lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220209183545.GA14552@srcf.ucam.org>
Date:   Wed, 9 Feb 2022 18:35:45 +0000
From:   Matthew Garrett <mjg59@...f.ucam.org>
To:     Aditya Garg <gargaditya08@...e.com>
Cc:     Ard Biesheuvel <ardb@...nel.org>, Jeremy Kerr <jk@...abs.org>,
        "joeyli.kernel@...il.com" <joeyli.kernel@...il.com>,
        "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "eric.snowberg@...cle.com" <eric.snowberg@...cle.com>,
        "dhowells@...hat.com" <dhowells@...hat.com>,
        "jlee@...e.com" <jlee@...e.com>,
        "James.Bottomley@...senpartnership.com" 
        <James.Bottomley@...senPartnership.com>,
        "jarkko@...nel.org" <jarkko@...nel.org>,
        "mic@...ikod.net" <mic@...ikod.net>,
        "dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        Orlando Chamberlain <redecorating@...tonmail.com>,
        Aun-Ali Zaidi <admin@...eit.net>
Subject: Re: [PATCH] efi: Do not import certificates from UEFI Secure Boot
 for T2 Macs

On Wed, Feb 09, 2022 at 06:02:34PM +0000, Aditya Garg wrote:
> 
> 
> > On 09-Feb-2022, at 10:19 PM, Matthew Garrett <mjg59@...f.ucam.org> wrote:
> > 
> > On Wed, Feb 09, 2022 at 02:27:51PM +0000, Aditya Garg wrote:
> >> From: Aditya Garg <gargaditya08@...e.com>
> >> 
> >> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
> >> macOS and Windows are allowed to boot on these machines. Thus we need to
> >> disable secure boot for Linux. If we boot into Linux after disabling
> >> secure boot, if CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
> >> fail to start, with the following logs in dmesg
> > 
> > Which specific variable request is triggering the failure? Do any 
> > runtime variable accesses work on these machines?
> Commit f5390cd0b43c2e54c7cf5506c7da4a37c5cef746 in Linus’ tree was also added to force EFI v1.1 on these machines, since v2.4, reported by them was causing kernel panics.
> 
> So, EFI 1.1 without import certificates seems to work and have been able to modify the variables, thus the remaining EFI variable accesses seem to work.

The LOAD_UEFI_KEYS code isn't doing anything special here - it's just 
trying to read some variables. If we simply disable that then the 
expectation would be that reading the same variables from userland would 
trigger the same failure. So the question is which of the variables that 
LOAD_UEFI_KEYS accesses is triggering the failure, and what's special 
about that? If it's a specific variable GUID or name that's failing, we 
should block that on Apple hardware in order to avoid issues caused by 
userland performing equivalent accesses.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ