[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKv+Gu-70G-LtEJZpv0kKL_Tb+msyS9iA3yY7phq7+ZJeF1qWA@mail.gmail.com>
Date: Mon, 3 Jul 2017 12:44:52 +0100
From: Ard Biesheuvel <ard.biesheuvel@...aro.org>
To: joeyli <jlee@...e.com>
Cc: Gary Lin <glin@...e.com>, "x86@...nel.org" <x86@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>
Subject: Re: [RFC v2 PATCH] x86/boot: Add the secdata section to the setup header
On 30 June 2017 at 23:52, joeyli <jlee@...e.com> wrote:
> Hi Ard,
>
> On Thu, Jun 01, 2017 at 08:46:26AM +0000, Ard Biesheuvel wrote:
>> On 1 June 2017 at 08:11, Gary Lin <glin@...e.com> wrote:
>> > On Fri, May 12, 2017 at 04:05:34PM +0800, Gary Lin wrote:
>> >> A new section, secdata, in the setup header is introduced to store the
>> >> distro-specific security version which is designed to help the
>> >> bootloader to warn the user when loading a less secure or vulnerable
>> >> kernel. The secdata section can be presented as the following:
>> >>
>> >> struct sec_hdr {
>> >> __u16 header_length;
>> >> __u32 distro_version;
>> >> __u16 security_version;
>> >> } __attribute__((packed));
>> >> char *signer;
>> >>
>> >> It consists of a fixed size structure and a null-terminated string.
>> >> "header_length" is the size of "struct sec_hdr" and can be used as the
>> >> offset to "signer". It also can be a kind of the "header version" to
>> >> detect if any new member is introduced.
>> >>
>> >> The kernel packager of the distribution can put the distro name in
>> >> "signer" and the distro version in "distro_version". When a severe
>> >> vulnerability is fixed, the packager increases "security_version" in
>> >> the kernel build afterward. The bootloader can maintain a list of the
>> >> security versions of the current kernels and only allows the kernel with
>> >> a higher or equal security version to boot. If the user is going to boot
>> >> a kernel with a lower security version, a warning should show to prevent
>> >> the user from loading a vulnerable kernel accidentally.
>> >>
>> >> Enabling UEFI Secure Boot is recommended when using the security version
>> >> or the attacker may alter the security version stealthily.
>> >>
>> > Any comment?
>> >
>>
>> This is now entirely x86-specific. My preference would be to have a
>> generic solution instead.
>>
>> --
>> Ard.
>
> On x86 platform with secure boot, UEFI boot loader (e.g. shim) keeps the
> kernel security version in boot variable for comparing to prevent replay
> attack.
>
> Will ARM platform also apply this approach? Does ARM platform have
> secure boot knob in firmware?
>
Yes, there is no reason to assume ARM differs from x86 in this
respect. Shim can be built for ARM as well as for x86.
Powered by blists - more mailing lists