lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 25 Feb 2018 10:56:22 +0000
From:   Ard Biesheuvel <ard.biesheuvel@...aro.org>
To:     Alan Cox <gnomes@...rguk.ukuu.org.uk>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        "Luck, Tony" <tony.luck@...el.com>,
        Joe Konno <joe.konno@...ux.intel.com>,
        "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Matthew Garrett <matthew.garrett@...ula.com>,
        Jeremy Kerr <jk@...abs.org>, Andi Kleen <ak@...ux.intel.com>,
        Matthew Garrett <mjg59@...gle.com>,
        Peter Jones <pjones@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        James Bottomley <james.bottomley@...senpartnership.com>
Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions

On 24 February 2018 at 20:06, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote:
> On Wed, 21 Feb 2018 09:03:00 +0000
>> The thing I like about rate limiting (for everyone including root) is
>> that it does not break anybody's workflow (unless EFI variable access
>> occurs on a hot path, in which case you're either a) asking for it, or
>> b) the guy trying to DoS us), and that it can make exploitation of any
>> potential Spectre v1 vulnerabilities impractical at the same time. At
>
> b) doesn't make spectre v1 much harder alas. What matters there is that
> you turn on the right CPU protections before calling into EFI and turn
> them off afterwards. EFI firmware internally isn't built with retpoline
> anyway.
>

Well, that is exactly my concern. The parsing code in the
authenticated variable routines in UEFI may well contain sequences
that are exploitable, due to UEFI's heavy reliance on protocols
involving function pointers, and the fact that a variable update is
structured data (with bounds that may need checking). Also, this code
is highly likely to remain unpatched on many systems, and it usually
appears in the same place in memory regardless of KASLR. However, only
root can call SetVariable(), so perhaps the risk is limited after all?

I had a stab (for arm64) at unmapping the kernel while UEFI calls are
in progress, which is a fairly big hammer, but effective, given that
UEFI itself does not keep any secrets in the first place, and so if
the kernel isn't mapped, there isn't anything to steal to begin with.
Note that on arm64, Spectre v2 should not be a concern, due to the
branch predictor maintenance that takes place when entering the
kernel. But Spectre v1 in UEFI runtime service code is currently
unmitigated, and I wonder what the risk level really is.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ