From: Vivek Goyal <vgoyal@redhat.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
Samuel Mendoza-Jonas <sam@mendozajonas.com>,
Mark Rutland <mark.rutland@arm.com>,
linuxppc-dev@lists.ozlabs.org, Dave Young <dyoung@redhat.com>,
linux-arm-kernel@lists.infradead.org, bhe@redhat.com,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
AKASHI Takahiro <takahiro.akashi@linaro.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Stewart Smith <stewart@linux.vnet.ibm.com>
Subject: Re: [RFC 0/3] extend kexec_file_load system call
Date: Fri, 15 Jul 2016 09:26:10 -0400 [thread overview]
Message-ID: <20160715132610.GD23514@redhat.com> (raw)
In-Reply-To: <5547846.5l81k4b13o@wuerfel>
On Fri, Jul 15, 2016 at 09:31:02AM +0200, Arnd Bergmann wrote:
> On Thursday, July 14, 2016 10:44:14 PM CEST Thiago Jung Bauermann wrote:
> > Am Donnerstag, 14 Juli 2016, 10:29:11 schrieb Arnd Bergmann:
>
> > >
> > > Right, but the question remains whether this helps while you allow the
> > > boot loader to modify the dtb. If an attacker gets in and cannot modify
> > > the kernel or initid but can modify the DT, a successful attack would
> > > be a bit harder than having a modified kernel, but you may still need
> > > to treat the system as compromised.
> >
> > Yes, and the same question also remains regarding the kernel command line.
> >
> > We can have the kernel perform sanity checks on the device tree, just as the
> > kernel needs to sanity check the command line.
> >
> > There's the point that was raised about not wanting to increase the attack
> > surface, and that's a valid point. But at least in the way Petitboot works
> > today, it needs to modify the device tree and pass it to the kernel.
> >
> > One thing that is unavoidable to come from userspace is
> > /chosen/linux,stdout-path, because it's Petitboot that knows from which
> > console the user is interacting with. The other modification to set
> > properties in vga@0 can be done in the kernel.
> >
> > Given that on DTB-based systems /chosen is an important and established way
> > to pass information to the operating system being booted, I'd like to
> > suggest the following, then:
> >
> > Extend the syscall as shown in this RFC from Takahiro AKASHI, but instead of
> > accepting a complete DTB from userspace, the syscall would accept a DTB
> > containing only a /chosen node. If the DTB contains any other node, the
> > syscall fails with EINVAL. The kernel can then add the properties in /chosen
> > to the device tree that it will pass to the next kernel.
> >
> > What do you think?
>
> I think that helps, as it makes the problem space correspond to that
> of modifying the command line, but I can still come up with countless
> attacks based on modifications of the /chosen node and/or the command
> line, in fact it's probably easier than any other node.
I don't know anything about DTB. So here comes a very basic question. Does
DTB allow passing an executable blob to kernel or pass the location of
some unsigned executable code at kernel level. I think from secureboot point of
view that would be a concern. Being able to trick kernel to execute an
unsigned code at privileged level.
Vivek
next prev parent reply other threads:[~2016-07-15 13:26 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 1:41 [RFC 0/3] extend kexec_file_load system call AKASHI Takahiro
2016-07-12 1:41 ` [RFC 1/3] syscall: add kexec_file_load to generic unistd.h AKASHI Takahiro
2016-07-12 1:42 ` [RFC 2/3] kexec: add dtb info to struct kimage AKASHI Takahiro
2016-07-12 1:42 ` [RFC 3/3] kexec: extend kexec_file_load system call AKASHI Takahiro
2016-07-15 13:09 ` Vivek Goyal
2016-07-15 13:19 ` Mark Rutland
2016-07-18 2:30 ` Dave Young
2016-07-18 10:07 ` Mark Rutland
2016-07-19 0:55 ` Dave Young
2016-07-19 10:52 ` Mark Rutland
2016-07-19 12:24 ` Vivek Goyal
2016-07-19 12:47 ` Mark Rutland
2016-07-19 13:26 ` Vivek Goyal
2016-07-20 11:41 ` David Laight
2016-07-21 9:21 ` Russell King - ARM Linux
2016-07-18 2:33 ` Dave Young
2016-07-27 0:24 ` [PATCH v2 " Thiago Jung Bauermann
2016-08-05 20:46 ` Thiago Jung Bauermann
2016-07-12 13:25 ` [RFC 0/3] " Eric W. Biederman
2016-07-12 13:58 ` Thiago Jung Bauermann
2016-07-12 14:02 ` Vivek Goyal
2016-07-12 23:45 ` Stewart Smith
2016-07-13 13:27 ` Vivek Goyal
2016-07-12 14:02 ` Arnd Bergmann
2016-07-12 14:18 ` Vivek Goyal
2016-07-12 14:24 ` Arnd Bergmann
2016-07-12 14:50 ` Mark Rutland
2016-07-13 2:36 ` Dave Young
2016-07-13 8:01 ` Arnd Bergmann
2016-07-13 8:23 ` Stewart Smith
2016-07-13 9:41 ` Mark Rutland
2016-07-13 13:13 ` Arnd Bergmann
2016-07-13 18:45 ` Thiago Jung Bauermann
2016-07-13 19:59 ` Arnd Bergmann
2016-07-14 2:18 ` Thiago Jung Bauermann
2016-07-14 8:29 ` Arnd Bergmann
2016-07-15 1:44 ` Thiago Jung Bauermann
2016-07-15 7:31 ` Arnd Bergmann
2016-07-15 13:26 ` Vivek Goyal [this message]
2016-07-15 13:33 ` Mark Rutland
2016-07-15 15:29 ` Thiago Jung Bauermann
2016-07-15 15:47 ` Mark Rutland
2016-07-15 13:42 ` Russell King - ARM Linux
2016-07-15 20:26 ` Arnd Bergmann
2016-07-15 21:03 ` Thiago Jung Bauermann
2016-07-22 0:09 ` Thiago Jung Bauermann
2016-07-22 0:53 ` Jeremy Kerr
2016-07-22 2:54 ` Michael Ellerman
2016-07-22 20:41 ` Thiago Jung Bauermann
2016-07-15 8:49 ` Russell King - ARM Linux
2016-07-15 13:03 ` Vivek Goyal
2016-07-13 9:34 ` Mark Rutland
2016-07-13 17:38 ` AKASHI Takahiro
2016-07-13 17:58 ` Mark Rutland
2016-07-13 19:57 ` Arnd Bergmann
2016-07-14 12:42 ` Mark Rutland
2016-07-14 1:54 ` Dave Young
2016-07-14 1:50 ` Dave Young
2016-07-12 16:25 ` Thiago Jung Bauermann
2016-07-12 20:58 ` Petr Tesarik
2016-07-12 21:22 ` Eric W. Biederman
2016-07-12 21:36 ` Eric W. Biederman
2016-07-12 21:53 ` Petr Tesarik
2016-07-12 22:18 ` Russell King - ARM Linux
2016-07-13 4:59 ` Stewart Smith
2016-07-13 7:36 ` Russell King - ARM Linux
2016-07-13 7:47 ` Ard Biesheuvel
2016-07-13 8:09 ` Russell King - ARM Linux
2016-07-13 8:20 ` Stewart Smith
2016-07-13 7:55 ` Stewart Smith
2016-07-13 8:26 ` Russell King - ARM Linux
2016-07-13 8:36 ` Dave Young
2016-07-13 8:57 ` Petr Tesarik
2016-07-13 13:03 ` Vivek Goyal
2016-07-13 17:40 ` Russell King - ARM Linux
2016-07-13 18:22 ` Vivek Goyal
2016-07-18 12:46 ` Balbir Singh
2016-07-18 13:26 ` Vivek Goyal
2016-07-18 13:38 ` Vivek Goyal
2016-07-20 3:45 ` Balbir Singh
2016-07-20 8:35 ` Russell King - ARM Linux
2016-07-20 10:47 ` Michael Ellerman
2016-07-20 11:12 ` Arnd Bergmann
2016-07-20 15:50 ` Thiago Jung Bauermann
2016-07-20 12:46 ` Vivek Goyal
2016-07-20 12:27 ` Vivek Goyal
2016-07-12 23:41 ` Stewart Smith
2016-07-13 13:25 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160715132610.GD23514@redhat.com \
--to=vgoyal@redhat.com \
--cc=arnd@arndb.de \
--cc=bauerman@linux.vnet.ibm.com \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mark.rutland@arm.com \
--cc=sam@mendozajonas.com \
--cc=stewart@linux.vnet.ibm.com \
--cc=takahiro.akashi@linaro.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).