lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 31 May 2019 11:07:37 -0700
From:   Joe Richey <joerichey@...gle.com>
To:     Matthew Garrett <matthewgarrett@...gle.com>
Cc:     linux-integrity@...r.kernel.org, peterhuewe@....de,
        jarkko.sakkinen@...ux.intel.com, jgg@...pe.ca,
        roberto.sassu@...wei.com, linux-efi@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        ThiƩbaud Weksteen <tweek@...gle.com>,
        bsz@...ihalf.com
Subject: Re: [PATCH V7 0/4] Add support for crypto agile logs

On Mon, May 20, 2019 at 1:56 PM Matthew Garrett
<matthewgarrett@...gle.com> wrote:
>
> Identical to previous version except without the KSAN workaround - Ard
> has a better solution for that.

I just tested this on x86_64 with the systemd-boot (previously gummiboot)
bootloader. For context, this bootloader is essentially just an EFI
chainloader. This bootloader measures the kernel cmdline into PCR 8.
However, it calls GetEventLog before calling HashLogExtendEvent, intending
to have the log entry written to the "EFI TCG 2.0 final events table". See:
    https://github.com/systemd/systemd/blob/75e40119a471454516ad0acc96f6f4094e7fb652/src/boot/efi/measure.c#L212-L227

With the current patchset, this log entry appears _twice_ in the sysfs file.
This is caused by the fact that the sysfs event log unconditionally appends
the entire final event log to the output of GetEventLog. However, the correct
behavior would be to append only the _new_ entries that appear in the final
event log to the output of GetEventLog.

This could be done by first calculating the length of the final events log
table, then recalculating the length of the final events log after the
kernel calls ExitBootServices. This would let us know for sure that we are
only appending new log entries.

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4849 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ