lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 4 Apr 2018 09:39:08 -0700
From:   Andy Lutomirski <luto@...nel.org>
To:     Matthew Garrett <mjg59@...gle.com>
Cc:     "Ted Ts'o" <tytso@....edu>, David Howells <dhowells@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrew Lutomirski <luto@...nel.org>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        James Morris <jmorris@...ei.org>,
        Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Justin Forbes <jforbes@...hat.com>,
        linux-man <linux-man@...r.kernel.org>, joeyli <jlee@...e.com>,
        LSM List <linux-security-module@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        Kees Cook <keescook@...omium.org>,
        linux-efi <linux-efi@...r.kernel.org>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot

On Wed, Apr 4, 2018 at 9:22 AM, Matthew Garrett <mjg59@...gle.com> wrote:
> On Wed, Apr 4, 2018 at 6:52 AM Theodore Y. Ts'o <tytso@....edu> wrote:
>
>> On Wed, Apr 04, 2018 at 02:33:37PM +0100, David Howells wrote:
>> > Theodore Y. Ts'o <tytso@....edu> wrote:
>> >
>> > > Whoa.  Why doesn't lockdown prevent kexec?  Put another away, why
>> > > isn't this a problem for people who are fearful that Linux could be
>> > > used as part of a Windows boot virus in a Secure UEFI context?
>> >
>> > Lockdown mode restricts kexec to booting an authorised image (where the
>> > authorisation may be by signature or by IMA).
>
>> If that's true, then Matthew's assertion that lockdown w/o secure boot
>> is insecure goes away, no?
>
> If you don't have secure boot then an attacker with root can modify your
> bootloader or kernel, and on next boot lockdown can be silently disabled.

This has been rebutted over and over and over.  Secure boot is not the
only verified boot mechanism in the world.  Other, better, much more
auditable, and much simpler mechanisms have been around for a long,
long time.

>> The fact that this Verified Boot on, lockdown off causes trouble
>> points to a clear problem.   User owns the hardware they should have
>> the right to defeat secureboot if they wish to.
>
> Which is why Shim allows you to disable validation if you prove physical
> user presence.

And that's a giant hack.  The actual feature should be that a user
proves physical presence and thus disables lockdown *without*
disabling verification.

--Andy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ