| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 May 2018 22:06:39 +0200
From: Lukas Wunner <lukas@...ner.de>
To: Andy Lutomirski <luto@...nel.org>
Cc: Hans de Goede <hdegoede@...hat.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
"Luis R. Rodriguez" <mcgrof@...nel.org>,
Greg KH <gregkh@...uxfoundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Peter Jones <pjones@...hat.com>,
dave@...aar.me, Will Deacon <will.deacon@....com>,
Matt Fleming <matt@...eblueprint.co.uk>,
David Howells <dhowells@...hat.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Josh Triplett <josh@...htriplett.org>,
Dmitry Torokhov <dmitry.torokhov@...il.com>,
Martin Fuzzey <mfuzzey@...keon.com>,
Kalle Valo <kvalo@...eaurora.org>,
Arend Van Spriel <arend.vanspriel@...adcom.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
nbroeking@...com, Bjorn Andersson <bjorn.andersson@...aro.org>,
duwe@...e.de, Kees Cook <keescook@...omium.org>,
X86 ML <x86@...nel.org>, linux-efi <linux-efi@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support
On Tue, May 01, 2018 at 07:29:19PM +0000, Andy Lutomirski wrote:
> On Sun, Apr 29, 2018 at 2:36 AM Hans de Goede <hdegoede@...hat.com> wrote:
> > + for (i = 0; i < size; i += 8) {
> > + if (*((u64 *)(mem + i)) != *((u64 *)desc->prefix))
> > + continue;
> > +
> > + /* Seed with ~0, invert to match crc32 userspace utility
> */
> > + crc = ~crc32(~0, mem + i, desc->length);
> > + if (crc == desc->crc)
> > + break;
> > + }
>
> I hate to play the security card, but this stinks a bit. The kernel
> obviously needs to trust the EFI boot services code since the EFI boot
> services code is free to modify the kernel image. But your patch is not
> actually getting this firmware blob from the boot services code via any
> defined interface -- you're literally snarfing up the blob from a range of
> memory. I fully expect there to be any number of ways for untrustworthy
> entities to inject malicious blobs into this memory range on quite a few
> implementations.
[snip]
> It would be really nice if there was a way to pull a blob out of EFI space
> that is marked, by EFI, as belonging to a particular device.
Upthread I suggested to read the firmware from the EFI Firmware Volume.
>From my point of view that would fulfill your requirements:
https://lkml.org/lkml/2018/4/3/568
In the case of Hans' HID device, the firmware is embedded as a binary
array in the EFI driver for the device. So the kernel would read the
driver from the Firmware Volume, but it would still have to extract
the firmware from the driver, either by scanning for the 8 byte magic
or by hardcoding the offset and length in the kernel.
An attacker would have to modify the Firmware Volume as opposed to
just modifying a particular space in memory.
My suggestion was dismissed by Hans and Peter Jones on the grounds of
causing additional work without perceived benefit, given that a working
(albeit admitted to be hackish) solution exists.
Moreover Ard criticized that the EFI Firmware Volume Protocol is not
part of the UEFI spec.
I agree with you completely BTW.
Thanks,
Lukas
Powered by blists - more mailing lists