lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 23 Jul 2019 10:35:22 -0400
From:   Nayna <nayna@...ux.vnet.ibm.com>
To:     Michael Ellerman <mpe@...erman.id.au>, linuxppc-dev@...abs.org,
        linux-efi@...r.kernel.org, "Oliver O'Halloran" <oohall@...il.com>
Cc:     Nayna Jain <nayna@...ux.ibm.com>, linux-kernel@...r.kernel.org,
        linux-integrity@...r.kernel.org, Paul Mackerras <paulus@...ba.org>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Jeremy Kerr <jk@...abs.org>,
        Matthew Garret <matthew.garret@...ula.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Claudio Carvalho <cclaudio@...ux.ibm.com>,
        George Wilson <gcwilson@...ux.ibm.com>,
        Elaine Palmer <erpalmer@...ibm.com>,
        Eric Ricther <erichte@...ux.ibm.com>
Subject: Re: [PATCH 2/2] powerpc: expose secure variables via sysfs



On 07/05/2019 02:05 AM, Michael Ellerman wrote:
> Hi Nayna,

Hi Michael, Oliver,


>
> Nayna Jain <nayna@...ux.ibm.com> writes:
>> As part of PowerNV secure boot support, OS verification keys are stored
>> and controlled by OPAL as secure variables. These need to be exposed to
>> the userspace so that sysadmins can perform key management tasks.
>>
>> This patch adds the support to expose secure variables via a sysfs
>> interface It reuses the the existing efi defined hooks and backend in
>> order to maintain the compatibility with the userspace tools.
> Which tools? Can you include a log demonstrating how they're used, ie.
> so that I can test the sequence of commands.
>
>> Though it reuses a great deal of efi, POWER platforms do not use EFI.
>> A new config, POWER_SECVAR_SYSFS, is defined to enable this new sysfs
>> interface.
> Sorry I haven't been able to keep up with all the discussions, but I
> thought the consensus was that pretending to be EFI-like was a bad idea,
> because we don't have actual EFI and we're not implementing an entirely
> compatible scheme to EFI anyway.
>
> Greg suggested just putting the variables in sysfs, why does that not
> work? Matthew mentioned "complex semantics around variable deletion and
> immutability" but do we have to emulate those semantics on powerpc?

Sorry for the delay in the response.

Yes, I agree. The purpose of the v2 version of the patchset was to try 
and quickly address Matthew's concerns. This version of the patchset:
* is not using any EFI configs
* is not exposing secure variables via efivarfs
* is based on Greg's suggestion to use sysfs
* is STILL using some of the existing EFI code, that is used by EFI to 
expose its variables via sysfs, to avoid code duplication.
* is using efivar hooks to expose secure variables for tool compatibility

Assuming we all are in agreement, the next version of this patchset will 
further improve upon these changes. It will refactor some of the sysfs 
code from drivers/firmware/efi that is common to both EFI and POWER.  
Since we do not have to emulate the complex semantics of efi on powerpc, 
the sysfs interface should work for us.

As per the tool, it will be efivar. I will provide the log demonstrating 
how it is used with the next version.

Is there something I missed in my understanding ?

Thanks & Regards,
      - Nayna

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ