All of lore.kernel.org
 help / color / mirror / Atom feed
From: Gary Lin <glin@suse.com>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: linux-efi@vger.kernel.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Matt Fleming <matt@codeblueprint.co.uk>,
	Catalin Marinas <catalin.marinas@arm.com>,
	x86@kernel.org, Will Deacon <will.deacon@arm.com>,
	linux-kernel@vger.kernel.org, Joey Lee <jlee@suse.com>,
	Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Fri, 8 Dec 2017 18:03:02 +0800	[thread overview]
Message-ID: <20171208100302.an3bi3baewifcakc@GaryWorkstation> (raw)
In-Reply-To: <20171207142657.52e1363a@alans-desktop>

On Thu, Dec 07, 2017 at 02:26:57PM +0000, Alan Cox wrote:
> On Tue,  5 Dec 2017 18:01:46 +0800
> Gary Lin <glin@suse.com> wrote:
> 
> > The series of patches introduce Security Version to EFI stub.
> > 
> > Security Version is a monotonically increasing number and designed to
> > prevent the user from loading an insecure kernel accidentally. The
> > bootloader maintains a list of security versions corresponding to
> > different distributions. After fixing a critical vulnerability, the
> > distribution kernel maintainer bumps the "version", and the bootloader
> > updates the list automatically. 
> 
> This seems a mindbogglingly complicated way to implement something you
> could do with a trivial script in the package that updates the list of
> iffy kernels and when generating the new grub.conf puts them in a menu
> of 'old insecure' kernels.
> 
Ya, a menu for those kernels is also a kind of warning to the users.
Thanks for pointing the direction.

> Why do you even need this in the EFI stub ?
> 
For 2 reasons.

1. We want the version number being unalterable. In a system with UEFI
   Secure Boot, the signature appended to the kernel guarantees that the
   version number is genuine.

2. For the cross-architecture support. Since the version number could be
   anywhere in the image file, we need at least a offset to point to the
   version number. That's why I choose the resource section/table in the
   EFI header. It exists as long as the EFI stub exists. The design of
   the directory allows different data stored separately.

If there is a better place for the version number, I'd be glad to adopt
it.

> What happens if you want to invalidate an old kernel but not push a new
> one ? Today if you've got a package that maintains the list of 'iffy'
> kernels you can push a tiny package, under your scheme you've got to push
> new kernels which is an un-necessary and high risk OS change.
> 
The idea is that the security version only bumps only when it's really
necessary. For example, the new kernel fixes a severe bug that invalidates
the signature check of the modules. Or, the distro makes an official
release and would like to obsolete the alpha/beta/RC kernel. Anyway, it
depends on the distro policy.

Actually, our main target is only for the enterprise server, and the
kernel update path is relatively simple. Since it may bring some
confusion in a multi-boot system, we are currently not planning to
enable SV for the community distro, i.e. openSUSE.

Thanks,

Gary Lin

WARNING: multiple messages have this Message-ID (diff)
From: glin@suse.com (Gary Lin)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Fri, 8 Dec 2017 18:03:02 +0800	[thread overview]
Message-ID: <20171208100302.an3bi3baewifcakc@GaryWorkstation> (raw)
In-Reply-To: <20171207142657.52e1363a@alans-desktop>

On Thu, Dec 07, 2017 at 02:26:57PM +0000, Alan Cox wrote:
> On Tue,  5 Dec 2017 18:01:46 +0800
> Gary Lin <glin@suse.com> wrote:
> 
> > The series of patches introduce Security Version to EFI stub.
> > 
> > Security Version is a monotonically increasing number and designed to
> > prevent the user from loading an insecure kernel accidentally. The
> > bootloader maintains a list of security versions corresponding to
> > different distributions. After fixing a critical vulnerability, the
> > distribution kernel maintainer bumps the "version", and the bootloader
> > updates the list automatically. 
> 
> This seems a mindbogglingly complicated way to implement something you
> could do with a trivial script in the package that updates the list of
> iffy kernels and when generating the new grub.conf puts them in a menu
> of 'old insecure' kernels.
> 
Ya, a menu for those kernels is also a kind of warning to the users.
Thanks for pointing the direction.

> Why do you even need this in the EFI stub ?
> 
For 2 reasons.

1. We want the version number being unalterable. In a system with UEFI
   Secure Boot, the signature appended to the kernel guarantees that the
   version number is genuine.

2. For the cross-architecture support. Since the version number could be
   anywhere in the image file, we need at least a offset to point to the
   version number. That's why I choose the resource section/table in the
   EFI header. It exists as long as the EFI stub exists. The design of
   the directory allows different data stored separately.

If there is a better place for the version number, I'd be glad to adopt
it.

> What happens if you want to invalidate an old kernel but not push a new
> one ? Today if you've got a package that maintains the list of 'iffy'
> kernels you can push a tiny package, under your scheme you've got to push
> new kernels which is an un-necessary and high risk OS change.
> 
The idea is that the security version only bumps only when it's really
necessary. For example, the new kernel fixes a severe bug that invalidates
the signature check of the modules. Or, the distro makes an official
release and would like to obsolete the alpha/beta/RC kernel. Anyway, it
depends on the distro policy.

Actually, our main target is only for the enterprise server, and the
kernel update path is relatively simple. Since it may bring some
confusion in a multi-boot system, we are currently not planning to
enable SV for the community distro, i.e. openSUSE.

Thanks,

Gary Lin

WARNING: multiple messages have this Message-ID (diff)
From: Gary Lin <glin@suse.com>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	"H. Peter Anvin" <hpa@zytor.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Ingo Molnar <mingo@redhat.com>,
	Matt Fleming <matt@codeblueprint.co.uk>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>, Joey Lee <jlee@suse.com>
Subject: Re: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub
Date: Fri, 8 Dec 2017 18:03:02 +0800	[thread overview]
Message-ID: <20171208100302.an3bi3baewifcakc@GaryWorkstation> (raw)
In-Reply-To: <20171207142657.52e1363a@alans-desktop>

On Thu, Dec 07, 2017 at 02:26:57PM +0000, Alan Cox wrote:
> On Tue,  5 Dec 2017 18:01:46 +0800
> Gary Lin <glin@suse.com> wrote:
> 
> > The series of patches introduce Security Version to EFI stub.
> > 
> > Security Version is a monotonically increasing number and designed to
> > prevent the user from loading an insecure kernel accidentally. The
> > bootloader maintains a list of security versions corresponding to
> > different distributions. After fixing a critical vulnerability, the
> > distribution kernel maintainer bumps the "version", and the bootloader
> > updates the list automatically. 
> 
> This seems a mindbogglingly complicated way to implement something you
> could do with a trivial script in the package that updates the list of
> iffy kernels and when generating the new grub.conf puts them in a menu
> of 'old insecure' kernels.
> 
Ya, a menu for those kernels is also a kind of warning to the users.
Thanks for pointing the direction.

> Why do you even need this in the EFI stub ?
> 
For 2 reasons.

1. We want the version number being unalterable. In a system with UEFI
   Secure Boot, the signature appended to the kernel guarantees that the
   version number is genuine.

2. For the cross-architecture support. Since the version number could be
   anywhere in the image file, we need at least a offset to point to the
   version number. That's why I choose the resource section/table in the
   EFI header. It exists as long as the EFI stub exists. The design of
   the directory allows different data stored separately.

If there is a better place for the version number, I'd be glad to adopt
it.

> What happens if you want to invalidate an old kernel but not push a new
> one ? Today if you've got a package that maintains the list of 'iffy'
> kernels you can push a tiny package, under your scheme you've got to push
> new kernels which is an un-necessary and high risk OS change.
> 
The idea is that the security version only bumps only when it's really
necessary. For example, the new kernel fixes a severe bug that invalidates
the signature check of the modules. Or, the distro makes an official
release and would like to obsolete the alpha/beta/RC kernel. Anyway, it
depends on the distro policy.

Actually, our main target is only for the enterprise server, and the
kernel update path is relatively simple. Since it may bring some
confusion in a multi-boot system, we are currently not planning to
enable SV for the community distro, i.e. openSUSE.

Thanks,

Gary Lin

  reply	other threads:[~2017-12-08 10:03 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-05 10:01 [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub Gary Lin
2017-12-05 10:01 ` Gary Lin
2017-12-05 10:01 ` Gary Lin
2017-12-05 10:01 ` [RFC v3 PATCH 1/2] x86/efi: Introduce Security Version to x86 Gary Lin
2017-12-05 10:01   ` Gary Lin
2017-12-05 10:01 ` [RFC v3 PATCH 2/2] arm64/efi: Introduce Security Version to ARM64 Gary Lin
2017-12-05 10:01   ` Gary Lin
2017-12-05 10:01   ` Gary Lin
     [not found] ` <20171205100148.5757-1-glin-IBi9RG/b67k@public.gmane.org>
2017-12-05 21:14   ` [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub Josh Boyer
2017-12-05 21:14     ` Josh Boyer
2017-12-05 21:14     ` Josh Boyer
     [not found]     ` <CA+5PVA4k9RN22i2d=4GCPnm9bwi5KUgp8PiV=9X1pBZxN1xPmg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-06  3:24       ` Gary Lin
2017-12-06  3:24         ` Gary Lin
2017-12-06  3:24         ` Gary Lin
2017-12-06 18:37         ` Ingo Molnar
2017-12-06 18:37           ` Ingo Molnar
2017-12-06 18:37           ` Ingo Molnar
2017-12-07  1:59           ` Gary Lin
2017-12-07  1:59             ` Gary Lin
2017-12-07  6:09             ` Ingo Molnar
2017-12-07  6:09               ` Ingo Molnar
2017-12-07  7:52               ` Gary Lin
2017-12-07  7:52                 ` Gary Lin
2017-12-07  8:18                 ` Ingo Molnar
2017-12-07  8:18                   ` Ingo Molnar
2017-12-07  8:18                   ` Ingo Molnar
     [not found]                   ` <20171207081816.jy2rw5y5iyxeqw6n-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-12-07 10:27                     ` Gary Lin
2017-12-07 10:27                       ` Gary Lin
2017-12-07 10:27                       ` Gary Lin
2017-12-07 10:35                       ` Ingo Molnar
2017-12-07 10:35                         ` Ingo Molnar
2017-12-07 10:35                         ` Ingo Molnar
2017-12-08  9:00                         ` Gary Lin
2017-12-08  9:00                           ` Gary Lin
2017-12-07 14:26 ` Alan Cox
2017-12-07 14:26   ` Alan Cox
2017-12-07 14:26   ` Alan Cox
2017-12-08 10:03   ` Gary Lin [this message]
2017-12-08 10:03     ` Gary Lin
2017-12-08 10:03     ` Gary Lin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171208100302.an3bi3baewifcakc@GaryWorkstation \
    --to=glin@suse.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=catalin.marinas@arm.com \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=hpa@zytor.com \
    --cc=jlee@suse.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matt@codeblueprint.co.uk \
    --cc=mingo@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=will.deacon@arm.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.