From: Vivek Goyal <vgoyal@redhat.com>
To: Eric Paris <eparis@parisplace.org>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Jiri Kosina <jkosina@suse.cz>, Oliver Neukum <oneukum@suse.de>,
Chris Friesen <chris.friesen@genband.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Josh Boyer <jwboyer@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Fri, 2 Nov 2012 13:19:53 -0400 [thread overview]
Message-ID: <20121102171952.GK3300@redhat.com> (raw)
In-Reply-To: <CACLa4pu0yoB6CQX=3nuAT2vz4=oTNfM9fjMUvFXKJovYu+y4fw@mail.gmail.com>
On Thu, Nov 01, 2012 at 01:50:08PM -0400, Eric Paris wrote:
[..]
> I've talked with and
> worked with a public cloud operator who wants to prevent even a
> malicious root user from being able to run code in ring 0 inside their
> VM. The hope in that case was that in doing so they can indirectly
> shrink the attack surface between virtual machine and hypervisor.
> They hoped to limit the ways the guest could interact to only those
> methods the linux kernel implemented.
>
> They want to launch a vm running a kernel they chose and make sure
> root inside the vm could not run some other kernel or run arbitrary
> code in kernel space. It's wasn't something they solved completely.
> If it was, all of this secure boot work would be finished. Which is
> why we are having these discussions to understand all of the way that
> you an Alan seem to have to get around the secure boot restrictions.
> And look for solutions to retain functionality which meeting the
> security goal of 'prevent uid=0 to ring 0 privilege escalation.
So will secure boot help with above use case you mentioned? I think
until and unless you lock down user space too on host, it will not be
possible.
On the flip side, one might be able to launch windows in qemu (compromised
noe) and might fool user into thinking it is booted natively and steal
login credentials and other stuff.
Thanks
Vivek
next prev parent reply other threads:[~2012-11-02 17:20 UTC|newest]
Thread overview: 224+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-20 14:40 [RFC] Second attempt at kernel secure boot support Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 01/10] Secure boot: Add new capability Matthew Garrett
2012-09-28 3:10 ` Serge Hallyn
2012-10-20 0:15 ` joeyli
2012-10-20 9:02 ` Matt Fleming
2012-09-20 14:40 ` [PATCH V2 02/10] PCI: Lock down BAR access in secure boot environments Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 03/10] x86: Lock down IO port " Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem in secure boot setups Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2012-09-20 16:32 ` Greg KH
2012-09-20 17:40 ` Josh Boyer
2012-09-25 13:08 ` [PATCH V3 " Josh Boyer
2012-10-29 9:00 ` joeyli
2012-10-30 17:48 ` Josh Boyer
2012-10-30 19:27 ` joeyli
2012-09-21 8:20 ` [PATCH V2 " joeyli
2012-09-28 3:20 ` Serge Hallyn
2012-09-20 14:41 ` [PATCH V2 08/10] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2012-09-28 3:21 ` Serge Hallyn
2012-10-22 13:22 ` Matt Fleming
2012-09-20 14:41 ` [PATCH V2 09/10] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 10/10] SELinux: define mapping for new Secure Boot capability Matthew Garrett
2012-09-21 22:55 ` [RFC] Second attempt at kernel secure boot support Eric W. Biederman
2012-09-22 15:21 ` Matthew Garrett
2012-10-29 7:49 ` Jiri Kosina
2012-10-29 17:41 ` Matthew Garrett
2012-10-31 14:50 ` Jiri Kosina
2012-10-31 14:54 ` Josh Boyer
2012-10-31 14:59 ` Shea Levy
2012-10-31 15:55 ` Alan Cox
2012-10-31 15:55 ` Jiri Kosina
2012-10-31 17:03 ` Alan Cox
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:17 ` Alan Cox
2012-10-31 17:10 ` Matthew Garrett
2012-10-31 17:21 ` Alan Cox
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:39 ` Alan Cox
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:45 ` Matthew Garrett
2012-10-31 20:14 ` Oliver Neukum
2012-10-31 21:58 ` Chris Friesen
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:19 ` Oliver Neukum
2012-11-01 9:08 ` James Bottomley
2012-11-01 9:20 ` Jiri Kosina
2012-11-01 9:38 ` James Bottomley
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:59 ` James Bottomley
2012-11-01 10:06 ` Jiri Kosina
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:42 ` James Bottomley
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 15:06 ` James Bottomley
2012-11-01 15:17 ` Eric Paris
2012-11-01 16:26 ` Matthew Garrett
2012-11-01 15:06 ` Alan Cox
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:40 ` Alan Cox
2012-11-01 14:59 ` Eric Paris
2012-11-01 15:11 ` Alan Cox
2012-11-01 15:18 ` James Bottomley
2012-11-01 17:50 ` Eric Paris
2012-11-01 21:03 ` James Bottomley
2012-11-01 21:06 ` Matthew Garrett
2012-11-01 21:14 ` James Bottomley
2012-11-01 21:18 ` Matthew Garrett
2012-11-01 21:35 ` Alan Cox
2012-11-01 21:31 ` Alan Cox
2012-11-01 21:28 ` Matthew Garrett
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:34 ` Matthew Garrett
2012-11-01 21:58 ` Alan Cox
2012-11-01 21:57 ` Matthew Garrett
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 14:00 ` Matthew Garrett
2012-11-02 22:03 ` Eric W. Biederman
2012-11-02 22:19 ` Chris Friesen
2012-11-02 23:46 ` Alan Cox
2012-11-03 0:23 ` Matthew Garrett
2012-11-03 0:55 ` Alan Cox
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:47 ` Eric W. Biederman
2012-11-03 1:03 ` Alan Cox
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 16:31 ` Alan Cox
2012-11-03 16:37 ` Matthew Garrett
2012-11-03 16:37 ` Eric Paris
2012-11-03 16:42 ` Matthew Garrett
2012-11-02 17:19 ` Vivek Goyal [this message]
2012-11-01 14:46 ` Alan Cox
2012-11-01 15:04 ` Eric Paris
2012-11-01 20:27 ` Pavel Machek
2012-11-01 21:02 ` Chris Friesen
2012-11-02 15:48 ` Vivek Goyal
2012-11-02 16:54 ` Chris Friesen
2012-11-02 17:03 ` Vivek Goyal
2012-11-03 23:09 ` Jiri Kosina
2012-11-05 6:38 ` Eric W. Biederman
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 15:31 ` Jiri Kosina
2012-11-05 15:37 ` Chris Friesen
2012-11-05 18:22 ` Vivek Goyal
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:52 ` James Bottomley
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 17:48 ` James Bottomley
2012-11-02 17:54 ` Matthew Garrett
2012-11-02 17:57 ` James Bottomley
2012-11-02 18:04 ` Matthew Garrett
2012-11-02 19:18 ` Eric Paris
2012-11-02 23:38 ` James Bottomley
2012-11-03 0:22 ` Matthew Garrett
2012-11-03 12:03 ` James Bottomley
2012-11-03 13:46 ` Matthew Garrett
2012-11-03 22:56 ` James Bottomley
2012-11-04 4:28 ` Matthew Garrett
2012-11-04 9:14 ` James Bottomley
2012-11-04 13:52 ` Matthew Garrett
2012-11-05 6:14 ` Eric W. Biederman
2012-11-05 7:12 ` H. Peter Anvin
2012-11-05 7:24 ` Eric W. Biederman
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 8:50 ` Eric W. Biederman
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 12:38 ` Matthew Garrett
2012-11-05 13:44 ` Alan Cox
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 19:16 ` Eric W. Biederman
2012-11-05 20:25 ` Matthew Garrett
2012-11-06 2:46 ` Eric W. Biederman
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:36 ` Eric W. Biederman
2012-11-06 3:53 ` Matthew Garrett
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:34 ` Matthew Garrett
2012-11-06 7:56 ` Florian Weimer
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:19 ` Jiri Kosina
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:55 ` Matthew Garrett
2012-11-06 22:06 ` Florian Weimer
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:49 ` Alan Cox
2012-11-06 22:47 ` Matthew Garrett
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A@mail.gmail.com>
2012-11-07 14:55 ` Matthew Garrett
2012-11-08 10:18 ` James Courtier-Dutton
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A@mail.gmail.com>
2012-11-08 11:19 ` Alan Cox
2012-11-06 9:12 ` Alan Cox
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 8:13 ` Valdis.Kletnieks
2012-11-05 8:20 ` James Bottomley
2012-11-05 12:36 ` Matthew Garrett
2012-11-04 11:53 ` Pavel Machek
2012-11-05 21:25 ` Florian Weimer
2012-11-02 14:55 ` Vivek Goyal
2012-11-01 10:12 ` Oliver Neukum
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 15:56 ` Matthew Garrett
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Shea Levy
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:10 ` Josh Boyer
2012-10-31 15:02 ` Matthew Garrett
2012-10-31 15:05 ` Shea Levy
2012-10-31 15:09 ` Matthew Garrett
2012-11-02 15:30 ` Vivek Goyal
2012-11-02 15:42 ` Matthew Garrett
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 16:22 ` Jiri Kosina
2012-11-02 18:30 ` Vivek Goyal
2012-11-02 16:35 ` Shuah Khan
2012-11-06 12:51 ` Jiri Kosina
2012-11-06 13:16 ` Matthew Garrett
2012-10-31 17:28 ` Takashi Iwai
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:44 ` Alan Cox
2012-10-31 17:44 ` Matthew Garrett
2012-10-31 18:53 ` Takashi Iwai
2012-11-01 4:21 ` joeyli
2012-11-01 13:18 ` Alan Cox
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:18 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 1/4] scripts/sign-file: Allow specifying hash algorithm via -a option Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 2/4] scripts/sign-file: Support firmware signing Takashi Iwai
2012-11-05 17:20 ` [PATCH RFC 3/4] firmware: Add a signature check Takashi Iwai
2012-11-06 6:03 ` Mimi Zohar
2012-11-05 17:20 ` [PATCH RFC 4/4] firmware: Install signature files automatically Takashi Iwai
2012-11-05 18:12 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 20:43 ` Josh Boyer
2012-11-06 6:46 ` Takashi Iwai
2012-11-06 9:20 ` Alan Cox
2012-11-06 10:05 ` Takashi Iwai
2012-11-06 2:30 ` Ming Lei
2012-11-06 5:46 ` lee joey
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:16 ` Ming Lei
2012-11-06 7:32 ` Takashi Iwai
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:18 ` Takashi Iwai
2012-11-06 10:04 ` Ming Lei
2012-11-06 10:17 ` Takashi Iwai
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 11:03 ` Ming Lei
2012-11-06 11:15 ` Alan Cox
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ@mail.gmail.com>
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:30 ` Ming Lei
2012-11-08 17:35 ` [PATCH RFC v2 " Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 1/4] firmware: Add the firmware signing support to scripts/sign-file Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 2/4] firmware: Add -a option " Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 3/4] firmware: Add support for signature checks Takashi Iwai
2012-11-23 6:56 ` joeyli
2012-11-23 7:34 ` Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 4/4] firmware: Install firmware signature files automatically Takashi Iwai
2012-11-23 6:52 ` joeyli
2012-11-06 0:01 ` [PATCH RFC 0/4] Add firmware signature file check David Howells
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 0:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121102171952.GK3300@redhat.com \
--to=vgoyal@redhat.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chris.friesen@genband.com \
--cc=eparis@parisplace.org \
--cc=jkosina@suse.cz \
--cc=jwboyer@gmail.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=oneukum@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).