lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1480608404.21573.68.camel@chaos.suse>
Date:   Thu, 01 Dec 2016 17:06:44 +0100
From:   Jean Delvare <jdelvare@...e.de>
To:     David Howells <dhowells@...hat.com>
Cc:     minyard@....org, linux-kernel@...r.kernel.org,
        gnomes@...rguk.ukuu.org.uk, Wolfram Sang <wsa@...-dreams.de>,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-i2c@...r.kernel.org
Subject: Re: [PATCH 09/39] Annotate hardware config module parameters in
 drivers/i2c/

On jeu., 2016-12-01 at 14:12 +0000, David Howells wrote:
> Jean Delvare <jdelvare@...e.de> wrote:
> 
> > > Note that we do still need to do the module initialisation because some
> > > drivers have viable defaults set in case parameters aren't specified and
> > > some drivers support automatic configuration (e.g. PNP or PCI) in addition
> > > to manually coded parameters.
> > 
> > Initializing the driver when you are not able to honor the user request
> > looks wrong to me. I don't see how some drivers having sane defaults
> > justifies that. Using the defaults when no parameters are passed is one
> > thing (good), still using the defaults when parameters are passed is
> > another (bad), and you should be able to differentiate between these two
> > cases.
> 
> Corey Minyard argues the other way:
> 
> 	This would prevent any IPMI interface from working if any address was
> 	given on the kernel command line. I'm not sure what the best policy
> 	is, but that sounds like a possible DOS to me.
> 
> Your preference allows someone to prevent a driver from initialising - which
> could also be bad.  The problem is that I don't think there's any way to do
> both.

I'm not sure what is your threat model, but I'm afraid that if the
attacker can change the kernel command line, he/she has so many ways to
screw up the machine, that removing one won't make a difference.

>> (...)
> > And maybe the following ones, but I'm not sure if forcibly enabling a
> > device is part of what you need to prevent:
> > 
> > i2c-piix4.c:module_param (force, int, 0);
> > i2c-sis630.c:module_param(force, bool, 0);
> > i2c-viapro.c:module_param(force, bool, 0);
> 
> I don't know either.  One could argue it *should* be locked down because its
> need appears to reflect a BIOS bug.

Indeed. OTOH if you remove all kernel code that is there solely due to
BIOS bugs, then you can rename Secure Boot to No Boot. Well that's
certainly one way to be secure ;-)

-- 
Jean Delvare
SUSE L3 Support

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ