Date:	Tue, 26 Jul 2016 21:03:54 +0000
From:	<Mario_Limonciello@...l.com>
To:	<jdelvare@...e.de>, <Allen_Hung@...l.com>
CC:	<jdelvare@...e.com>, <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/2] dmi-id: add dmi/id/oem group for exporting oem
 strings to sysfs

> -----Original Message-----
> From: Limonciello, Mario
> Sent: Tuesday, July 19, 2016 9:48 AM
> To: 'Jean Delvare' <jdelvare@...e.de>; Hung, Allen <Allen_Hung@...l.com>
> Cc: Jean Delvare <jdelvare@...e.com>; linux-kernel@...r.kernel.org
> Subject: RE: [PATCH 2/2] dmi-id: add dmi/id/oem group for exporting oem
> strings to sysfs
> 
> Hi Jean,
> 
> I worked with Allen on this concept, so I've got some comments below.
> 
> > -----Original Message-----
> > From: Jean Delvare [mailto:jdelvare@...e.de]
> > Sent: Tuesday, July 19, 2016 4:03 AM
> > To: Hung, Allen <Allen_Hung@...l.com>
> > Cc: Jean Delvare <jdelvare@...e.com>; linux-kernel@...r.kernel.org;
> > Limonciello, Mario <Mario_Limonciello@...l.com>
> > Subject: Re: [PATCH 2/2] dmi-id: add dmi/id/oem group for exporting oem
> > strings to sysfs
> >
> > Hello Allen,
> >
> > On Thu, 14 Jul 2016 16:01:23 +0800, Allen Hung wrote:
> > > > The oem strings in DMI system identification information of the BIOS have
> > > been parsed and stored as dmi devices in dmi_scan.c but they are not
> > > exported to userspace via sysfs.
> >
> > They are intended for internal consumption by the kernel drivers.
> >
> > > The patch intends to export oem strings to sysfs device /sys/class/dmi/id.
> > > > As the number of oem strings is dynamic, a group "oem" is added to the
> > > device and the strings will be added to the group as string1, string2, ...,
> > > and stringN.
> >
> > What is the use case? You can already get these strings easily using
> > dmidecode:
> >
> > # dmidecode -qt 11
> > OEM Strings
> > 	String 1: Dell System
> > 	String 2: 1[05A4]
> > 	String 3: 3[1.0]
> > 	String 4: 12[www.dell.com]
> > 	String 5: 14[1]
> > 	String 6: 15[3]
> > 	String 7:
> >
> > If needed, a dedicated option could be added to dmidecode to extract
> > specific OEM strings. Or existing option -s could be extended for that
> > purpose.
> 
> The main purpose was to be able to parse these easily from userspace
> without needing dmidecode installed and handling its output
> (with tools such as grep, sed, and awk).
> 
> For example in an initramfs, typically dmidecode isn't included, but there
> is value to being able to make decisions on things related to the values of
> those OEM strings.
> 
> Instead this allows userspace to iterate the oem/ directory and directly
> look at the values of these strings.
> 
> >
> > Also your code doesn't even build. I won't review this patch until I
> > know why it is needed, and it builds (without warning.)
> >
> 
> Allen had a mistake in that submission when he was refactoring it prior to
> LKML submission.
> He resubmitted it the next day fixing that mistake:
> https://patchwork.kernel.org/patch/9231473/
> 
> > One comment below though:
> >
> > >
> > > Signed-off-by: Allen Hung <allen_hung@...l.com>
> > > ---
> > >  drivers/firmware/dmi-id.c | 108
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > >  1 file changed, 108 insertions(+)
> > >
> > > diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c
> > > index 44c0139..f284a07 100644
> > > --- a/drivers/firmware/dmi-id.c
> > > +++ b/drivers/firmware/dmi-id.c
> > > (...)
> > > +static int __init dmi_id_init_oem_attr_group(void)
> > > +{
> > > +	int i, ret;
> > > +	const struct dmi_device *dev;
> > > +	struct dmi_oem_attribute *oa, *tmp;
> > > +	struct device_attribute dev_attr_tmpl =
> > > +		__ATTR(, 0444, sys_dmi_oem_show, NULL);
> >
> > I'd be very careful about permissions. OEM strings could contain pretty
> > much everything, including serial numbers or passwords. Making these
> > files world-readable doesn't strike me as the best of the ideas.
> >
> 
> At least on Dell systems, the values in these strings are OK to be world
> readable, but I understand this concern and agree that Allen should adjust
> these permissions in the next version if you agree with the concept of this
> patch.
> 
> Thanks,

Hi Jean,

Did you have any comments about Allen's updated patch or my above
comments?

If necessary, Allen can resend with the fix to OEM strings permissions
and we can discuss further then.

Thanks,
