Re: [PATCH 26/30] Lock down ftrace

From: Jiri Kosina
Date: Fri Nov 10 2017 - 05:10:33 EST

Next message: Paolo Bonzini: "Re: [PATCH v3 4/4] KVM: Add flush_on_enter before guest enter"
Previous message: Peter Zijlstra: "Re: [PATCH v3 4/4] KVM: Add flush_on_enter before guest enter"
In reply to: David Howells: "Re: [PATCH 26/30] Lock down ftrace"
Next in thread: David Howells: "[PATCH 27/30] Lock down kprobes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 9 Nov 2017, David Howells wrote:

> Disallow the use of ftrace when the kernel is locked down. This patch
> turns off ftrace_enabled late in the kernel boot so that the selftest can
> still be potentially be run.
>
> The sysctl that controls ftrace_enables is also disallowed when the kernel
> is locked down. If the lockdown is lifted, then the sysctl can be used to
> reenable ftrace - if ftrace was compiled with CONFIG_DYNAMIC_FTRACE, that
> is; if it wasn't then it won't be possible to reenable it.
>
> This prevents crypto data theft by analysis of execution patterns, and, if
> in future ftrace also logs the register contents at the time, will prevent
> data theft by that mechanism also.

I fail to see how this fits into the secure boot security model, could you
please explain?

Secure boot is about having a constant proof / verification that the code
you're running in ring0 can be trusted (IOW is the one that has been
signed and verified by the whole boot chain).

Checking execution patterns doesn't seem to fit at all.

Thanks,

--
Jiri Kosina
SUSE Labs

Next message: Paolo Bonzini: "Re: [PATCH v3 4/4] KVM: Add flush_on_enter before guest enter"
Previous message: Peter Zijlstra: "Re: [PATCH v3 4/4] KVM: Add flush_on_enter before guest enter"
In reply to: David Howells: "Re: [PATCH 26/30] Lock down ftrace"
Next in thread: David Howells: "[PATCH 27/30] Lock down kprobes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]