RE: [PATCH] intel_txt: add s3 userspace memory integrityverification

From: Cihula, Joseph
Date: Fri Dec 04 2009 - 12:41:31 EST

Next message: H Hartley Sweeten: "pnx4008_wdt.c: use resource_size()"
Previous message: H Hartley Sweeten: "omap_wdt.c: use resource_size()"
In reply to: Andi Kleen: "Re: [PATCH] intel_txt: add s3 userspace memory integrity verification"
Next in thread: Andi Kleen: "Re: [PATCH] intel_txt: add s3 userspace memory integrityverification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Andi Kleen [mailto:andi@xxxxxxxxxxxxxx]
> Sent: Friday, December 04, 2009 9:14 AM
>
> > "bad stuff" would be the execution of any code (or use of any data that affects execution)
> that was not verified by tboot. As long as panic() is within the code ranges MAC'ed by tboot
> (see above), it would be covered. Do you know of some panic() code paths that are outside of
> this?
>
> Not code path, but the code called by panic (console drivers, debuggers etc.)
> can well use data that is stored >4GB
>
> This can include structures with indirect pointers, like notifier chains.
>
> Notifier chains have a special checker than can check
> for <4GB, but there are other call vectors too.

Since, as you pointed out in a previous email, it is doubtful that there will be any user-visible output at this point, we can change this path to a tboot reset (which will give us some serial output at least). Is it going to be similarly unsafe to do a printk()?

> > > > > checksummed by tboot, attacker may be able to hijack code execution
> > > > > and bypass your protection, no?
> > > > Yes, kernel code is audited by tboot before resume.
> > >
> > > So no, you did not audit do_suspend_lowlevel to make sure it does not
> > > follow function pointers. Bad.
> >
> > We aren't aware of any code or data used by the resume path that is outside of the tboot-
> MAC'ed regions above--if you can point out any then we will gladly address them.
>
> Code coverage is not enough, you need data coverage too. If someone
> modifies kernel data it's typically easy to subvert code as a next step.

Agreed, which is why I said "code or data". We'll take another look at the couple of fns that are within this path, but if you have any specific examples can you please post them.

>
>
> -Andi
> --
> ak@xxxxxxxxxxxxxxx -- Speaking for myself only.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: H Hartley Sweeten: "pnx4008_wdt.c: use resource_size()"
Previous message: H Hartley Sweeten: "omap_wdt.c: use resource_size()"
In reply to: Andi Kleen: "Re: [PATCH] intel_txt: add s3 userspace memory integrity verification"
Next in thread: Andi Kleen: "Re: [PATCH] intel_txt: add s3 userspace memory integrityverification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]