From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932382AbcGOHc7 (ORCPT ); Fri, 15 Jul 2016 03:32:59 -0400 Received: from mout.kundenserver.de ([217.72.192.74]:59715 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932260AbcGOHcc (ORCPT ); Fri, 15 Jul 2016 03:32:32 -0400 From: Arnd Bergmann To: Thiago Jung Bauermann Cc: Samuel Mendoza-Jonas , Mark Rutland , linuxppc-dev@lists.ozlabs.org, Dave Young , linux-arm-kernel@lists.infradead.org, bhe@redhat.com, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, AKASHI Takahiro , "Eric W. Biederman" , Vivek Goyal , Mimi Zohar , Stewart Smith Subject: Re: [RFC 0/3] extend kexec_file_load system call Date: Fri, 15 Jul 2016 09:31:02 +0200 Message-ID: <5547846.5l81k4b13o@wuerfel> User-Agent: KMail/5.1.3 (Linux/4.4.0-28-generic; KDE/5.18.0; x86_64; ; ) In-Reply-To: <3520758.yAgMzqF1PF@hactar> References: <20160712014201.11456-1-takahiro.akashi@linaro.org> <4321972.HZgDox36RC@wuerfel> <3520758.yAgMzqF1PF@hactar> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Provags-ID: V03:K0:hcXZT7ogp3ux7WSsmqT0O1PQ8KCsMC+HVjLeDLZYn4deY0mqNeh 3mkIiWp7uYdhV0hMSfS5DtDsIPupiYDlh/zcsUpxmp6RlcyfDQGy840ZWitiRi4kHowXyTl ML1fTC4pp9wjlY+MttwwlZ5oSF5Y58XKxdY2CMpXl/gkz8fQpukwewE3511MO4Zss5sJ5pR 0flMGtlwPQEel0OeNcVRA== X-UI-Out-Filterresults: notjunk:1;V01:K0:b6kEurw1a1w=:vZ6LLkeRMYX40p/UQyObn4 kRwwCNq5CWqnybsxS2gmjyMEkjavKNRVenUBkiAKLDJnCyA+BK17/qlE/z3u1265pVeYXr212 gq/ULwg14Xy4/bc4Edmx3jWVaRUBjvZFIulK4jtDbYq/WPECL4IS2zSnqJSQiWPjwEXNYAWE2 th1TDO7TWekT1nlsWNCj+FxNB01DxS7kCtNrIQillW2NJ2XYe6LJOiZsqnWYF43HEKduK/Spt GTpjipBnQjvo7bjKRZFDmUiEGuEenOVIRedQn2CtjOPQgwxTV5eOVgmOT/sZyjvYxUtKSC3qU J7X737KlXCP0brKn7od0Cm4W+aZC1prhkx95Jmp0kTNdl5BSHQAeaexM3Cx221Z//EADMhycf Vo8g7ObYZYbDrql6+M1gXqstRl0ekyd+tqm4I89eBCdP1vC4pnBZ/+dUJxczuPlRlwzZs56xg b49NneRd5BEPVUaH3Uqy/sqPYzTGGeQmDDEfyoyQR5Ofu9y1MdrO6PjpVFFJaWEmzbzg75343 32NIOi6sLWZtKSx+nsDS+E8qw77bxyvZasL9K/jLTFVPZJbzuL+LOIRYUlINGcb4KLXb4iKyZ Grsc+8SEip021w6LzbWuBf9Rx9aBLaYHSrQ7d/4m/BsXqdvhpaSGqytqX/MDjf8ehSKahl1WX UMD235lF0OgS9ck5iCcqNzBpoIwAru8Q45PAvlTn4VH9FKEEMDyNBGIHApgmpNlkY5AdpiZuR wLZLPyp/D4vecgtg Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, July 14, 2016 10:44:14 PM CEST Thiago Jung Bauermann wrote: > Am Donnerstag, 14 Juli 2016, 10:29:11 schrieb Arnd Bergmann: > > > > Right, but the question remains whether this helps while you allow the > > boot loader to modify the dtb. If an attacker gets in and cannot modify > > the kernel or initid but can modify the DT, a successful attack would > > be a bit harder than having a modified kernel, but you may still need > > to treat the system as compromised. > > Yes, and the same question also remains regarding the kernel command line. > > We can have the kernel perform sanity checks on the device tree, just as the > kernel needs to sanity check the command line. > > There's the point that was raised about not wanting to increase the attack > surface, and that's a valid point. But at least in the way Petitboot works > today, it needs to modify the device tree and pass it to the kernel. > > One thing that is unavoidable to come from userspace is > /chosen/linux,stdout-path, because it's Petitboot that knows from which > console the user is interacting with. The other modification to set > properties in vga@0 can be done in the kernel. > > Given that on DTB-based systems /chosen is an important and established way > to pass information to the operating system being booted, I'd like to > suggest the following, then: > > Extend the syscall as shown in this RFC from Takahiro AKASHI, but instead of > accepting a complete DTB from userspace, the syscall would accept a DTB > containing only a /chosen node. If the DTB contains any other node, the > syscall fails with EINVAL. The kernel can then add the properties in /chosen > to the device tree that it will pass to the next kernel. > > What do you think? I think that helps, as it makes the problem space correspond to that of modifying the command line, but I can still come up with countless attacks based on modifications of the /chosen node and/or the command line, in fact it's probably easier than any other node. What methods to we have in place for command line changes today on other architectures? Arnd