| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 May 2014 15:51:17 -0700 From: Mike Waychison <mikew@...gle.com> To: Jean Delvare <jdelvare@...e.de> Cc: Bjorn Helgaas <bhelgaas@...gle.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: Purpose of dmi-sysfs kernel module Hi Jean, On Wed, May 14, 2014 at 12:23 PM, Jean Delvare <jdelvare@...e.de> wrote: > Hi Mike, > > On Wed, 14 May 2014 08:52:36 -0700, Mike Waychison wrote: >> On Wed, May 14, 2014 at 2:23 AM, Jean Delvare <jdelvare@...e.de> wrote: >> > Sorry for joining the party a little late but I am just discovering the >> > dmi-sysfs kernel module. I have to admit that I am very curious about >> > why it was needed. What does it let you achieve that you couldn't >> > already do with dmidecode [1]? >> >> The downside to using dmidecode is that (at least at the time), it >> involved requiring giving access to /dev/mem to the binary so that it >> could grub around in raw memory looking for the records. > > This is still the case indeed. > >> dmi-sysfs >> provides an alternative that allows for kernel-parsed entries to be >> exposed to userland without having to expose /dev/mem and raw IO which >> is insecure. > > Thanks for the explanation. But if access to /dev/mem was your only > concern, your solution seems somewhat overkill. You could have just > exposed the raw SMBIOS entry point and DMI table through sysfs, pretty > much like ACPI does, and leave the rest to dmidecode (or libsmbios.) > That would have avoided reimplementing part of dmidecode and creating > yet another interface to DMI data. I tried to make dmi-sysfs be as dumb as possible, which is why the code doesn't try very hard to actually interpret the individual entries, and instead only exposes them as "raw" files. The only "specialized" type (that actually decodes the entry in kernel-land) is type 15, as this entry provides a level of indirection to get at the system log (which is either elsewhere in raw /dev/mem memory, or only accessible behind IO ports). Again, in this case, only the raw system event log is exposed and the kernel makes no attempt to parse this log, it only exposes the raw read-only bytes. > I'm not maintaining dmi-sysfs, I'm not even using it so far, so I don't > really care, but to be honest I am quite surprised that it was accepted > into the kernel. Well, it solves some real problems for us while locking down userland access to /dev/mem and iopl. I have had several folks ask me in the past as to why dmidecode doesn't work when these facilities are removed from userland, and dmi-sysfs has proven to be a workable alternative for most. That said, dmidecode is the de facto method people use for getting at this data, and I have no intention on replacing it -- rather, I was hoping that at some point dmidecode could be updated to understand how to read the raw sysfs file in lieu of requiring superuser privileges, but I haven't had the opportunity or need to make this happen myself. Mike Waychison -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists