lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171026170359.v3f7od6hagrt2pv7@linux.intel.com>
Date:   Thu, 26 Oct 2017 19:03:59 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Michal Suchánek <msuchanek@...e.de>
Cc:     Peter Huewe <peterhuewe@....de>,
        Matthew Garrett <mjg59@...gle.com>,
        linux-integrity <linux-integrity@...r.kernel.org>,
        Kari Hiitola <kari@...aani.com>, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Alexander Steffen <Alexander.Steffen@...ineon.com>
Subject: Re: Fixing CVE-2017-15361

On Thu, Oct 26, 2017 at 07:02:37PM +0200, Jarkko Sakkinen wrote:
> On Thu, Oct 26, 2017 at 04:57:48PM +0200, Michal Suchánek wrote:
> > On Thu, 26 Oct 2017 16:06:02 +0200
> > Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com> wrote:
> > 
> > > On Thu, Oct 26, 2017 at 02:59:02PM +0200, Michal Suchánek wrote:
> > > > It does not really matter. People ignore the messages unless looking
> > > > for something specific as you already noticed. Warn seems adequate
> > > > because the cipher is weaker than expected but not known to
> > > > be compromised. People who care can look up the message. People who
> > > > don't care will ignore it even if it's crit.  
> > > 
> > > Is it worth of trouble to do any driver changes then (open question to
> > > everyone)? I'm not sure it is worth of trouble to add cruft to the
> > > driver code for a warning that will likely be ignored anyway.
> > 
> > If the kernel can reliably detect the affected TPMs it saves the
> > user the work of figuring out where the firmware revision is accessible
> > on the running machine and what firmware revisions are affected.
> > 
> > Thanks
> > 
> > Michal
> 
> Just giving the warning does not require any kernel functionality. If
> nothing proactive is required from the kernel I'd move the
> responsibility to the user space. Nothing in the kernel is broken an
> kernel cannot workaround the issue by ay means.
> 
> /Jarkko

I.e. I'm not going to fix a bug if there is no bug to fix.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ