Subject: Re: Failover root devices
To: Ortwin Glück, Drew DeVault, Richard Weinberger
Cc: "linux-kernel@vger.kernel.org"
From: Austin S Hemmelgarn
Message-ID: <55FC2F69.9030609@gmail.com>
Date: Fri, 18 Sep 2015 11:36:09 -0400
In-Reply-To: <55FC2815.7070806@odi.ch>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2015-09-18 11:04, Ortwin Glück wrote:
>> If you have physical access then the machine is yours to do with as
>> you please.
>
> Thinking of ATMs or voting machines that is a bold statement :-)

Many voting machines already have known ACE exploits already (I
distinctly remember a while back some CS students demonstrated a
'modern' voting machine playing PAC-Man without modifying any of the
hardware at all), and those that have network access or other accessible
peripheral connections are inherently insecure, period.

And most ATMs (at least in the US) run Windows (_shivers_) XP or
eComStation (the current commercial version of OS/2 (yes it still lives
on)), neither of which is particularly secure even when it comes to
remote access to the system, and even then, the kind of access you need
would involve directly tampering with the system.

Irrespective of that, neither one should be configured to work like
that. The intent is for custom setups primarily; if some company
decides to use this in an insecure way, that's their problem, not ours
(it's really easy to use a wide number of kernel features in ways that
compromise security, that doesn't mean we should just rip those out).

> Thinking of mobile phones it depends on your jurisdiction.

This isn't a legal ruling, it's a simple statement of fact: if someone
has physical access to a system, they effectively have root access,
period. While this is probably not what the above comment was directly
referring to, it is an established fact.