lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20160405100929.GB2701@codeblueprint.co.uk>
Date:	Tue, 5 Apr 2016 11:09:29 +0100
From:	Matt Fleming <matt@...eblueprint.co.uk>
To:	Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc:	"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	joeyli <jlee@...e.com>,
	Kweh Hock Leong <hock.leong.kweh@...el.com>,
	Borislav Petkov <bp@...en8.de>,
	Mark Salter <msalter@...hat.com>,
	Peter Jones <pjones@...hat.com>,
	Bryan O'Donoghue <pure.logic@...us-software.ie>
Subject: Re: [PATCH 2/4] efi: Capsule update support

On Tue, 29 Mar, at 03:50:39PM, Ard Biesheuvel wrote:
> 
> Should we perhaps whitelist rather than blacklist these flags? If a
> 'EFI_CAPSULE_INITIATE_RESET_TOO' surfaces at some point, or flags that
> do other nasty things, at least we won't be caught off guard.
 
I spent a while thinking about this and was originally going to go
with the blacklist. The idea being that we wouldn't need to update the
kernel to allow new capsule flags to be passed through to the
firmware, even when the kernel doesn't care about them.

But then the thought of having to apply patches to stable to disallow
new capsule flags that don't work correctly with the current patches
left me feeling a cold chill.

So yes, it's a good suggestion Ard. Let's go with the whitelist, which
gives us the power to opt-in to any new capsule flags, whatever they
may be.

---

diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c
index dac25208ad5e..0de55944ac0b 100644
--- a/drivers/firmware/efi/capsule.c
+++ b/drivers/firmware/efi/capsule.c
@@ -64,6 +64,17 @@ out:
 	return rv;
 }
 
+/*
+ * Whitelist of EFI capsule flags that we support.
+ *
+ * We do not handle EFI_CAPSULE_INITIATE_RESET because that would
+ * require us to prepare the kernel for reboot. Refuse to load any
+ * capsules with that flag and any other flags that we do not know how
+ * to handle.
+ */
+#define EFI_CAPSULE_SUPPORTED_FLAG_MASK			\
+	(EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE)
+
 /**
  * efi_capsule_supported - does the firmware support the capsule?
  * @guid: vendor guid of capsule
@@ -84,6 +95,9 @@ int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
 	u64 max_size;
 	int rv = 0;
 
+	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
+		return -EINVAL;
+
 	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
 	if (!capsule)
 		return -ENOMEM;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ