Message-ID: <512E5B16.4050002@redhat.com>
Date:	Wed, 27 Feb 2013 20:14:30 +0100
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	Chris Friesen <chris.friesen@...band.com>
CC:	Theodore Ts'o <tytso@....edu>, Peter Jones <pjones@...hat.com>,
	Dave Airlie <airlied@...il.com>,
	Greg KH <gregkh@...uxfoundation.org>,
	Matthew Garrett <mjg59@...f.ucam.org>,
	David Howells <dhowells@...hat.com>,
	Florian Weimer <fw@...eb.enyo.de>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Josh Boyer <jwboyer@...hat.com>,
	Vivek Goyal <vgoyal@...hat.com>,
	Kees Cook <keescook@...omium.org>, keyrings@...ux-nfs.org,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries

On 27/02/2013 18:36, Chris Friesen wrote:
> On 02/27/2013 09:24 AM, Theodore Ts'o wrote:
>> On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote:
>>> No, no, no.  Quit saying nobody knows.  We've got a pretty good idea -
>>> we've got a contract with them, and it says they provide the signing
>>> service, and under circumstances where the thing being signed is found
>>> to enable malware that circumvents Secure Boot
>>
>> The question is what does "malware that circumvents Secure Boot" mean?
>> Does starting up a hacked KVM and running Windows 8 under KVM so that
>> malware can be injected count as circumventing Secure Boot?  If so, will
>> you have to disable KVM, too?
> 
> I could see an argument for KVM to require either a signed binary or
> else someone at the keyboard to explicitly okay loading the image.
> Anything else breaks the chain of trust.

Not just the executable; the firmware would also need to be signed.

In fact, I think requiring signed KVM binaries and signed VM firmwares
makes sense in the long term, but you have to stop somewhere.

And BTW you can always emulate the instruction set instead of using
hardware virtualization.  This way the kernel is not involved.  It's a
slippery slope and leads you straight to the app store model and
restrictions on interpreters like Apple's.

Certainly an attack using unsigned modules is trivial, unlike one that
virtualizes the victim OS, and also much harder to discover
(virtualization is easy to detect by timing certain operations in the
guest).  Just for this reason, putting unsigned modules on the "no" side
makes much more sense than putting virtualization on the "no" side.

Paolo

> It may be somewhat far-fetched, but I think it would be possible to take
> an existing secure-boot Win 8 install, turn it into a VM but with an
> infected kernel. Then install a signed Linux distro that runs the Win8
> VM as a guest.
> 
> At this point you've got a running infected Win8 install that is running
> on Secure Boot hardware but is actually running malware.
> 
> Admittedly this would be tricky to do reliably in a way that the user
> doesn't notice, so it may not actually be a real-world threat.
> 
> Chris
