Re: [RFC] Second attempt at kernel secure boot support

From: James Bottomley
Date: Thu Nov 01 2012 - 05:08:22 EST

Next message: Shan Wei: "Re: [PATCH 7/9] rcu: use this_cpu_ptr per-cpu helper instead ofper_cpu_ptr(p, raw_smp_processor_id())"
Previous message: Daniel Mack: "Re: [alsa-devel] Idea: dynamic loading of USB quirks"
In reply to: David Howells: "Re: [PATCH RFC 0/4] Add firmware signature file check"
Next in thread: Jiri Kosina: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2012-10-31 at 23:19 +0100, Oliver Neukum wrote:
> On Wednesday 31 October 2012 15:58:05 Chris Friesen wrote:
> > On 10/31/2012 02:14 PM, Oliver Neukum wrote:
>
> > > That would do it on my system.
> > > Maybe in theory you could solve this by the kernel invalidating images
> > > it hasn't written itself and forbidding to change the resume partition from the
> > > kernel command line, but that would break user space hibernation.
> >
> > If the resuming kernel refuses to resume from images it didn't create
> > itself, why do you need to forbid changing the resume partition from the
> > kernel command line?
>
> You don't. Signed images solve the problem.

I really don't think they do. The proposed attack vector is to try to
prevent a local root exploit from running arbitrary in-kernel code,
because that would compromise the secure boot part of the kernel.

I really think that's mythical: a local privilege elevation attack
usually exploits some bug (classically a buffer overflow) which executes
arbitrary code in kernel context. In that case, the same attack vector
can be used to compromise any in-kernel protection mechanism including
turning off the secure boot capability and reading the in-kernel private
signing key.

There have been one or two privilege elevation attacks that didn't
involve in-kernel code (usually by compromising a suid binary or other
cross domain scripting attack) that would only compromise local root and
thus be confined to the secure boot prison but they are, historically, a
minority.

The point I'm making is that given that the majority of exploits will
already be able to execute arbitrary code in-kernel, there's not much
point trying to consider features like this as attacker prevention. We
should really be focusing on discussing why we'd want to prevent a
legitimate local root from writing to the suspend partition in a secure
boot environment.

James

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Shan Wei: "Re: [PATCH 7/9] rcu: use this_cpu_ptr per-cpu helper instead ofper_cpu_ptr(p, raw_smp_processor_id())"
Previous message: Daniel Mack: "Re: [alsa-devel] Idea: dynamic loading of USB quirks"
In reply to: David Howells: "Re: [PATCH RFC 0/4] Add firmware signature file check"
Next in thread: Jiri Kosina: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]