From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Stewart Smith <stewart@linux.vnet.ibm.com>,
bhe@redhat.com, Michael Ellerman <mpe@ellerman.id.au>,
Balbir Singh <bsingharora@gmail.com>,
linuxppc-dev@lists.ozlabs.org, kexec@lists.infradead.org,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Petr Tesarik <ptesarik@suse.cz>,
linux-kernel@vger.kernel.org,
AKASHI Takahiro <takahiro.akashi@linaro.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
dyoung@redhat.com, Vivek Goyal <vgoyal@redhat.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC 0/3] extend kexec_file_load system call
Date: Wed, 20 Jul 2016 12:50:11 -0300 [thread overview]
Message-ID: <2545578.SWp0m9VQX8@hactar> (raw)
In-Reply-To: <34243612.Gid3QHG1hd@wuerfel>
Am Mittwoch, 20 Juli 2016, 13:12:20 schrieb Arnd Bergmann:
> On Wednesday, July 20, 2016 8:47:45 PM CEST Michael Ellerman wrote:
> > At least for stdout-path, I can't really see how that would
> > significantly help an attacker, but I'm all ears if anyone has ideas.
>
> That's actually an easy one that came up before: If an attacker controls
> a tty device (e.g. network console) that can be used to enter a debugger
> (kdb, kgdb, xmon, ...), enabling that to be the console device
> gives you a direct attack vector. The same thing will happen if you
> have a piece of software that intentially gives extra rights to the
> owner of the console device by treating it as "physical presence".
I think people are talking past each other a bit in these arguments about
what is relevant to security or not.
For the kexec maintainers, kexec_file_load has one very specific and narrow
purpose: enable Secure Boot as defined by UEFI.
And from what I understand of their arguments so far, there is one and only
one security concern: when in Secure Boot mode, a system must not allow
execution of unsigned code with kernel privileges. So even if one can
specify a different root filesystem and do a lot of nasty things to the
system with a rogue userspace in that root filesystem, as long as the kernel
won't load unsigned modules that's not a problem as far as they're
concerned.
Also, AFAIK attacks requiring "physical presence" are out of scope for the
UEFI Secure Boot security model. Thus an attack that involves control of a
console of plugging an USB device is also not a concern.
One thing I don't know is whether an attack involving a networked IPMI
console or a USB device that can be "plugged" virtually by a managing system
(BMC) is considered a physical attack or a remote attack in the context of
UEFI Secure Boot.
--
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Michael Ellerman <mpe@ellerman.id.au>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Balbir Singh <bsingharora@gmail.com>,
Stewart Smith <stewart@linux.vnet.ibm.com>,
bhe@redhat.com, kexec@lists.infradead.org, dyoung@redhat.com,
Petr Tesarik <ptesarik@suse.cz>,
linux-kernel@vger.kernel.org,
AKASHI Takahiro <takahiro.akashi@linaro.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linuxppc-dev@lists.ozlabs.org, Vivek Goyal <vgoyal@redhat.com>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC 0/3] extend kexec_file_load system call
Date: Wed, 20 Jul 2016 12:50:11 -0300 [thread overview]
Message-ID: <2545578.SWp0m9VQX8@hactar> (raw)
In-Reply-To: <34243612.Gid3QHG1hd@wuerfel>
Am Mittwoch, 20 Juli 2016, 13:12:20 schrieb Arnd Bergmann:
> On Wednesday, July 20, 2016 8:47:45 PM CEST Michael Ellerman wrote:
> > At least for stdout-path, I can't really see how that would
> > significantly help an attacker, but I'm all ears if anyone has ideas.
>
> That's actually an easy one that came up before: If an attacker controls
> a tty device (e.g. network console) that can be used to enter a debugger
> (kdb, kgdb, xmon, ...), enabling that to be the console device
> gives you a direct attack vector. The same thing will happen if you
> have a piece of software that intentially gives extra rights to the
> owner of the console device by treating it as "physical presence".
I think people are talking past each other a bit in these arguments about
what is relevant to security or not.
For the kexec maintainers, kexec_file_load has one very specific and narrow
purpose: enable Secure Boot as defined by UEFI.
And from what I understand of their arguments so far, there is one and only
one security concern: when in Secure Boot mode, a system must not allow
execution of unsigned code with kernel privileges. So even if one can
specify a different root filesystem and do a lot of nasty things to the
system with a rogue userspace in that root filesystem, as long as the kernel
won't load unsigned modules that's not a problem as far as they're
concerned.
Also, AFAIK attacks requiring "physical presence" are out of scope for the
UEFI Secure Boot security model. Thus an attack that involves control of a
console of plugging an USB device is also not a concern.
One thing I don't know is whether an attack involving a networked IPMI
console or a USB device that can be "plugged" virtually by a managing system
(BMC) is considered a physical attack or a remote attack in the context of
UEFI Secure Boot.
--
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center
WARNING: multiple messages have this Message-ID (diff)
From: bauerman@linux.vnet.ibm.com (Thiago Jung Bauermann)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC 0/3] extend kexec_file_load system call
Date: Wed, 20 Jul 2016 12:50:11 -0300 [thread overview]
Message-ID: <2545578.SWp0m9VQX8@hactar> (raw)
In-Reply-To: <34243612.Gid3QHG1hd@wuerfel>
Am Mittwoch, 20 Juli 2016, 13:12:20 schrieb Arnd Bergmann:
> On Wednesday, July 20, 2016 8:47:45 PM CEST Michael Ellerman wrote:
> > At least for stdout-path, I can't really see how that would
> > significantly help an attacker, but I'm all ears if anyone has ideas.
>
> That's actually an easy one that came up before: If an attacker controls
> a tty device (e.g. network console) that can be used to enter a debugger
> (kdb, kgdb, xmon, ...), enabling that to be the console device
> gives you a direct attack vector. The same thing will happen if you
> have a piece of software that intentially gives extra rights to the
> owner of the console device by treating it as "physical presence".
I think people are talking past each other a bit in these arguments about
what is relevant to security or not.
For the kexec maintainers, kexec_file_load has one very specific and narrow
purpose: enable Secure Boot as defined by UEFI.
And from what I understand of their arguments so far, there is one and only
one security concern: when in Secure Boot mode, a system must not allow
execution of unsigned code with kernel privileges. So even if one can
specify a different root filesystem and do a lot of nasty things to the
system with a rogue userspace in that root filesystem, as long as the kernel
won't load unsigned modules that's not a problem as far as they're
concerned.
Also, AFAIK attacks requiring "physical presence" are out of scope for the
UEFI Secure Boot security model. Thus an attack that involves control of a
console of plugging an USB device is also not a concern.
One thing I don't know is whether an attack involving a networked IPMI
console or a USB device that can be "plugged" virtually by a managing system
(BMC) is considered a physical attack or a remote attack in the context of
UEFI Secure Boot.
--
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center
next prev parent reply other threads:[~2016-07-20 15:50 UTC|newest]
Thread overview: 265+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 1:41 [RFC 0/3] extend kexec_file_load system call AKASHI Takahiro
2016-07-12 1:41 ` AKASHI Takahiro
2016-07-12 1:41 ` AKASHI Takahiro
2016-07-12 1:41 ` [RFC 1/3] syscall: add kexec_file_load to generic unistd.h AKASHI Takahiro
2016-07-12 1:41 ` AKASHI Takahiro
2016-07-12 1:41 ` AKASHI Takahiro
2016-07-12 1:42 ` [RFC 2/3] kexec: add dtb info to struct kimage AKASHI Takahiro
2016-07-12 1:42 ` AKASHI Takahiro
2016-07-12 1:42 ` AKASHI Takahiro
2016-07-12 1:42 ` [RFC 3/3] kexec: extend kexec_file_load system call AKASHI Takahiro
2016-07-12 1:42 ` AKASHI Takahiro
2016-07-12 1:42 ` AKASHI Takahiro
2016-07-15 13:09 ` Vivek Goyal
2016-07-15 13:09 ` Vivek Goyal
2016-07-15 13:09 ` Vivek Goyal
2016-07-15 13:19 ` Mark Rutland
2016-07-15 13:19 ` Mark Rutland
2016-07-15 13:19 ` Mark Rutland
2016-07-18 2:30 ` Dave Young
2016-07-18 2:30 ` Dave Young
2016-07-18 2:30 ` Dave Young
2016-07-18 10:07 ` Mark Rutland
2016-07-18 10:07 ` Mark Rutland
2016-07-18 10:07 ` Mark Rutland
2016-07-19 0:55 ` Dave Young
2016-07-19 0:55 ` Dave Young
2016-07-19 0:55 ` Dave Young
2016-07-19 10:52 ` Mark Rutland
2016-07-19 10:52 ` Mark Rutland
2016-07-19 10:52 ` Mark Rutland
2016-07-19 12:24 ` Vivek Goyal
2016-07-19 12:24 ` Vivek Goyal
2016-07-19 12:24 ` Vivek Goyal
2016-07-19 12:47 ` Mark Rutland
2016-07-19 12:47 ` Mark Rutland
2016-07-19 12:47 ` Mark Rutland
2016-07-19 13:26 ` Vivek Goyal
2016-07-19 13:26 ` Vivek Goyal
2016-07-19 13:26 ` Vivek Goyal
2016-07-20 11:41 ` David Laight
2016-07-20 11:41 ` David Laight
2016-07-20 11:41 ` David Laight
2016-07-20 11:41 ` David Laight
2016-07-21 9:21 ` Russell King - ARM Linux
2016-07-21 9:21 ` Russell King - ARM Linux
2016-07-21 9:21 ` Russell King - ARM Linux
2016-07-18 2:33 ` Dave Young
2016-07-18 2:33 ` Dave Young
2016-07-18 2:33 ` Dave Young
2016-07-27 0:24 ` [PATCH v2 " Thiago Jung Bauermann
2016-07-27 0:24 ` Thiago Jung Bauermann
2016-07-27 0:24 ` Thiago Jung Bauermann
2016-08-05 20:46 ` Thiago Jung Bauermann
2016-08-05 20:46 ` Thiago Jung Bauermann
2016-08-05 20:46 ` Thiago Jung Bauermann
2016-07-12 13:25 ` [RFC 0/3] " Eric W. Biederman
2016-07-12 13:25 ` Eric W. Biederman
2016-07-12 13:25 ` Eric W. Biederman
2016-07-12 13:58 ` Thiago Jung Bauermann
2016-07-12 13:58 ` Thiago Jung Bauermann
2016-07-12 13:58 ` Thiago Jung Bauermann
2016-07-12 14:02 ` Vivek Goyal
2016-07-12 14:02 ` Vivek Goyal
2016-07-12 14:02 ` Vivek Goyal
2016-07-12 23:45 ` Stewart Smith
2016-07-12 23:45 ` Stewart Smith
2016-07-12 23:45 ` Stewart Smith
2016-07-13 13:27 ` Vivek Goyal
2016-07-13 13:27 ` Vivek Goyal
2016-07-13 13:27 ` Vivek Goyal
2016-07-12 14:02 ` Arnd Bergmann
2016-07-12 14:02 ` Arnd Bergmann
2016-07-12 14:02 ` Arnd Bergmann
2016-07-12 14:18 ` Vivek Goyal
2016-07-12 14:18 ` Vivek Goyal
2016-07-12 14:18 ` Vivek Goyal
2016-07-12 14:24 ` Arnd Bergmann
2016-07-12 14:24 ` Arnd Bergmann
2016-07-12 14:24 ` Arnd Bergmann
2016-07-12 14:50 ` Mark Rutland
2016-07-12 14:50 ` Mark Rutland
2016-07-12 14:50 ` Mark Rutland
2016-07-13 2:36 ` Dave Young
2016-07-13 2:36 ` Dave Young
2016-07-13 2:36 ` Dave Young
2016-07-13 8:01 ` Arnd Bergmann
2016-07-13 8:01 ` Arnd Bergmann
2016-07-13 8:01 ` Arnd Bergmann
2016-07-13 8:23 ` Stewart Smith
2016-07-13 8:23 ` Stewart Smith
2016-07-13 8:23 ` Stewart Smith
2016-07-13 9:41 ` Mark Rutland
2016-07-13 9:41 ` Mark Rutland
2016-07-13 9:41 ` Mark Rutland
2016-07-13 13:13 ` Arnd Bergmann
2016-07-13 13:13 ` Arnd Bergmann
2016-07-13 13:13 ` Arnd Bergmann
2016-07-13 18:45 ` Thiago Jung Bauermann
2016-07-13 18:45 ` Thiago Jung Bauermann
2016-07-13 18:45 ` Thiago Jung Bauermann
2016-07-13 19:59 ` Arnd Bergmann
2016-07-13 19:59 ` Arnd Bergmann
2016-07-13 19:59 ` Arnd Bergmann
2016-07-14 2:18 ` Thiago Jung Bauermann
2016-07-14 2:18 ` Thiago Jung Bauermann
2016-07-14 2:18 ` Thiago Jung Bauermann
2016-07-14 8:29 ` Arnd Bergmann
2016-07-14 8:29 ` Arnd Bergmann
2016-07-14 8:29 ` Arnd Bergmann
2016-07-15 1:44 ` Thiago Jung Bauermann
2016-07-15 1:44 ` Thiago Jung Bauermann
2016-07-15 1:44 ` Thiago Jung Bauermann
2016-07-15 7:31 ` Arnd Bergmann
2016-07-15 7:31 ` Arnd Bergmann
2016-07-15 7:31 ` Arnd Bergmann
2016-07-15 13:26 ` Vivek Goyal
2016-07-15 13:26 ` Vivek Goyal
2016-07-15 13:26 ` Vivek Goyal
2016-07-15 13:33 ` Mark Rutland
2016-07-15 13:33 ` Mark Rutland
2016-07-15 13:33 ` Mark Rutland
2016-07-15 15:29 ` Thiago Jung Bauermann
2016-07-15 15:29 ` Thiago Jung Bauermann
2016-07-15 15:29 ` Thiago Jung Bauermann
2016-07-15 15:47 ` Mark Rutland
2016-07-15 15:47 ` Mark Rutland
2016-07-15 15:47 ` Mark Rutland
2016-07-15 13:42 ` Russell King - ARM Linux
2016-07-15 13:42 ` Russell King - ARM Linux
2016-07-15 13:42 ` Russell King - ARM Linux
2016-07-15 20:26 ` Arnd Bergmann
2016-07-15 20:26 ` Arnd Bergmann
2016-07-15 20:26 ` Arnd Bergmann
2016-07-15 21:03 ` Thiago Jung Bauermann
2016-07-15 21:03 ` Thiago Jung Bauermann
2016-07-15 21:03 ` Thiago Jung Bauermann
2016-07-22 0:09 ` Thiago Jung Bauermann
2016-07-22 0:09 ` Thiago Jung Bauermann
2016-07-22 0:09 ` Thiago Jung Bauermann
2016-07-22 0:53 ` Jeremy Kerr
2016-07-22 0:53 ` Jeremy Kerr
2016-07-22 0:53 ` Jeremy Kerr
2016-07-22 2:54 ` Michael Ellerman
2016-07-22 2:54 ` Michael Ellerman
2016-07-22 2:54 ` Michael Ellerman
2016-07-22 20:41 ` Thiago Jung Bauermann
2016-07-22 20:41 ` Thiago Jung Bauermann
2016-07-22 20:41 ` Thiago Jung Bauermann
2016-07-15 8:49 ` Russell King - ARM Linux
2016-07-15 8:49 ` Russell King - ARM Linux
2016-07-15 8:49 ` Russell King - ARM Linux
2016-07-15 13:03 ` Vivek Goyal
2016-07-15 13:03 ` Vivek Goyal
2016-07-15 13:03 ` Vivek Goyal
2016-07-13 9:34 ` Mark Rutland
2016-07-13 9:34 ` Mark Rutland
2016-07-13 9:34 ` Mark Rutland
2016-07-13 17:38 ` AKASHI Takahiro
2016-07-13 17:38 ` AKASHI Takahiro
2016-07-13 17:38 ` AKASHI Takahiro
2016-07-13 17:58 ` Mark Rutland
2016-07-13 17:58 ` Mark Rutland
2016-07-13 17:58 ` Mark Rutland
2016-07-13 19:57 ` Arnd Bergmann
2016-07-13 19:57 ` Arnd Bergmann
2016-07-13 19:57 ` Arnd Bergmann
2016-07-14 12:42 ` Mark Rutland
2016-07-14 12:42 ` Mark Rutland
2016-07-14 12:42 ` Mark Rutland
2016-07-14 1:54 ` Dave Young
2016-07-14 1:54 ` Dave Young
2016-07-14 1:54 ` Dave Young
2016-07-14 1:50 ` Dave Young
2016-07-14 1:50 ` Dave Young
2016-07-14 1:50 ` Dave Young
2016-07-12 16:25 ` Thiago Jung Bauermann
2016-07-12 16:25 ` Thiago Jung Bauermann
2016-07-12 16:25 ` Thiago Jung Bauermann
2016-07-12 20:58 ` Petr Tesarik
2016-07-12 20:58 ` Petr Tesarik
2016-07-12 20:58 ` Petr Tesarik
2016-07-12 21:22 ` Eric W. Biederman
2016-07-12 21:22 ` Eric W. Biederman
2016-07-12 21:22 ` Eric W. Biederman
2016-07-12 21:36 ` Eric W. Biederman
2016-07-12 21:36 ` Eric W. Biederman
2016-07-12 21:36 ` Eric W. Biederman
2016-07-12 21:53 ` Petr Tesarik
2016-07-12 21:53 ` Petr Tesarik
2016-07-12 21:53 ` Petr Tesarik
2016-07-12 22:18 ` Russell King - ARM Linux
2016-07-12 22:18 ` Russell King - ARM Linux
2016-07-12 22:18 ` Russell King - ARM Linux
2016-07-13 4:59 ` Stewart Smith
2016-07-13 4:59 ` Stewart Smith
2016-07-13 4:59 ` Stewart Smith
2016-07-13 7:36 ` Russell King - ARM Linux
2016-07-13 7:36 ` Russell King - ARM Linux
2016-07-13 7:36 ` Russell King - ARM Linux
2016-07-13 7:47 ` Ard Biesheuvel
2016-07-13 7:47 ` Ard Biesheuvel
2016-07-13 7:47 ` Ard Biesheuvel
2016-07-13 8:09 ` Russell King - ARM Linux
2016-07-13 8:09 ` Russell King - ARM Linux
2016-07-13 8:09 ` Russell King - ARM Linux
2016-07-13 8:20 ` Stewart Smith
2016-07-13 8:20 ` Stewart Smith
2016-07-13 8:20 ` Stewart Smith
2016-07-13 7:55 ` Stewart Smith
2016-07-13 7:55 ` Stewart Smith
2016-07-13 7:55 ` Stewart Smith
2016-07-13 8:26 ` Russell King - ARM Linux
2016-07-13 8:26 ` Russell King - ARM Linux
2016-07-13 8:26 ` Russell King - ARM Linux
2016-07-13 8:36 ` Dave Young
2016-07-13 8:36 ` Dave Young
2016-07-13 8:36 ` Dave Young
2016-07-13 8:57 ` Petr Tesarik
2016-07-13 8:57 ` Petr Tesarik
2016-07-13 8:57 ` Petr Tesarik
2016-07-13 13:03 ` Vivek Goyal
2016-07-13 13:03 ` Vivek Goyal
2016-07-13 13:03 ` Vivek Goyal
2016-07-13 17:40 ` Russell King - ARM Linux
2016-07-13 17:40 ` Russell King - ARM Linux
2016-07-13 17:40 ` Russell King - ARM Linux
2016-07-13 18:22 ` Vivek Goyal
2016-07-13 18:22 ` Vivek Goyal
2016-07-13 18:22 ` Vivek Goyal
2016-07-18 12:46 ` Balbir Singh
2016-07-18 12:46 ` Balbir Singh
2016-07-18 12:46 ` Balbir Singh
2016-07-18 13:26 ` Vivek Goyal
2016-07-18 13:26 ` Vivek Goyal
2016-07-18 13:26 ` Vivek Goyal
2016-07-18 13:38 ` Vivek Goyal
2016-07-18 13:38 ` Vivek Goyal
2016-07-18 13:38 ` Vivek Goyal
2016-07-20 3:45 ` Balbir Singh
2016-07-20 3:45 ` Balbir Singh
2016-07-20 3:45 ` Balbir Singh
2016-07-20 8:35 ` Russell King - ARM Linux
2016-07-20 8:35 ` Russell King - ARM Linux
2016-07-20 8:35 ` Russell King - ARM Linux
2016-07-20 10:47 ` Michael Ellerman
2016-07-20 10:47 ` Michael Ellerman
2016-07-20 10:47 ` Michael Ellerman
2016-07-20 11:12 ` Arnd Bergmann
2016-07-20 11:12 ` Arnd Bergmann
2016-07-20 11:12 ` Arnd Bergmann
2016-07-20 15:50 ` Thiago Jung Bauermann [this message]
2016-07-20 15:50 ` Thiago Jung Bauermann
2016-07-20 15:50 ` Thiago Jung Bauermann
2016-07-20 12:46 ` Vivek Goyal
2016-07-20 12:46 ` Vivek Goyal
2016-07-20 12:46 ` Vivek Goyal
2016-07-20 12:27 ` Vivek Goyal
2016-07-20 12:27 ` Vivek Goyal
2016-07-20 12:27 ` Vivek Goyal
2016-07-12 23:41 ` Stewart Smith
2016-07-12 23:41 ` Stewart Smith
2016-07-12 23:41 ` Stewart Smith
2016-07-13 13:25 ` Vivek Goyal
2016-07-13 13:25 ` Vivek Goyal
2016-07-13 13:25 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2545578.SWp0m9VQX8@hactar \
--to=bauerman@linux.vnet.ibm.com \
--cc=arnd@arndb.de \
--cc=bhe@redhat.com \
--cc=bsingharora@gmail.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=ptesarik@suse.cz \
--cc=stewart@linux.vnet.ibm.com \
--cc=takahiro.akashi@linaro.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.