* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
[not found] ` <20190325164221.5d8687bd@shemminger-XPS-13-9360>
@ 2019-03-26 0:10 ` Andy Lutomirski
2019-03-26 18:57 ` James Morris
0 siblings, 1 reply; 8+ messages in thread
From: Andy Lutomirski @ 2019-03-26 0:10 UTC (permalink / raw)
To: Stephen Hemminger, Linux API
Cc: Matthew Garrett, James Morris, LSM List, LKML, David Howells,
Alexei Starovoitov, Network Development, Chun-Yi Lee,
Daniel Borkmann, Kees Cook, Will Drewry
On Mon, Mar 25, 2019 at 4:42 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> On Mon, 25 Mar 2019 15:09:50 -0700
> Matthew Garrett <matthewgarrett@google.com> wrote:
>
> > From: David Howells <dhowells@redhat.com>
> >
> > There are some bpf functions can be used to read kernel memory:
> > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> > private keys in kernel memory (e.g. the hibernation image signing key) to
> > be read by an eBPF program and kernel memory to be altered without
> > restriction.
> >
> > Completely prohibit the use of BPF when the kernel is locked down.
> >
> > Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> > Signed-off-by: David Howells <dhowells@redhat.com>
> > cc: netdev@vger.kernel.org
> > cc: Chun-Yi Lee <jlee@suse.com>
> > cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
>
> Wouldn't this mean that Seccomp won't work in locked down mode?
I wasn't cc'd on this series, nor was linux-api, so it's awkward to review.
A while back, I suggested an approach to actually make this stuff
mergeable: submit a patch series that adds lockdown mode, enables it
by command line option (and maybe sysctl) *only* and has either no
effect or only a token effect. Then we can add actual features to
lockdown mode one at a time and review them separately.
And I'm going to complain loudly unless two things change about this
whole thing:
1. Lockdown mode becomes three states, not a boolean. The states are:
no lockdown, best-effort-to-protect-kernel-integrity, and
best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF
mess illustrates why: most users will really strongly object to
turning off BPF when they actually just want to protect kernel
integrity. And as far as I know, things like Secure Boot policy will
mostly care about integrity, not secrecy, and tracing and such should
work on a normal locked-down kernel. So I think we need this knob.
2. All the proponents of this series, and the documentation, needs to
document that it's best effort. There will always be security bugs,
and there will always be things we miss.
--Andy
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-26 0:10 ` [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down Andy Lutomirski
@ 2019-03-26 18:57 ` James Morris
2019-03-26 19:22 ` Andy Lutomirski
2019-03-26 20:19 ` Matthew Garrett
0 siblings, 2 replies; 8+ messages in thread
From: James Morris @ 2019-03-26 18:57 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Stephen Hemminger, Linux API, Matthew Garrett, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Mon, 25 Mar 2019, Andy Lutomirski wrote:
> A while back, I suggested an approach to actually make this stuff
> mergeable: submit a patch series that adds lockdown mode, enables it
> by command line option (and maybe sysctl) *only* and has either no
> effect or only a token effect. Then we can add actual features to
> lockdown mode one at a time and review them separately.
This makes sense to me.
>
> And I'm going to complain loudly unless two things change about this
> whole thing:
>
> 1. Lockdown mode becomes three states, not a boolean. The states are:
> no lockdown, best-effort-to-protect-kernel-integrity, and
> best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF
> mess illustrates why: most users will really strongly object to
> turning off BPF when they actually just want to protect kernel
> integrity. And as far as I know, things like Secure Boot policy will
> mostly care about integrity, not secrecy, and tracing and such should
> work on a normal locked-down kernel. So I think we need this knob.
Another approach would be to make this entirely policy based:
- Assign an ID to each lockdown point
- Implement a policy mechanism where each ID is mapped to 0 or 1
- Allow this policy to be specified statically or dynamically
So,
kernel_is_locked_down("ioperm")
becomes
kernel_is_locked_down(LOCKDOWN_IOPERM)
and this function checks e.g.
if (lockdown_polcy[id]) {
fail or warn;
}
Thoughts?
> 2. All the proponents of this series, and the documentation, needs to
> document that it's best effort. There will always be security bugs,
> and there will always be things we miss.
Right. Maintaining this feature will be an ongoing effort, and if its not
actively maintained, it will bitrot and become useless.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-26 18:57 ` James Morris
@ 2019-03-26 19:22 ` Andy Lutomirski
2019-03-28 3:15 ` James Morris
2019-03-26 20:19 ` Matthew Garrett
1 sibling, 1 reply; 8+ messages in thread
From: Andy Lutomirski @ 2019-03-26 19:22 UTC (permalink / raw)
To: James Morris
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, Matthew Garrett,
LSM List, LKML, David Howells, Alexei Starovoitov,
Network Development, Chun-Yi Lee, Daniel Borkmann, Kees Cook,
Will Drewry
On Tue, Mar 26, 2019 at 11:57 AM James Morris <jmorris@namei.org> wrote:
>
> On Mon, 25 Mar 2019, Andy Lutomirski wrote:
>
> > A while back, I suggested an approach to actually make this stuff
> > mergeable: submit a patch series that adds lockdown mode, enables it
> > by command line option (and maybe sysctl) *only* and has either no
> > effect or only a token effect. Then we can add actual features to
> > lockdown mode one at a time and review them separately.
>
> This makes sense to me.
>
> >
> > And I'm going to complain loudly unless two things change about this
> > whole thing:
> >
> > 1. Lockdown mode becomes three states, not a boolean. The states are:
> > no lockdown, best-effort-to-protect-kernel-integrity, and
> > best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF
> > mess illustrates why: most users will really strongly object to
> > turning off BPF when they actually just want to protect kernel
> > integrity. And as far as I know, things like Secure Boot policy will
> > mostly care about integrity, not secrecy, and tracing and such should
> > work on a normal locked-down kernel. So I think we need this knob.
>
> Another approach would be to make this entirely policy based:
>
> - Assign an ID to each lockdown point
> - Implement a policy mechanism where each ID is mapped to 0 or 1
> - Allow this policy to be specified statically or dynamically
>
> So,
>
> kernel_is_locked_down("ioperm")
>
> becomes
>
> kernel_is_locked_down(LOCKDOWN_IOPERM)
>
> and this function checks e.g.
>
> if (lockdown_polcy[id]) {
> fail or warn;
> }
>
> Thoughts?
I'm concerned that this gives too much useless flexibility to
administrators and user code in general. If you can break kernel
integrity, you can break kernel integrity -- it shouldn't really
matter *how* you break it.
--Andy
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-26 18:57 ` James Morris
2019-03-26 19:22 ` Andy Lutomirski
@ 2019-03-26 20:19 ` Matthew Garrett
1 sibling, 0 replies; 8+ messages in thread
From: Matthew Garrett @ 2019-03-26 20:19 UTC (permalink / raw)
To: James Morris
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Tue, Mar 26, 2019 at 11:57 AM James Morris <jmorris@namei.org> wrote:
> - Assign an ID to each lockdown point
> - Implement a policy mechanism where each ID is mapped to 0 or 1
> - Allow this policy to be specified statically or dynamically
One of the problems with this approach is what the default behaviour
should be when a new feature is added. If an admin fails to notice
that there's now a new policy element, they run the risk of kernel
integrity being compromised via the new feature even if the rest of
the kernel is locked down.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-26 19:22 ` Andy Lutomirski
@ 2019-03-28 3:15 ` James Morris
2019-03-28 18:07 ` Matthew Garrett
0 siblings, 1 reply; 8+ messages in thread
From: James Morris @ 2019-03-28 3:15 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Stephen Hemminger, Linux API, Matthew Garrett, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Tue, 26 Mar 2019, Andy Lutomirski wrote:
> >
> > kernel_is_locked_down("ioperm")
> >
> > becomes
> >
> > kernel_is_locked_down(LOCKDOWN_IOPERM)
> >
> > and this function checks e.g.
> >
> > if (lockdown_polcy[id]) {
> > fail or warn;
> > }
> >
> > Thoughts?
>
> I'm concerned that this gives too much useless flexibility to
> administrators and user code in general. If you can break kernel
> integrity, you can break kernel integrity -- it shouldn't really
> matter *how* you break it.
OTOH, this seems like a combination of mechanism and policy. The 3 modes
are a help here, but I wonder if they may be too coarse grained still,
e.g. if someone wants to allow a specific mechanism according to their own
threat model and mitigations.
Secure boot gives you some assurance of the static state of the system at
boot time, and lockdown is certainly useful (with or without secure boot),
but it's not a complete solution to runtime kernel integrity protection by
any stretch of the imagination. I'm concerned about it being perceived as
such.
I'm not sure how to think about it architecturally and how it fits as such
in the mainline kernel.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-28 3:15 ` James Morris
@ 2019-03-28 18:07 ` Matthew Garrett
2019-03-28 19:23 ` James Morris
0 siblings, 1 reply; 8+ messages in thread
From: Matthew Garrett @ 2019-03-28 18:07 UTC (permalink / raw)
To: James Morris
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Wed, Mar 27, 2019 at 8:15 PM James Morris <jmorris@namei.org> wrote:
> OTOH, this seems like a combination of mechanism and policy. The 3 modes
> are a help here, but I wonder if they may be too coarse grained still,
> e.g. if someone wants to allow a specific mechanism according to their own
> threat model and mitigations.
In general the interfaces blocked by these patches could also be
blocked with an LSM, and I'd guess that people with more fine-grained
requirements would probably take that approach.
> Secure boot gives you some assurance of the static state of the system at
> boot time, and lockdown is certainly useful (with or without secure boot),
> but it's not a complete solution to runtime kernel integrity protection by
> any stretch of the imagination. I'm concerned about it being perceived as
> such.
What do you think the functionality gaps are in terms of ensuring
kernel integrity (other than kernel flaws that allow the restrictions
to be bypassed)?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-28 18:07 ` Matthew Garrett
@ 2019-03-28 19:23 ` James Morris
2019-03-28 20:08 ` Matthew Garrett
0 siblings, 1 reply; 8+ messages in thread
From: James Morris @ 2019-03-28 19:23 UTC (permalink / raw)
To: Matthew Garrett
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Thu, 28 Mar 2019, Matthew Garrett wrote:
> On Wed, Mar 27, 2019 at 8:15 PM James Morris <jmorris@namei.org> wrote:
> > OTOH, this seems like a combination of mechanism and policy. The 3 modes
> > are a help here, but I wonder if they may be too coarse grained still,
> > e.g. if someone wants to allow a specific mechanism according to their own
> > threat model and mitigations.
>
> In general the interfaces blocked by these patches could also be
> blocked with an LSM, and I'd guess that people with more fine-grained
> requirements would probably take that approach.
So... I have to ask, why not use LSM for this in the first place?
Either with an existing module or perhaps a lockdown LSM?
>
> > Secure boot gives you some assurance of the static state of the system at
> > boot time, and lockdown is certainly useful (with or without secure boot),
> > but it's not a complete solution to runtime kernel integrity protection by
> > any stretch of the imagination. I'm concerned about it being perceived as
> > such.
>
> What do you think the functionality gaps are in terms of ensuring
> kernel integrity (other than kernel flaws that allow the restrictions
> to be bypassed)?
I don't know of any non-flaw gaps.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
2019-03-28 19:23 ` James Morris
@ 2019-03-28 20:08 ` Matthew Garrett
0 siblings, 0 replies; 8+ messages in thread
From: Matthew Garrett @ 2019-03-28 20:08 UTC (permalink / raw)
To: James Morris
Cc: Andy Lutomirski, Stephen Hemminger, Linux API, LSM List, LKML,
David Howells, Alexei Starovoitov, Network Development,
Chun-Yi Lee, Daniel Borkmann, Kees Cook, Will Drewry
On Thu, Mar 28, 2019 at 12:23 PM James Morris <jmorris@namei.org> wrote:
>
> On Thu, 28 Mar 2019, Matthew Garrett wrote:
>
> > On Wed, Mar 27, 2019 at 8:15 PM James Morris <jmorris@namei.org> wrote:
> > > OTOH, this seems like a combination of mechanism and policy. The 3 modes
> > > are a help here, but I wonder if they may be too coarse grained still,
> > > e.g. if someone wants to allow a specific mechanism according to their own
> > > threat model and mitigations.
> >
> > In general the interfaces blocked by these patches could also be
> > blocked with an LSM, and I'd guess that people with more fine-grained
> > requirements would probably take that approach.
>
> So... I have to ask, why not use LSM for this in the first place?
>
> Either with an existing module or perhaps a lockdown LSM?
Some of it isn't really achievable that way - for instance, enforcing
module or kexec signatures. We have other mechanisms that can be used
to enable that which could be done at the more fine-grained level, but
a design goal was to make it possible to automatically enable a full
set of integrity protections under specified circumstances.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-03-28 20:08 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20190325220954.29054-1-matthewgarrett@google.com>
[not found] ` <20190325220954.29054-24-matthewgarrett@google.com>
[not found] ` <20190325164221.5d8687bd@shemminger-XPS-13-9360>
2019-03-26 0:10 ` [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down Andy Lutomirski
2019-03-26 18:57 ` James Morris
2019-03-26 19:22 ` Andy Lutomirski
2019-03-28 3:15 ` James Morris
2019-03-28 18:07 ` Matthew Garrett
2019-03-28 19:23 ` James Morris
2019-03-28 20:08 ` Matthew Garrett
2019-03-26 20:19 ` Matthew Garrett
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox