From: Matthew Garrett <matthew.garrett@nebula.com>
To: "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>
Cc: "keescook@chromium.org" <keescook@chromium.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>
Subject: Re: Trusted kernel patchset
Date: Mon, 16 Mar 2015 18:15:01 +0000 [thread overview]
Message-ID: <1426529700.22371.20.camel@nebula.com> (raw)
In-Reply-To: <20150316144504.4e013789@lxorguk.ukuu.org.uk>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 4112 bytes --]
On Mon, 2015-03-16 at 14:45 +0000, One Thousand Gnomes wrote:
> On Fri, 13 Mar 2015 11:38:16 -1000
> Matthew Garrett <matthew.garrett@nebula.com> wrote:
>
> > 4) Used the word "measured"
> >
> > Nothing is being measured.
>
> Nothing is being trusted either. It's simple ensuring you probably have
> the same holes as before.
>
> Also the boot loader should be measuring the kernel before it runs it,
> thats how it knows the signature is correct.
That's one implementation. Another is the kernel being stored on
non-volatile media.
> On other points:
>
> - your sysfs node is useless. I can mount over it to fake trusted and
> fool apps even in a supposedly "trusted" environment - it has to be a
> syscall I think so anything sensitive can invoke it directly from
> statically bound code and get a true answer.
The sysfs node isn't intended to be used as a mechanism for userspace to
determine whether the kernel is trustworthy - there's clearly no way to
do that, since anyone able to launch an untrusted kernel can simply
modify it so that it lies there. It exists so that people deploying some
form of trusted boot chain can enable the lockdowns while still within
the trusted codebase. If you want to prove trustworthiness then you're
still going to need something like TPM-based attestation.
> - there are devices that do things triggered on read cycles. It might not
> be a bad idea to lock down reading mem and kmem too
Yeah, at the very least doing that for anything mapped as a device is
entirely reasonable. Let me look at that.
> - All suspend/resumes allow modifying the kernel. I can boot Linux
> suspend, boot windows, modify the Linux restore image, boot Linux and
> own the box. You would need to sign the resume image somehow I think or
> just disable all suspend/resume
I'm kind of torn on this - yes, there are deployment scenarios where
hibernation can be used to circumvent the restrictions, but there are
also scenarios where that can be avoided (eg, the bootloader verifies
some state with respect to the hibernation image).
> - Why pick on ASUS WMI - every magical firmware interface has this
> property, and given how bad most firmware is I'd be more worried about
> access to things like UEFI services or straight forward ACPI methods.
The ASUS WMI driver basically allows the execution of an entirely
unknown set of SMI calls, whereas all the other drivers execute a
curated subset of functions. Specific platforms may have specific bugs,
but in general we control access to firmware calls quite strictly.
> Also consider user access to GPIO pins. You can do some very
> interesting things on certain machines with those, such as glitching
> device power rails for a few microseconds.
Good point. In general there's also the risk that GPIOs may be used for
features like TPM physical presence detection, so exposing those to
userspace does seem like a bad idea.
> What you don't document is the assumption about how the kernel boot
> parameters are handled. A large number of boot parameters allow arbitrary
> I/O access or allow code execution if used with skill and cunning.
Things that spring to mind here:
1) The ability to disable IOMMUs (some handwaving about the number of
machines that still don't have IOMMUs because security is a perfectly
reasonable thing to perform product differentiation on I guess?)
2) Your previous concerns about being able to manipulate the memory map
in hostile ways
3) Drivers that allow users to tell the kernel devices exist at
arbitrary memory addresses and then benefit from probe routines that
write blindly
Are there any other categories you're worried about? I have made an
effort to audit the generic kernel options and the only ones I'm
especially worried about in category (3) are the earlyprintk ones, but
obviously there's a bunch of old drivers that allow arbitrary addresses
to be passed and cleaning those up would be worth it.
ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(階ŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥
next prev parent reply other threads:[~2015-03-16 18:15 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 21:38 Trusted kernel patchset Matthew Garrett
2015-03-13 21:38 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2015-03-13 21:38 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2015-03-13 21:38 ` [PATCH 03/12] PCI: Lock down register access when trusted_kernel is true Matthew Garrett
2015-03-13 21:38 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2015-03-13 21:38 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2015-03-13 21:38 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2015-03-13 21:38 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2015-03-13 21:38 ` [PATCH 08/12] kexec: Disable loading of unverified images Matthew Garrett
2015-03-13 21:38 ` [PATCH 09/12] uswsusp: Disable when trusted_kernel is true Matthew Garrett
2015-03-16 21:36 ` Kees Cook
2015-03-16 21:40 ` Matthew Garrett
2015-03-13 21:38 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2015-03-13 21:38 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2015-03-13 21:38 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2015-04-22 11:36 ` Dan Carpenter
2015-03-15 1:53 ` Trusted kernel patchset Matthew Garrett
2015-03-16 14:45 ` One Thousand Gnomes
2015-03-16 18:15 ` Matthew Garrett [this message]
2015-03-16 20:07 ` One Thousand Gnomes
2015-03-16 20:35 ` David Lang
2015-03-16 20:57 ` One Thousand Gnomes
2015-03-16 21:11 ` Matthew Garrett
2015-03-16 21:29 ` Kees Cook
2015-03-17 17:48 ` One Thousand Gnomes
2015-03-17 20:22 ` Simon McVittie
2015-03-17 20:42 ` Matthew Garrett
2015-03-18 11:34 ` Simon McVittie
2015-03-16 21:54 ` Jiri Kosina
2015-03-18 13:24 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1426529700.22371.20.camel@nebula.com \
--to=matthew.garrett@nebula.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=hpa@zytor.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox