lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201209240840.29342.trenn@suse.de>
Date:	Mon, 24 Sep 2012 08:40:28 +0200
From:	Thomas Renninger <trenn@...e.de>
To:	Len Brown <lenb@...nel.org>
Cc:	hpa@...or.com, initramfs@...r.kernel.org, robert.moore@...el.com,
	linux-kernel@...r.kernel.org, linux-acpi@...r.kernel.org,
	yinghai@...nel.org, eric.piel@...mplin-utc.net, vojcek@...n.pl
Subject: Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging

On Sunday 23 September 2012 06:25:40 Len Brown wrote:
> > +config ACPI_INITRD_TABLE_OVERRIDE
> > +       bool
> > +       default y
> 
> Do distros in addition to SuSE concur they want to ship this way?
Whether distros ship this in their enterprise, community or just in
a -debug kernel flavor is up to them.
I cannot see why this cannot be enabled by default on all.
That is what the TAINT flag is for...
 
> The last time we tried to make debugging easier we added
> ACPI_CUSTOM_METHOD, which allowed root to over-ride an AML method
> on a running system.  Distro security-minded people were not amused.
Yep and therefore you have to remove this one from the tools for
ACPI debugging you listed.
The issue is/was, that root can inject code at runtime which is then
executed in kernel environment.
Afaik there are "security" provisions or say setups, which do
hide modprobe/insmod and do not allow root to load any kernel drivers 
or similar.
If one can write the kernel or initrd which gets booted, I guess there
are not much security restrictions anymore you could put on this user...
But thanks for the pointer, I'll go and double check with some
security guys.

> thanks,
> -Len Brown, Intel Open Source Technology Center
> 
> ps I noticed your reference to acpidump in the README.
> That reminded me to push it to the kernel source tree.
> Its new home will be tools/power/acpi
This is the one which I tried to/did adjust to acpica headers?
This sounds like a very good idea. I'll adjust the docs.

pss: Can this tool live there as well:
ftp://ftp.suse.com/pub/people/trenn/sources/ec/ec_access.c
It's the userspace tool for examining EC values (and changes) via
ec_sys debug driver and a corresponding /sys/kernel/debug/.. file.
It's more ore less doing the same what the old thinkpad_acpi driver
could, but offers this to all machines with an EC device.

    Thomas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ