lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Dec 2017 14:26:57 +0000 From: Alan Cox <gnomes@...rguk.ukuu.org.uk> To: Gary Lin <glin@...e.com> Cc: x86@...nel.org, linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Ingo Molnar <mingo@...hat.com>, Matt Fleming <matt@...eblueprint.co.uk>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, Joey Lee <jlee@...e.com> Subject: Re: [RFC v3 PATCH 0/2] Introduce Security Version to EFI Stub On Tue, 5 Dec 2017 18:01:46 +0800 Gary Lin <glin@...e.com> wrote: > The series of patches introduce Security Version to EFI stub. > > Security Version is a monotonically increasing number and designed to > prevent the user from loading an insecure kernel accidentally. The > bootloader maintains a list of security versions corresponding to > different distributions. After fixing a critical vulnerability, the > distribution kernel maintainer bumps the "version", and the bootloader > updates the list automatically. This seems a mindbogglingly complicated way to implement something you could do with a trivial script in the package that updates the list of iffy kernels and when generating the new grub.conf puts them in a menu of 'old insecure' kernels. Why do you even need this in the EFI stub ? What happens if you want to invalidate an old kernel but not push a new one ? Today if you've got a package that maintains the list of 'iffy' kernels you can push a tiny package, under your scheme you've got to push new kernels which is an un-necessary and high risk OS change. It just feels like an attempt to solve the problem in completely the wrong place. Alan
Powered by blists - more mailing lists