From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from list by lists.gnu.org with archive (Exim 4.90_1)
	id 1p7lZe-00073x-Fp
	for mharc-grub-devel@gnu.org; Tue, 20 Dec 2022 17:59:02 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <rharwood@redhat.com>)
 id 1p7lZc-00073j-Lc
 for grub-devel@gnu.org; Tue, 20 Dec 2022 17:59:00 -0500
Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <rharwood@redhat.com>)
 id 1p7lZa-0006TO-LZ
 for grub-devel@gnu.org; Tue, 20 Dec 2022 17:59:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1671577137;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=6/3lPhdRqpKO7MO4JUFDY3yvE3AXUQMvcirslh7At2c=;
 b=c5tpDC7Vq3YpJ4ptVGB4dxEbW35+gNiPf6B3T+XdBY8d4ps3iP4l6LRz6eufEwvz0KzsqL
 dp4RbSsnVExxZYwbVmlzCiZdNrivvHwJXFN9cwwpY8bJEnXfAteis7C9nk+48tZyO7saVz
 7ZTgleDO+lH3bfe+F3qoPd+XSYLYqFI=
Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com
 [209.85.219.72]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id
 us-mta-332-HzfTPcipP5KpSqnGGGt6Og-1; Tue, 20 Dec 2022 17:58:55 -0500
X-MC-Unique: HzfTPcipP5KpSqnGGGt6Og-1
Received: by mail-qv1-f72.google.com with SMTP id
 oo9-20020a056214450900b004cfdcb99fa5so7841993qvb.13
 for <grub-devel@gnu.org>; Tue, 20 Dec 2022 14:58:55 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=mime-version:message-id:date:references:in-reply-to:subject:cc:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=6/3lPhdRqpKO7MO4JUFDY3yvE3AXUQMvcirslh7At2c=;
 b=yZFeWwxSvxq9B7kBcmOk0JNfP18USrxtv6zZ57IpC+kBpawre/L6O8l7QFZz5prfZO
 y7UlFh4Wwv/Y1AxRKGYoyJ5GIJ6lOPVFNybiDl5pFQfsiQCOatS2lHOLjhzfdfnhBNZf
 vK0TuMbCaM4jfq09S0zB7fuZcYhSLK8dP0b+8qIX0us5Z3Ybih8iMW3qV/bgyzDwr5Oh
 /9uuRK8MgZMVZrv9sfYAYbK0QkDr0eG8thLSyXxb66aaiPCD38YA6GEDcB9sqziq3lEU
 g7cDFsugQy+OZYU8XXnMeCpGBKXt9z/vSrJjmK1jhBsvmLx7CqkILPLNMsLAjBUPY6cJ
 i9Iw==
X-Gm-Message-State: ANoB5pmNCx6sVcA8zc5WVblfpteegZvqueYPHVLLb78JfiaIOOqx2Xkm
 Nqd4YAFhDjyACLo3QCBH4BK2nPhjYHV2ni7gj/Cvi9TNQ7r7/0xRFDnPM4EI4nmGmXPH9bOg8Qi
 RCaqZvzClE8g=
X-Received: by 2002:a05:622a:4018:b0:3a8:175a:fd48 with SMTP id
 cf24-20020a05622a401800b003a8175afd48mr47211645qtb.64.1671577134589; 
 Tue, 20 Dec 2022 14:58:54 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4EcCd4BlBhOUCNhzqF/kZf4bKxf7ngSf5jyoz8K6IkM6A3gk4cEKvuGOSY6TIA6CscCc+M9w==
X-Received: by 2002:a05:622a:4018:b0:3a8:175a:fd48 with SMTP id
 cf24-20020a05622a401800b003a8175afd48mr47211624qtb.64.1671577134115; 
 Tue, 20 Dec 2022 14:58:54 -0800 (PST)
Received: from localhost ([2600:4040:520a:8800:7d1c:f0a7:5c44:ed0e])
 by smtp.gmail.com with ESMTPSA id
 n19-20020a05622a11d300b003a7eb5baf3csm8450135qtk.69.2022.12.20.14.58.53
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 20 Dec 2022 14:58:53 -0800 (PST)
From: Robbie Harwood <rharwood@redhat.com>
To: Zhang Boyang <zhangboyang.id@gmail.com>, grub-devel@gnu.org
Cc: Zhang Boyang <zhangboyang.id@gmail.com>
Subject: Re: [RFC PATCH] kern/dl: Add module version check
In-Reply-To: <20221219153329.154238-1-zhangboyang.id@gmail.com>
References: <20221219153329.154238-1-zhangboyang.id@gmail.com>
Date: Tue, 20 Dec 2022 17:58:50 -0500
Message-ID: <jlgo7rxk7h1.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=170.10.133.124; envelope-from=rharwood@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2022 22:59:00 -0000

--=-=-=
Content-Type: text/plain

Zhang Boyang <zhangboyang.id@gmail.com> writes:

> This patch add version information to GRUB modules. Specifically,
> PACKAGE_VERSION is embedded as null-terminated string in .modver
> section. This string is checked at module loading time. That module will
> be rejected if mismatch is found. This will prevent loading modules from
> different versions of GRUB.
>
> It should be pointed out that the version string is only consisted of
> PACKAGE_VERSION. Any difference not reflected in PACKAGE_VERSION is not
> noticed by version check (e.g. configure options).

Right now, this only affects non-secureboot scenarios (because we don't
have external signed module support).  I would want to see a resolution
to the external module signing question first so that we don't paint
ourselves into a corner with something like this.

I share Glenn's confusion about what real-world problems this addresses:
my understanding is that grub modules mostly register callbacks, so the
possibility of disaster is low (unless the callback interfaces change of
course, but that generally has not happened).

The combination of those two things leads me to suspect this is not the
right approach.  It seems likely that if we want to down the road of
versionlocking, something like the kernel's ephemeral key approach would
be better suited - and if we want external modules (which I don't think
we do), full SBAT support.

Be well,
--Robbie

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAmOiPioUHHJoYXJ3b29k
QHJlZGhhdC5jb20ACgkQJTL5F2qVpELNrw/9Gd2oiivWTIxJ5+hFQ4c0KBcepdYr
EatDjaNL98xNRp78ScivGngjCr/Wm6h2YyKq0XGHuKrXppPk9f0DkKVD+ColNCIA
4wl+/GAdHwQdxupliIhGEJxlyR33N4y5/SgxpwWs43KXz3dzXXL8ZPKhsyXEWK9X
dZIfPW+kxiqi2pKFO4fTvVw1lvui41x5uhk38uXPvrPTaSbK+0K+iOX9sb+lAE0v
AdRu2XTCFR98eWSJ1i1p8uhLj8PQGxvnipPeArDzH8aY9te3tXAdk9uezORmE23H
arrCnXkyw3vjOVIZsauHOJco/Lhz5BuhSjx217ujj7l33e1jPa43Sas7Cn+F2WLw
mOEb9Gdyc7df5Y8Hhsa1YbPVtyj6L5C0CqLnjV1FQv4T+JJnj9ZoxqU5fQTNfSQ2
KwvH+0pPIZBw1g8w1h3npQIbovbnrXLNB+6cyBO6vZOa+qYbY9h1XlNTYjVMwgEY
qKIqYjHchalJJ3n9wH3pI/8O7SuHIPbXKb0i4CmzaTQG15AekAtPJhfnBsxNqB6X
rOhBea2WwYkM9Sh/DtSjKKSVwwtUyFCkOZECezJb3oek0UPj6t4JBXUsaM13IArG
zlveHpd9gwRrNL6NzJ06dlqwO/mvOAO4gyISU4RDiN9s1JByvwjYAXI31nh1LMcw
/lsiYKjeakETy2E=
=N0D0
-----END PGP SIGNATURE-----
--=-=-=--