Open Source and information security mailing list archives
Date:   Thu, 08 Sep 2016 16:20:45 -0300
From:   Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     kexec@...ts.infradead.org, linux-security-module@...r.kernel.org,
        linux-ima-devel@...ts.sourceforge.net,
        linuxppc-dev@...ts.ozlabs.org, linux-kernel@...r.kernel.org,
        Dave Young <dyoung@...hat.com>,
        Vivek Goyal <vgoyal@...hat.com>, Baoquan He <bhe@...hat.com>,
        Michael Ellerman <mpe@...erman.id.au>,
        Stewart Smith <stewart@...ux.vnet.ibm.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        Eric Richter <erichte@...ux.vnet.ibm.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Balbir Singh <bsingharora@...il.com>
Subject: Re: [PATCH v4 0/5] kexec_file: Add buffer hand-over for the next kernel

On Wednesday, 07 September 2016, 09:19:40 Eric W. Biederman wrote:
> ebiederm@...ssion.com (Eric W. Biederman) writes:
> > Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com> writes:
> >> Hello,
> >> 
> >> The purpose of this new version of the series is to fix a small issue
> >> that I found, which is that the kernel doesn't remove the memory
> >> reservation for the hand-over buffer it received from the previous
> >> kernel in the device tree it sets up for the next kernel. The result
> >> is that for each successive kexec, a stale hand-over buffer is left
> >> behind, wasting memory.
> >> 
> >> This is fixed by changes to kexec_free_handover_buffer and
> >> setup_handover_buffer in patch 2. The other change is to fix checkpatch
> >> warnings in the last patch.
> > 
> > This is fundamentally broken.  You do not increase the integrity of a
> > system by dropping integrity checks.
> > 
> > No. No. No. No.
> > 
> > Nacked-by: "Eric W. Biederman" <ebiederm@...ssion.com>

The IMA measurement list can be verified without the need for a checksum over
its contents by replaying the PCR extend operations and checking that the
result matches the registers in the TPM device. So the fact that it is not
part of the kexec segments checksum verification doesn't actually reduce the
integrity of the system.

Currently, IMA doesn't perform that verification when it restores the 
measurement list from the kexec handover buffer, so if you believe it's 
necessary to do that check at boot time, we could do one of the following:

1. Have IMA replay the PCR extend operations when it restores the 
measurement list from the handover buffer and validate it against the TPM 
PCRs, or

2. Have a buffer hash in the ima_kexec_hdr that IMA includes in the handover 
buffer, and verify the buffer checksum before restoring the measurement 
list.

What do you think?

> To be constructive the way we have handled similar situations in the
> past (hotplug memory) is to call kexec_load again.

Thanks for your suggestion. Unfortunately it's always possible for new 
measurements to be added to the measurement list between the kexec_file_load 
and the reboot. We see that happen in practice with system scripts and 
configuration files that are only read or executed during the reboot 
process. They are only measured by IMA as a result of the kexec execute.

-- 
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center

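As an added illustration of option 1 in the message above (example code, not part of the patch series or the thread), this Python snippet replays the SHA-1 extend of each entry in a constructed measurement list and compares the result with a constructed PCR 10 value; `ima_ng_entry`, the sample entries and the `TPM_PCRS` state are assumptions made for the example. It also covers the violation case, where the list records an all-zero template digest while the kernel extended the PCR with 0xff bytes, which is the detail a replay check most often gets wrong.

```python
import hashlib
from typing import Dict, List, Tuple

SHA1_LEN = 20
PCR_INIT = bytes(SHA1_LEN)              # every PCR starts as 20 zero bytes
VIOLATION_EXTEND = b"\xff" * SHA1_LEN   # IMA extends with 0xff bytes on a violation

# One measurement as the list records it: (PCR index, template digest). For ima-ng
# the template digest is SHA-1 of the template data; a violation is stored as zeros.
Entry = Tuple[int, bytes]

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """SHA-1 PCR extend as used for PCR 10: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()

def replay_pcrs(entries: List[Entry]) -> Dict[int, bytes]:
    """Replay the extend of every entry and return the PCR values the list implies."""
    pcrs: Dict[int, bytes] = {}
    for pcr_idx, digest in entries:
        if len(digest) != SHA1_LEN:
            raise ValueError("template digest must be 20 bytes")
        # The list stores zeros for a violation, but the TPM was extended with 0xff.
        to_extend = VIOLATION_EXTEND if digest == PCR_INIT else digest
        pcrs[pcr_idx] = extend(pcrs.get(pcr_idx, PCR_INIT), to_extend)
    return pcrs

def list_matches_tpm(entries: List[Entry], tpm_pcrs: Dict[int, bytes]) -> bool:
    """True only if every PCR touched by the list equals the value read from the TPM."""
    return all(tpm_pcrs.get(i) == v for i, v in replay_pcrs(entries).items())

def ima_ng_entry(pcr_idx: int, template_data: bytes) -> Entry:
    """Constructed ima-ng style entry: template digest is SHA-1 over the template data."""
    return (pcr_idx, hashlib.sha1(template_data).digest())

# Constructed measurement list: two ordinary entries and one violation, all on PCR 10.
ENTRIES: List[Entry] = [
    ima_ng_entry(10, b"sha256:" + bytes(32) + b"boot_aggregate"),
    ima_ng_entry(10, b"sha256:" + bytes(32) + b"/init"),
    (10, bytes(SHA1_LEN)),  # violation entry, stored with an all-zero digest
]

# Constructed TPM state: what PCR 10 holds after the kernel performed those extends.
pcr10 = extend(PCR_INIT, ENTRIES[0][1])
pcr10 = extend(pcr10, ENTRIES[1][1])
pcr10 = extend(pcr10, VIOLATION_EXTEND)
TPM_PCRS: Dict[int, bytes] = {10: pcr10}

# A list with an entry dropped (or altered) no longer replays to the TPM value.
TAMPERED: List[Entry] = ENTRIES[:1] + ENTRIES[2:]
```

A real check would read the entries from the handover buffer and the PCR values from the TPM driver; the comparison logic is the same.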