Kernel. Org"
	<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org"
	<linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org>,
	"H. Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>,
	Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org>,
	Ard Biesheuvel
	<ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
	Ingo Molnar <mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Matt Fleming
	<matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>,
	Catalin Marinas <catalin.marinas-5wv7dgnIgG8@public.gmane.org>,
	Will Deacon <will.deacon-5wv7dgnIgG8@public.gmane.org>,
	Joey Lee <jlee-IBi9RG/b67k@public.gmane.org>
Subject: Re: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Wed, 6 Dec 2017 19:37:34 +0100	[thread overview]
Message-ID: <20171206183734.xmgecyrd5suiurm6@gmail.com> (raw)
In-Reply-To: <20171206032437.pifxxcewgozlghfs@GaryWorkstation>


* Gary Lin <glin-IBi9RG/b67k@public.gmane.org> wrote:

> On Tue, Dec 05, 2017 at 04:14:26PM -0500, Josh Boyer wrote:
> > On Tue, Dec 5, 2017 at 5:01 AM, Gary Lin <glin-IBi9RG/b67k@public.gmane.org> wrote:
> > > The series of patches introduce Security Version to EFI stub.
> > >
> > > Security Version is a monotonically increasing number and designed to
> > > prevent the user from loading an insecure kernel accidentally. The
> > > bootloader maintains a list of security versions corresponding to
> > > different distributions. After fixing a critical vulnerability, the
> > > distribution kernel maintainer bumps the "version", and the bootloader
> > > updates the list automatically. When the user tries to load a kernel
> > > with a lower security version, the bootloader shows a warning prompt
> > > to notify the user the potential risk.
> > 
> > If a distribution releases a kernel with a higher security version and
> > that it automatically updated on boot, what happens if that kernel
> > contains a different bug that causes it to fail to boot or break
> > critical functionality?  At that point, the user's machine would be in
> > a state where the higher security version is enforced but the only
> > kernel that provides that is broken.  Wouldn't that make a bad
> > situation even worse by now requiring manual acceptance of the older
> > SV kernel boot physically at the machine?
> > 
> > I feel like I'm missing a detail here or something.
> > 
> If the new kernel fails to boot, then the user has to choose the kernel
> manually anyway, and there will be an option in the warning prompt to
> lower SV.

And what if the firmware does not support a lowering of the SV?

Thanks,

	Ingo

WARNING: multiple messages have this Message-ID (diff)
From: mingo@kernel.org (Ingo Molnar)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Wed, 6 Dec 2017 19:37:34 +0100	[thread overview]
Message-ID: <20171206183734.xmgecyrd5suiurm6@gmail.com> (raw)
In-Reply-To: <20171206032437.pifxxcewgozlghfs@GaryWorkstation>


* Gary Lin <glin@suse.com> wrote:

> On Tue, Dec 05, 2017 at 04:14:26PM -0500, Josh Boyer wrote:
> > On Tue, Dec 5, 2017 at 5:01 AM, Gary Lin <glin@suse.com> wrote:
> > > The series of patches introduce Security Version to EFI stub.
> > >
> > > Security Version is a monotonically increasing number and designed to
> > > prevent the user from loading an insecure kernel accidentally. The
> > > bootloader maintains a list of security versions corresponding to
> > > different distributions. After fixing a critical vulnerability, the
> > > distribution kernel maintainer bumps the "version", and the bootloader
> > > updates the list automatically. When the user tries to load a kernel
> > > with a lower security version, the bootloader shows a warning prompt
> > > to notify the user the potential risk.
> > 
> > If a distribution releases a kernel with a higher security version and
> > that it automatically updated on boot, what happens if that kernel
> > contains a different bug that causes it to fail to boot or break
> > critical functionality?  At that point, the user's machine would be in
> > a state where the higher security version is enforced but the only
> > kernel that provides that is broken.  Wouldn't that make a bad
> > situation even worse by now requiring manual acceptance of the older
> > SV kernel boot physically at the machine?
> > 
> > I feel like I'm missing a detail here or something.
> > 
> If the new kernel fails to boot, then the user has to choose the kernel
> manually anyway, and there will be an option in the warning prompt to
> lower SV.

And what if the firmware does not support a lowering of the SV?

Thanks,

	Ingo

WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Gary Lin <glin@suse.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>, x86 <x86@kernel.org>,
	"Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	"linux-arm-kernel@lists.infradead.org" 
	<linux-arm-kernel@lists.infradead.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Ingo Molnar <mingo@redhat.com>,
	Matt Fleming <matt@codeblueprint.co.uk>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>, Joey Lee <jlee@suse.com>
Subject: Re: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Wed, 6 Dec 2017 19:37:34 +0100	[thread overview]
Message-ID: <20171206183734.xmgecyrd5suiurm6@gmail.com> (raw)
In-Reply-To: <20171206032437.pifxxcewgozlghfs@GaryWorkstation>


* Gary Lin <glin@suse.com> wrote:

> On Tue, Dec 05, 2017 at 04:14:26PM -0500, Josh Boyer wrote:
> > On Tue, Dec 5, 2017 at 5:01 AM, Gary Lin <glin@suse.com> wrote:
> > > The series of patches introduce Security Version to EFI stub.
> > >
> > > Security Version is a monotonically increasing number and designed to
> > > prevent the user from loading an insecure kernel accidentally. The
> > > bootloader maintains a list of security versions corresponding to
> > > different distributions. After fixing a critical vulnerability, the
> > > distribution kernel maintainer bumps the "version", and the bootloader
> > > updates the list automatically. When the user tries to load a kernel
> > > with a lower security version, the bootloader shows a warning prompt
> > > to notify the user the potential risk.
> > 
> > If a distribution releases a kernel with a higher security version and
> > that it automatically updated on boot, what happens if that kernel
> > contains a different bug that causes it to fail to boot or break
> > critical functionality?  At that point, the user's machine would be in
> > a state where the higher security version is enforced but the only
> > kernel that provides that is broken.  Wouldn't that make a bad
> > situation even worse by now requiring manual acceptance of the older
> > SV kernel boot physically at the machine?
> > 
> > I feel like I'm missing a detail here or something.
> > 
> If the new kernel fails to boot, then the user has to choose the kernel
> manually anyway, and there will be an option in the warning prompt to
> lower SV.

And what if the firmware does not support a lowering of the SV?

Thanks,

	Ingo

  reply	other threads:[~2017-12-06 18:37 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-05 10:01 [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub Gary Lin
2017-12-05 10:01 ` Gary Lin
2017-12-05 10:01 ` Gary Lin
2017-12-05 10:01 ` [RFC v3 PATCH 1/2] x86/efi: Introduce Security Version to x86 Gary Lin
2017-12-05 10:01   ` Gary Lin
2017-12-05 10:01 ` [RFC v3 PATCH 2/2] arm64/efi: Introduce Security Version to ARM64 Gary Lin
2017-12-05 10:01   ` Gary Lin
2017-12-05 10:01   ` Gary Lin
     [not found] ` <20171205100148.5757-1-glin-IBi9RG/b67k@public.gmane.org>
2017-12-05 21:14   ` [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub Josh Boyer
2017-12-05 21:14     ` Josh Boyer
2017-12-05 21:14     ` Josh Boyer
     [not found]     ` <CA+5PVA4k9RN22i2d=4GCPnm9bwi5KUgp8PiV=9X1pBZxN1xPmg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-06  3:24       ` Gary Lin
2017-12-06  3:24         ` Gary Lin
2017-12-06  3:24         ` Gary Lin
2017-12-06 18:37         ` Ingo Molnar [this message]
2017-12-06 18:37           ` Ingo Molnar
2017-12-06 18:37           ` Ingo Molnar
2017-12-07  1:59           ` Gary Lin
2017-12-07  1:59             ` Gary Lin
2017-12-07  6:09             ` Ingo Molnar
2017-12-07  6:09               ` Ingo Molnar
2017-12-07  7:52               ` Gary Lin
2017-12-07  7:52                 ` Gary Lin
2017-12-07  8:18                 ` Ingo Molnar
2017-12-07  8:18                   ` Ingo Molnar
2017-12-07  8:18                   ` Ingo Molnar
     [not found]                   ` <20171207081816.jy2rw5y5iyxeqw6n-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-12-07 10:27                     ` Gary Lin
2017-12-07 10:27                       ` Gary Lin
2017-12-07 10:27                       ` Gary Lin
2017-12-07 10:35                       ` Ingo Molnar
2017-12-07 10:35                         ` Ingo Molnar
2017-12-07 10:35                         ` Ingo Molnar
2017-12-08  9:00                         ` Gary Lin
2017-12-08  9:00                           ` Gary Lin
2017-12-07 14:26 ` Alan Cox
2017-12-07 14:26   ` Alan Cox
2017-12-07 14:26   ` Alan Cox
2017-12-08 10:03   ` Gary Lin
2017-12-08 10:03     ` Gary Lin
2017-12-08 10:03     ` Gary Lin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171206183734.xmgecyrd5suiurm6@gmail.com \
    --to=mingo-dgejt+ai2ygdnm+yrofe0a@public.gmane.org \
    --cc=ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
    --cc=catalin.marinas-5wv7dgnIgG8@public.gmane.org \
    --cc=glin-IBi9RG/b67k@public.gmane.org \
    --cc=hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org \
    --cc=jlee-IBi9RG/b67k@public.gmane.org \
    --cc=jwboyer-rxtnV0ftBwyoClj4AeEUq9i2O/JbrIOy@public.gmane.org \
    --cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
    --cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org \
    --cc=mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org \
    --cc=will.deacon-5wv7dgnIgG8@public.gmane.org \
    --cc=x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.