* /dev/mem and secure boot
@ 2019-09-06 11:02 Jean Delvare
2019-09-06 12:15 ` Greg Kroah-Hartman
0 siblings, 1 reply; 7+ messages in thread
From: Jean Delvare @ 2019-09-06 11:02 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Thomas; +Cc: LKML
I've been bitten recently by mcelog not working on machines started in
secure boot mode. mcelog tries to read DMI information from /dev/mem
and fails to open it.
This made me wonder: if not even root can read /dev/mem (nor, I
suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
creating these device nodes at all in the first place? Can't we detect
that we are in secure boot mode and skip that step, and reap the rewards
(faster boot, lower memory footprint and less confusion)?
Thanks,
--
Jean Delvare
SUSE L3 Support
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: /dev/mem and secure boot
2019-09-06 11:02 /dev/mem and secure boot Jean Delvare
@ 2019-09-06 12:15 ` Greg Kroah-Hartman
2019-09-06 15:07 ` Jean Delvare
2019-09-09 13:09 ` Jean Delvare
0 siblings, 2 replies; 7+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-06 12:15 UTC (permalink / raw)
To: Jean Delvare; +Cc: Arnd Bergmann, Thomas, LKML
On Fri, Sep 06, 2019 at 01:02:21PM +0200, Jean Delvare wrote:
> I've been bitten recently by mcelog not working on machines started in
> secure boot mode. mcelog tries to read DMI information from /dev/mem
> and fails to open it.
What do you mean by "secure boot"? Is this matthew's patchset that
restricts /dev/mem/ or something else?
> This made me wonder: if not even root can read /dev/mem (nor, I
> suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
> creating these device nodes at all in the first place? Can't we detect
> that we are in secure boot mode and skip that step, and reap the rewards
> (faster boot, lower memory footprint and less confusion)?
Sure, feel free to not register it at all if the mode is enabled.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: /dev/mem and secure boot
2019-09-06 12:15 ` Greg Kroah-Hartman
@ 2019-09-06 15:07 ` Jean Delvare
2019-09-06 15:08 ` Jean Delvare
2019-09-09 13:09 ` Jean Delvare
1 sibling, 1 reply; 7+ messages in thread
From: Jean Delvare @ 2019-09-06 15:07 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Arnd Bergmann, Thomas, LKML
On Fri, 6 Sep 2019 14:15:10 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 06, 2019 at 01:02:21PM +0200, Jean Delvare wrote:
> > I've been bitten recently by mcelog not working on machines started in
> > secure boot mode. mcelog tries to read DMI information from /dev/mem
> > and fails to open it.
>
> What do you mean by "secure boot"? Is this matthew's patchset that
> restricts /dev/mem/ or something else?
I mean that early in the kernel log is:
Secure boot enabled and kernel locked down
> > This made me wonder: if not even root can read /dev/mem (nor, I
> > suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
> > creating these device nodes at all in the first place? Can't we detect
> > that we are in secure boot mode and skip that step, and reap the rewards
> > (faster boot, lower memory footprint and less confusion)?
>
> Sure, feel free to not register it at all if the mode is enabled.
>
> thanks,
>
> greg k-h
--
Jean Delvare
SUSE L3 Support
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: /dev/mem and secure boot
2019-09-06 12:15 ` Greg Kroah-Hartman
2019-09-06 15:07 ` Jean Delvare
@ 2019-09-09 13:09 ` Jean Delvare
2019-09-12 10:44 ` Thomas Renninger
2019-09-16 9:38 ` David Howells
1 sibling, 2 replies; 7+ messages in thread
From: Jean Delvare @ 2019-09-09 13:09 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Arnd Bergmann, Thomas, LKML, David Howells
Hi Greg,
On Fri, 6 Sep 2019 14:15:10 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 06, 2019 at 01:02:21PM +0200, Jean Delvare wrote:
> > I've been bitten recently by mcelog not working on machines started in
> > secure boot mode. mcelog tries to read DMI information from /dev/mem
> > and fails to open it.
>
> What do you mean by "secure boot"? Is this matthew's patchset that
> restricts /dev/mem/ or something else?
I mean that early in the kernel log is:
Secure boot enabled and kernel locked down
Digging it up, I found that this comes from a patch in our SLES kernel,
that's not upstream (yet). It is from a patch set by David Howells
(Cc'd) posted in April 2017:
https://patchwork.kernel.org/patch/9665591/
https://patchwork.kernel.org/patch/9665015/
I wrongly assumed it had been merged upstream meanwhile but I was
wrong. David, any reason why this didn't happen? Out of curiosity, are
these patches in RHEL kernels?
> > This made me wonder: if not even root can read /dev/mem (nor, I
> > suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
> > creating these device nodes at all in the first place? Can't we detect
> > that we are in secure boot mode and skip that step, and reap the rewards
> > (faster boot, lower memory footprint and less confusion)?
>
> Sure, feel free to not register it at all if the mode is enabled.
Now I feel sorry that I asked my question upstream when there's nothing
to be done there. I'll go bother SUSE kernel folks instead, sorry for
the noise. And thanks for the advice.
--
Jean Delvare
SUSE L3 Support
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: /dev/mem and secure boot
2019-09-09 13:09 ` Jean Delvare
@ 2019-09-12 10:44 ` Thomas Renninger
2019-09-16 9:38 ` David Howells
1 sibling, 0 replies; 7+ messages in thread
From: Thomas Renninger @ 2019-09-12 10:44 UTC (permalink / raw)
To: Jean Delvare; +Cc: Greg Kroah-Hartman, Arnd Bergmann, LKML, David Howells
On Monday, September 9, 2019 3:09:57 PM CEST Jean Delvare wrote:
> Hi Greg,
...
> > Sure, feel free to not register it at all if the mode is enabled.
> Now I feel sorry that I asked my question upstream when there's nothing
> to be done there. I'll go bother SUSE kernel folks instead, sorry for
> the noise. And thanks for the advice.
I also/still think /dev/mem should vanish in secure boot mode, also upstream.
There may have been strong reasons why it has been restricted to /dev/ioport
which I do not know.
Whatever the exact definition for kernel behaviour in secure boot mode in the
UEFI books is (if there is any), it should close quite some possible doors
for hijacking a machine or read sensible data and if anyhow possible secure
boot mode should head for this feature (IMHO): Get rid of /dev/mem.
Thanks for bringing this up,
Thomas
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: /dev/mem and secure boot
2019-09-09 13:09 ` Jean Delvare
2019-09-12 10:44 ` Thomas Renninger
@ 2019-09-16 9:38 ` David Howells
1 sibling, 0 replies; 7+ messages in thread
From: David Howells @ 2019-09-16 9:38 UTC (permalink / raw)
To: Jean Delvare; +Cc: dhowells, Greg Kroah-Hartman, Arnd Bergmann, Thomas, LKML
Jean Delvare <jdelvare@suse.de> wrote:
> I wrongly assumed it had been merged upstream meanwhile but I was
> wrong. David, any reason why this didn't happen?
There were last-minute objections.
The patches got redesigned somewhat by Matthew Garrett and are now pending
pulling once again:
https://lore.kernel.org/linux-security-module/alpine.LRH.2.21.1909101402230.20291@namei.org/T/#u
> Out of curiosity, are these patches in RHEL kernels?
Fedora, yes, my patchset; RHEL-7 and RHEL-8, no.
David
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-09-16 9:38 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-09-06 11:02 /dev/mem and secure boot Jean Delvare
2019-09-06 12:15 ` Greg Kroah-Hartman
2019-09-06 15:07 ` Jean Delvare
2019-09-06 15:08 ` Jean Delvare
2019-09-09 13:09 ` Jean Delvare
2019-09-12 10:44 ` Thomas Renninger
2019-09-16 9:38 ` David Howells
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox