Date:   Mon, 21 Jun 2021 08:29:44 -0700
From:   "David F." <df7729@...il.com>
To:     "Enrico Weigelt, metux IT consult" <lkml@...ux.net>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: LockDown that allows read of /dev/mem ?

Lockdown is required by secure boot and shim signing (prevents ACPI
patching), root because its main use is a utility boot disk. If
lockdown could be forced when secure boot is active but not when not
active, that would be best, but I'm not seeing that option. The other
option may be to modify open_port in mem.c to do the secure boot check.
However, searching for EFI_SECURE_BOOT shows it doesn't exist in 5.10.x, as in
efi_enabled(EFI_SECURE_BOOT) - it appears that is some other patch
that is not applied to the base. I do see struct boot_params has a
secure_boot field set, but can I access that from mem.c? If not, is
the efi_get_secureboot() function available when /drivers/char/mem.c may
be used?

On Mon, Jun 21, 2021 at 3:27 AM Enrico Weigelt, metux IT consult
<lkml@...ux.net> wrote:
>
> On 20.06.21 01:55, David F. wrote:
>
> > I'm finding that LockDown Integrity blocks things like mdadm,
> > Xvesa, and a couple of my specialized tools. There should be an
> > option to allow /dev/mem read access. Is there? There are no secrets
> > in the boot disk booted environment; it's all root.
>
> Looks like a conflict of goals. lockdown is used in scenarios where one
> really doesn't take any chance that code running w/ root privileges can
> do such things (there's a lot of security critical information one can
> learn from reading the raw memory).
>
> I wonder what your actual use case is.
>
> * why are you using lockdown and also running everything as root?
> * why are you still using the old Xvesa instead of using KMS or the
>   framebuffer device?
> * why does mdadm want to access /dev/mem?
>
>
>
> --mtx
>
> --
> ---
> Note: unencrypted e-mails can easily be intercepted and manipulated!
> For confidential communication, please send me your
> GPG/PGP key.
> ---
> Enrico Weigelt, metux IT consult
> Free software and Linux embedded engineering
> info@...ux.net -- +49-151-27565287
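An added shell check, not from this thread and not kernel code, for seeing which lockdown mode a running kernel enforces and whether the firmware reports Secure Boot, the two states the message above wants to tie together. It reads the securityfs lockdown file and the efivarfs SecureBoot variable at their standard paths (assumed present on an EFI system with securityfs mounted); the helper functions take their input as arguments so they can be exercised with constructed data on a machine without those files.

```shell
#!/bin/sh
# Added example: report kernel lockdown mode and UEFI Secure Boot state
# so an operator can confirm which case applies before touching /dev/mem.
# Paths assumed from the standard securityfs / efivarfs layout.
LOCKDOWN_FILE="/sys/kernel/security/lockdown"
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# The lockdown file reads like "none integrity [confidentiality]";
# the bracketed word is the active mode.
lockdown_mode() {
    # $1: contents of the lockdown file
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# efivarfs entries are 4 bytes of attributes followed by the variable data;
# SecureBoot's data is a single byte, 1 when Secure Boot is enforcing.
secureboot_state() {
    # $1: path to the efivar file
    if [ ! -r "$1" ]; then
        echo "unknown"
        return
    fi
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Raw /dev/mem access is refused by the lockdown LSM in both the
# "integrity" and "confidentiality" modes; only "none" allows it.
devmem_blocked() {
    # $1: lockdown mode word
    case "$1" in
        integrity|confidentiality) echo "yes" ;;
        *) echo "no" ;;
    esac
}

main() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        mode=$(lockdown_mode "$(cat "$LOCKDOWN_FILE")")
    else
        mode="none"  # no lockdown file: lockdown LSM not built or securityfs not mounted
    fi
    sb=$(secureboot_state "$SB_VAR")
    echo "lockdown mode : $mode"
    echo "secure boot   : $sb"
    echo "/dev/mem raw access blocked by lockdown: $(devmem_blocked "$mode")"
}
main "$@"
```

Run it as root on the boot disk environment; a kernel booted with Secure Boot will normally show "secure boot : enabled" together with "integrity" (or stronger) lockdown, which is exactly the combination that makes the mdadm and Xvesa /dev/mem opens fail.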
