From: Jean Delvare <jdelvare@suse.de>
To: David Howells <dhowells@redhat.com>
Cc: minyard@acm.org, linux-kernel@vger.kernel.org,
gnomes@lxorguk.ukuu.org.uk, Wolfram Sang <wsa@the-dreams.de>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-i2c@vger.kernel.org
Subject: Re: [PATCH 09/39] Annotate hardware config module parameters in drivers/i2c/
Date: Thu, 01 Dec 2016 17:06:44 +0100 [thread overview]
Message-ID: <1480608404.21573.68.camel@chaos.suse> (raw)
In-Reply-To: <23573.1480601572@warthog.procyon.org.uk>
On jeu., 2016-12-01 at 14:12 +0000, David Howells wrote:
> Jean Delvare <jdelvare@suse.de> wrote:
>
> > > Note that we do still need to do the module initialisation because some
> > > drivers have viable defaults set in case parameters aren't specified and
> > > some drivers support automatic configuration (e.g. PNP or PCI) in addition
> > > to manually coded parameters.
> >
> > Initializing the driver when you are not able to honor the user request
> > looks wrong to me. I don't see how some drivers having sane defaults
> > justifies that. Using the defaults when no parameters are passed is one
> > thing (good), still using the defaults when parameters are passed is
> > another (bad), and you should be able to differentiate between these two
> > cases.
>
> Corey Minyard argues the other way:
>
> This would prevent any IPMI interface from working if any address was
> given on the kernel command line. I'm not sure what the best policy
> is, but that sounds like a possible DOS to me.
>
> Your preference allows someone to prevent a driver from initialising - which
> could also be bad. The problem is that I don't think there's any way to do
> both.
I'm not sure what is your threat model, but I'm afraid that if the
attacker can change the kernel command line, he/she has so many ways to
screw up the machine, that removing one won't make a difference.
>> (...)
> > And maybe the following ones, but I'm not sure if forcibly enabling a
> > device is part of what you need to prevent:
> >
> > i2c-piix4.c:module_param (force, int, 0);
> > i2c-sis630.c:module_param(force, bool, 0);
> > i2c-viapro.c:module_param(force, bool, 0);
>
> I don't know either. One could argue it *should* be locked down because its
> need appears to reflect a BIOS bug.
Indeed. OTOH if you remove all kernel code that is there solely due to
BIOS bugs, then you can rename Secure Boot to No Boot. Well that's
certainly one way to be secure ;-)
--
Jean Delvare
SUSE L3 Support
next prev parent reply other threads:[~2016-12-01 16:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <148059537897.31612.9461043954611464597.stgit@warthog.procyon.org.uk>
2016-12-01 12:30 ` [PATCH 09/39] Annotate hardware config module parameters in drivers/i2c/ David Howells
2016-12-01 13:47 ` Jean Delvare
2016-12-01 14:12 ` David Howells
2016-12-01 16:06 ` Jean Delvare [this message]
2016-12-05 21:09 ` One Thousand Gnomes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1480608404.21573.68.camel@chaos.suse \
--to=jdelvare@suse.de \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=keyrings@vger.kernel.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=minyard@acm.org \
--cc=wsa@the-dreams.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).