public inbox for linux-efi@vger.kernel.org
 help / color / mirror / Atom feed
From: Matthew Garrett <matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
To: Lenny Szubowicz <lszubowi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
	<jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	"keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org"
	<keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Subject: Re: [PATCH 0/10] Add additional security checks when module loading is restricted
Date: Wed, 28 Aug 2013 23:05:51 +0000	[thread overview]
Message-ID: <1377731151.27493.9.camel@x230> (raw)
In-Reply-To: <761791749.8594444.1377730692707.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On Wed, 2013-08-28 at 18:58 -0400, Lenny Szubowicz wrote:

> I'm root. So I can write anything I want to the swap file that looks
> like a valid hibernate image but is code of my choosing. I can read
> anything I need from /dev/mem or /dev/kmem to help me do that.
> I can then immediately initiate a reboot.

No, you're blocked from /dev/mem and /dev/kmem. That doesn't make it
impossible, but it does make it much harder. A more realistic attack is
to write something that looks like (but isn't) a hibernation image which
effectively jumps back into the resume kernel after modifying it, but
you'd still need to generate a bunch of kernel state.

The need for a reboot makes it a less significant attack than the others
that this patchset protects against, which all allow the modification of
the already running kernel. If you also want to protect against attacks
involving reboots then you need to secure the on-disk representation of
the kernel as well, which means Secure Boot, and that also means you
want encrypted hibernation support.

If you need something for the short term then I'd suggest just adding a
config option that disables hibernation when a system is in Secure Boot
mode, but the best plan is pretty much to review the encrypted
hibernation patches that got posted recently. It'd be easy to tie those
into appropriate policy.
-- 
Matthew Garrett <matthew.garrett@nebula.com>

  parent reply	other threads:[~2013-08-28 23:05 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-19 17:26 [PATCH 0/10] Add additional security checks when module loading is restricted Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 01/10] Add secure_modules() call Matthew Garrett
     [not found]   ` <1376933171-9854-2-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-29 15:01     ` Josh Boyer
2013-08-19 17:26 ` [PATCH V2 03/10] x86: Lock down IO port access when module security is enabled Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 07/10] acpi: Ignore acpi_rsdp kernel parameter " Matthew Garrett
2013-08-19 17:26 ` [PATCH V2 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions Matthew Garrett
     [not found]   ` <1376933171-9854-9-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-29 15:57     ` Lenny Szubowicz
     [not found]       ` <410604531.9664777.1377791856786.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-29 18:14         ` Lenny Szubowicz
2013-08-29 18:10     ` Vivek Goyal
2013-08-19 17:26 ` [PATCH V2 09/10] x86: Restrict MSR access when module loading is restricted Matthew Garrett
2013-08-19 17:34 ` [PATCH 0/10] Add additional security checks " Kees Cook
     [not found] ` <1376933171-9854-1-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-19 17:26   ` [PATCH V2 02/10] PCI: Lock down BAR access when module security is enabled Matthew Garrett
2013-08-19 17:26   ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem when module loading is restricted Matthew Garrett
2013-08-19 17:26   ` [PATCH V2 10/10] Add option to automatically enforce module signatures when in Secure Boot mode Matthew Garrett
2013-08-29 18:37     ` Josh Boyer
     [not found]       ` <20130829183713.GT20828-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2013-08-30 20:46         ` H. Peter Anvin
     [not found]           ` <522104A6.5000700-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2013-08-30 23:41             ` Josh Boyer
     [not found]               ` <20130830234133.GR20828-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2013-09-04 10:51                 ` joeyli
     [not found]                   ` <1378291877.6380.74.camel-ONCj+Eqt86TasUa73XJKwA@public.gmane.org>
2013-09-04 12:01                     ` Josh Boyer
     [not found]                       ` <CA+5PVA4J1mL0o=MHM-D81rcViR+E3JUyGChvHe8P+3+yt3v_qA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-04 13:13                         ` joeyli
2013-08-28 22:37   ` [PATCH 0/10] Add additional security checks when module loading is restricted Lenny Szubowicz
     [not found]     ` <1241952070.8587861.1377729463830.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-28 22:41       ` Matthew Garrett
2013-08-28 22:58         ` Lenny Szubowicz
     [not found]           ` <761791749.8594444.1377730692707.JavaMail.root-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-08-28 23:05             ` Matthew Garrett [this message]
2013-08-28 23:07             ` Kees Cook
2013-08-28 23:12               ` Matthew Garrett
     [not found]               ` <CAGXu5jKQtx1OEn8qT8+LgHL+xFgK_pHGrxtdwFfKT1q3FHhaNg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-02  5:22                 ` joeyli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1377731151.27493.9.camel@x230 \
    --to=matthew.garrett-05xso3yj/jvqt0dzr+alfa@public.gmane.org \
    --cc=jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
    --cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=lszubowi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox