Re: Fixing CVE-2017-15361

From: Matthew Garrett
Date: Wed Oct 25 2017 - 10:17:24 EST

Next message: Kees Cook: "Re: [PATCH] rcu: Convert timers to use timer_setup()"
Previous message: Kees Cook: "Re: [PATCH] usb: usbatm: Convert timers to use timer_setup()"
In reply to: Jarkko Sakkinen: "Fixing CVE-2017-15361"
Next in thread: Jarkko Sakkinen: "Re: Fixing CVE-2017-15361"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Oct 25, 2017 at 6:44 AM, Jarkko Sakkinen
<jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
> I'm implementing a fix for CVE-2017-15361 that simply blacklists
> vulnerable FW versions. I think this is the only responsible action from
> my side that I can do.

I'm not sure this is ideal - do Infineon have any Linux tooling for
performing firmware updates, and if so will that continue working if
the device is blacklisted? It's also a poor user experience to have
systems using TPM-backed disk encryption keys suddenly rendered
unbootable, and making it as easy as possible for people to do an
upgrade and then re-seal secrets with new keys feels like the correct
approach.

Next message: Kees Cook: "Re: [PATCH] rcu: Convert timers to use timer_setup()"
Previous message: Kees Cook: "Re: [PATCH] usb: usbatm: Convert timers to use timer_setup()"
In reply to: Jarkko Sakkinen: "Fixing CVE-2017-15361"
Next in thread: Jarkko Sakkinen: "Re: Fixing CVE-2017-15361"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]