From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755098AbcGTPu1 (ORCPT ); Wed, 20 Jul 2016 11:50:27 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:51143 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755074AbcGTPuV (ORCPT ); Wed, 20 Jul 2016 11:50:21 -0400 X-IBM-Helo: d24dlp01.br.ibm.com X-IBM-MailFrom: bauerman@linux.vnet.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org From: Thiago Jung Bauermann To: Arnd Bergmann Cc: Michael Ellerman , Russell King - ARM Linux , Balbir Singh , Stewart Smith , bhe@redhat.com, kexec@lists.infradead.org, dyoung@redhat.com, Petr Tesarik , linux-kernel@vger.kernel.org, AKASHI Takahiro , "Eric W. Biederman" , linuxppc-dev@lists.ozlabs.org, Vivek Goyal , linux-arm-kernel@lists.infradead.org Subject: Re: [RFC 0/3] extend kexec_file_load system call Date: Wed, 20 Jul 2016 12:50:11 -0300 User-Agent: KMail/4.14.3 (Linux/3.13.0-92-generic; KDE/4.14.13; x86_64; ; ) In-Reply-To: <34243612.Gid3QHG1hd@wuerfel> References: <87twfunneg.fsf@linux.vnet.ibm.com> <20160720083530.GK1041@n2100.armlinux.org.uk> <34243612.Gid3QHG1hd@wuerfel> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16072015-0020-0000-0000-000002240A4F X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16072015-0021-0000-0000-000030055085 Message-Id: <2545578.SWp0m9VQX8@hactar> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-07-20_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607200179 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Mittwoch, 20 Juli 2016, 13:12:20 schrieb Arnd Bergmann: > On Wednesday, July 20, 2016 8:47:45 PM CEST Michael Ellerman wrote: > > At least for stdout-path, I can't really see how that would > > significantly help an attacker, but I'm all ears if anyone has ideas. > > That's actually an easy one that came up before: If an attacker controls > a tty device (e.g. network console) that can be used to enter a debugger > (kdb, kgdb, xmon, ...), enabling that to be the console device > gives you a direct attack vector. The same thing will happen if you > have a piece of software that intentially gives extra rights to the > owner of the console device by treating it as "physical presence". I think people are talking past each other a bit in these arguments about what is relevant to security or not. For the kexec maintainers, kexec_file_load has one very specific and narrow purpose: enable Secure Boot as defined by UEFI. And from what I understand of their arguments so far, there is one and only one security concern: when in Secure Boot mode, a system must not allow execution of unsigned code with kernel privileges. So even if one can specify a different root filesystem and do a lot of nasty things to the system with a rogue userspace in that root filesystem, as long as the kernel won't load unsigned modules that's not a problem as far as they're concerned. Also, AFAIK attacks requiring "physical presence" are out of scope for the UEFI Secure Boot security model. Thus an attack that involves control of a console of plugging an USB device is also not a concern. One thing I don't know is whether an attack involving a networked IPMI console or a USB device that can be "plugged" virtually by a managing system (BMC) is considered a physical attack or a remote attack in the context of UEFI Secure Boot. -- []'s Thiago Jung Bauermann IBM Linux Technology Center