Kexec Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Steven Rostedt <rostedt@goodmis.org>
To: Philipp Rudo <prudo@redhat.com>
Cc: Ricardo Ribalda <ribalda@chromium.org>,
	Eric Biederman <ebiederm@xmission.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
	Ross Zwisler <zwisler@kernel.org>,
	linux-doc@vger.kernel.org,
	"Joel Fernandes (Google)" <joel@joelfernandes.org>
Subject: Re: [PATCH v1 2/2] kexec: Introduce kexec_reboot_disabled
Date: Mon, 28 Nov 2022 11:42:00 -0500	[thread overview]
Message-ID: <20221128114200.72b3e2fe@gandalf.local.home> (raw)
In-Reply-To: <20221124160115.23ae7928@rotkaeppchen>

On Thu, 24 Nov 2022 16:01:15 +0100
Philipp Rudo <prudo@redhat.com> wrote:

> No, I think the implementation is fine. I'm currently only struggling
> to understand what problem kexec_reboot_disabled solves that cannot be
> solved by kexec_load_disabled.

Hi Philipp,

Thanks for working with us on this.

Let me try to explain our use case. We want kexec/kdump enabled, but we
really do not want kexec used for any other purpose. We must have the kexec
kernel loaded at boot up and not afterward.

Your recommendation of:

  kexec -p dump_kernel
  echo 1 > /proc/sys/kernel/kexec_load_disabled

can work, and we will probably add it. But we are taking the paranoid
approach, and what I learned in security 101 ;-) and that is, only open up
the minimal attack surface as possible.

Yes, it's highly unlikely that the above would crash. But as with most
security vulnerabilities, it's not going to be an attacker that creates a
new gadget here, but probably another script in the future that causes this
to be delayed or something, and a new window of opportunity will arise for
an attacker. Maybe, that new window only works for non panic kernels. Yes,
this is a contrived scenario, but the work vs risk is very low in adding
this feature.

Perhaps the attack surface that a reboot kexec could be, is that the
attacker gets the ability at boot up to load the kexec for reboot and not panic.
Then the attack must wait for the victim to reboot their machine before
they have access to the new kernel. Again, I admit this is contrived, but
just because I can't think of a real situation that this could be a problem
doesn't mean that one doesn't exist.

In other words, if we never want to allow a kexec reboot, why allow it at
all from the beginning? The above allows it, until we don't. That alone
makes us nervous. Whereas this patch is rather trivial and doesn't add
complexity.

Thanks for your time, we appreciate it.

-- Steve

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

  parent reply	other threads:[~2022-11-28 16:42 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-14 13:18 [PATCH v1 0/2] kexec: Add new toogle to disable kexec_reboot Ricardo Ribalda
2022-11-14 13:18 ` [PATCH v1 1/2] Documentation: sysctl: Correct kexec_load_disabled Ricardo Ribalda
2022-11-23  9:47   ` Baoquan He
2022-11-14 13:18 ` [PATCH v1 2/2] kexec: Introduce kexec_reboot_disabled Ricardo Ribalda
2022-11-17 15:06   ` Philipp Rudo
2022-11-17 15:15     ` Ricardo Ribalda
2022-11-21 14:09       ` Philipp Rudo
2022-11-23  8:58         ` Ricardo Ribalda
2022-11-24 11:40           ` Philipp Rudo
2022-11-24 12:52             ` Ricardo Ribalda
2022-11-24 15:01               ` Philipp Rudo
2022-11-24 22:32                 ` Ricardo Ribalda
2022-11-28 16:28                   ` Philipp Rudo
2022-11-28 23:37                     ` Steven Rostedt
2022-11-28 16:42                 ` Steven Rostedt [this message]
2022-11-29 13:44                   ` Philipp Rudo
2022-11-29 14:32                     ` Steven Rostedt
2022-12-12 21:43                       ` Ricardo Ribalda
2022-11-23 13:49   ` Baoquan He

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221128114200.72b3e2fe@gandalf.local.home \
    --to=rostedt@goodmis.org \
    --cc=corbet@lwn.net \
    --cc=ebiederm@xmission.com \
    --cc=joel@joelfernandes.org \
    --cc=kexec@lists.infradead.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=prudo@redhat.com \
    --cc=ribalda@chromium.org \
    --cc=senozhatsky@chromium.org \
    --cc=zwisler@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox