From: Lennart Poettering <mzxreary@0pointer.de>
To: Jan Hendrik Farr <kernel@jfarr.cc>
Cc: Philipp Rudo <prudo@redhat.com>, Ard Biesheuvel <ardb@kernel.org>,
Pingfan Liu <piliu@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Baoquan He <bhe@redhat.com>, Dave Young <dyoung@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
kexec@lists.infradead.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFCv2 0/9] UEFI emulator for kexec
Date: Tue, 10 Sep 2024 09:54:56 +0200 [thread overview]
Message-ID: <Zt_7UEdDfTAQKp4I@gardel-login> (raw)
In-Reply-To: <Zt7RJepoCiCMRZSu@archlinux>
On Mo, 09.09.24 12:42, Jan Hendrik Farr (kernel@jfarr.cc) wrote:
> On 09 11:48:30, Lennart Poettering wrote:
> > On Fr, 06.09.24 12:54, Philipp Rudo (prudo@redhat.com) wrote:
> >
> > > I mostly agree on what you have wrote. But I see a big problem in
> > > running the EFI emulator in user space when it comes to secure boot.
> > > The chain of trust ends in the kernel. So it's the kernel that needs to
> > > verify that the image to be loaded can be trusted. But when the EFI
> > > runtime is in user space the kernel simply cannot do that. Which means,
> > > if we want to go this way, we would need to extend the chain of trust
> > > to user space. Which will be a whole bucket of worms, not just a
> > > can.
> >
> > May it would be nice to have a way to "zap" userspace away, i.e. allow
> > the kernel to get rid of all processes in some way, reliable. And then
> > simply start a new userspace, from a trusted definition. Or in other
> > words: if you don't want to trust the usual userspace, then let's
> > maybe just terminate it, and create it anew, with a clean, pristine
> > definition the old userspace cannot get access to.
>
> Well, this is an interesting idea!
>
> However, I'm sceptical if this could be done in a secure way. How do we
> ensure that nothing the old userspace did with the various interfaces to
> the kernel has no impact on the new userspace? Maybe others can chime in
> on this? Does kernel_lockdown give more guarantees related to this?
Yeah, it's not a trivial thing. I.e. I guess things like sysfs and
procfs will retain ownership/access mode. sysctls and sysfs attrs are
going to retain their most recently written contents and things like
that. Synthetic network interfaces, DM devices, loopback devices all
would survive this.
So, no idea how realistic this is, but I would *love* it, not only for
this purpose here, but also for the "soft-reboot" logic we have in
system these days, which shuts down userspace and starts it up again,
as a form of super-fast reboot that doesn't replace the kernel. If we
could reliably reset sysfs/sysctl/procfs/… during this, this would be
really lovely.
Lennart
--
Lennart Poettering, Berlin
next prev parent reply other threads:[~2024-09-10 7:54 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-19 14:53 [RFCv2 0/9] UEFI emulator for kexec Pingfan Liu
2024-08-19 14:53 ` [RFCv2 1/9] efi/libstub: Ask efi_random_alloc() to skip unusable memory Pingfan Liu
2024-08-19 18:00 ` Jarkko Sakkinen
2024-08-20 0:58 ` Pingfan Liu
2024-08-28 13:28 ` Ard Biesheuvel
2024-08-19 14:53 ` [RFCv2 2/9] efi/libstub: Complete efi_simple_text_output_protocol Pingfan Liu
2024-08-19 14:53 ` [RFCv2 3/9] efi/emulator: Initial rountines to emulate EFI boot time service Pingfan Liu
2024-08-19 14:53 ` [RFCv2 4/9] efi/emulator: Turn on mmu for arm64 Pingfan Liu
2024-08-19 14:53 ` [RFCv2 5/9] kexec: Introduce kexec_pe_image to parse and load PE file Pingfan Liu
2024-08-19 14:53 ` [RFCv2 6/9] arm64: kexec: Introduce a new member param_mem to kimage_arch Pingfan Liu
2024-08-19 14:53 ` [RFCv2 7/9] arm64: mm: Change to prototype of Pingfan Liu
2024-08-19 14:53 ` [RFCv2 8/9] arm64: kexec: Prepare page table for emulator Pingfan Liu
2024-08-19 14:53 ` [RFCv2 9/9] arm64: kexec: Enable kexec_pe_image Pingfan Liu
2024-08-21 14:27 ` [RFCv2 0/9] UEFI emulator for kexec Lennart Poettering
2024-08-22 5:42 ` Pingfan Liu
2024-08-22 6:16 ` Dave Young
2024-08-22 10:51 ` Pingfan Liu
2024-08-22 11:54 ` Dave Young
2024-08-22 10:56 ` Jan Hendrik Farr
2024-08-22 12:04 ` Dave Young
2024-08-22 8:23 ` Lennart Poettering
2024-08-22 10:45 ` Pingfan Liu
2024-08-22 11:42 ` Jan Hendrik Farr
2024-08-22 11:45 ` Lennart Poettering
2024-08-22 14:29 ` Pingfan Liu
2024-08-26 13:39 ` Lennart Poettering
2024-09-09 13:38 ` Pingfan Liu
2024-09-10 7:06 ` Lennart Poettering
2024-08-28 17:08 ` Ard Biesheuvel
2024-09-02 5:40 ` Pingfan Liu
2024-09-06 10:54 ` Philipp Rudo
2024-09-07 11:27 ` Jarkko Sakkinen
2024-09-07 11:31 ` Jarkko Sakkinen
2024-09-07 11:41 ` Jarkko Sakkinen
2024-09-09 13:55 ` Philipp Rudo
2024-09-09 17:09 ` Jarkko Sakkinen
2024-09-09 9:48 ` Lennart Poettering
2024-09-09 10:42 ` Jan Hendrik Farr
2024-09-09 13:49 ` Philipp Rudo
2024-09-09 14:04 ` Ard Biesheuvel
2024-09-09 14:37 ` Jan Hendrik Farr
2024-09-10 7:54 ` Lennart Poettering [this message]
2024-10-08 11:59 ` Pingfan Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zt_7UEdDfTAQKp4I@gardel-login \
--to=mzxreary@0pointer.de \
--cc=ardb@kernel.org \
--cc=bhe@redhat.com \
--cc=catalin.marinas@arm.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jarkko@kernel.org \
--cc=kernel@jfarr.cc \
--cc=kexec@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=piliu@redhat.com \
--cc=prudo@redhat.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox