lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 18 Apr 2023 10:43:17 -0500
From:   Jorge Lopez <jorgealtxwork@...il.com>
To:     Thomas Weißschuh <thomas@...ch.de>
Cc:     hdegoede@...hat.com, platform-driver-x86@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v9] HP BIOSCFG driver - Documentation

Hi Thomas,

On Fri, Apr 14, 2023 at 3:36 PM Thomas Weißschuh <thomas@...ch.de> wrote:
>
> On 2023-04-14 15:00:02-0500, Jorge Lopez wrote:
> > On Fri, Apr 14, 2023 at 10:27 AM <thomas@...ch.de> wrote:
> > > On 2023-04-12 09:48:21-0500, Jorge Lopez wrote:
> > > > [..]
> > > >
> > > > +What:                /sys/class/firmware-attributes/*/authentication/SPM/statusbin
> > > > +Date:                March 29
> > > > +KernelVersion:       5.18
> > > > +Contact:     "Jorge Lopez" <jorge.lopez2@...com>
> > > > +Description: 'statusbin' is a read-only file that returns 'status' information
> > > > +             in binary format. This file provides a mechanism for components
> > > > +             downstream (e.g. Recovery Agent) can read the status and public
> > > > +             key modulus.
> > >
> > > This is still missing docs about how to interpret the contents of the
> > > "statusbin" file.
> > >
> > > "components downstream" -> userspace.
> > >
> >
> > I will provide the details in Version 10.   Additionally, I am working
> > with the architect to understand the need for 'statusbin' in their
> > upcoming features.

Statusbin is one attribute we can drop but will require changes how
'status' data is reported (JSON format).
>
> If the userspace component is not ready maybe this can be delayed for a
> future patchset?
> The basic features should already be useful with a generic client like
> fwupd.
> Doing it in steps should be faster both in development and wall time.

The interaction with fwupd and support is a goal for future  patches
for hp-bioscfg.  Initially, We want to establish the proper and basic
framework to enable the security and BIOS configuration features by
leveraging firmware-attributes framework.    No testing with fwupd
tool has taken place since hp-bioscfg is not associated with a
specific device
>
> > > I think we can start with the code review.
> > >
> >
> > I will send all files with Version 10.   To aid in the review process,
> > I will keep all ..c in separate reviews.  It is less confusing that
> > way since there is commonality between them
> >
> > > Could you also provide a sample of the attribute files?
> > > I'm especially curious about the different instances of the sure-start
> > > attributes, including current_value, possible_values and the auditlog
> > > properties.
> > >
> >
> > What type of sample are you looking for.?   I can provide you with a
> > tree display of all attributes and some output samples for different
> > attribute types.
>
> That sounds great.

Attached is a copy of three files for your review.
tree-view.log              -- tree view of all
attributes/authentication files reported by hp-bioscfg
authentication.log      -- List of all authentication attributes and
corresponding file output.  The data includes SPM (statusbin, status)
attributes-sample.log --  Reduced list of attributes including a
sample output for each attribute type. (string, enumeration,
ordered-list, integer, Sure_Start, pending_reboot)   Sure_Start
includes the output captured for audit_log_entries and
audit_log_entry_count.

In addition, I captured the hex output for  statusbin and
audit_log_entries if you are interested to go over them.
Binary-dump-statusbin-auditlog.log

>
> > I will include sure-start  attributes, including current_value,
> > possible_values and the audit log properties.  Please let me know if
> > there is anything else you want to see.
>
> I want to get a feeling for the exposed bios settings and how the
> sure-start stuff works.
>
> > > Also is the userspace component for this published somewhere?
> > > If so it would be useful to refer to it from the commit message.
> >
> > Linux components are under development and not published yet.  The
> > only linux component at this time is the driver (hp bioscfg).
> > The only published components are under Windows ONLY.
>
> Maybe mention this in the commit message.

The text will be added as part of the commit message.

>
> Also it would be useful to test the new driver with fwupd which is the
> existing userspace user of this ABI.
> Just to make sure that nothing is obviously broken there.
> (And mention this in the commit message)
>
> Thomas

Download attachment "Binary-dump-statusbin-auditlog.log" of type "application/octet-stream" (34264 bytes)

Download attachment "attributes-examples.log" of type "application/octet-stream" (9244 bytes)

Download attachment "tree-view.log" of type "application/octet-stream" (108061 bytes)

Download attachment "authentication.log" of type "application/octet-stream" (4848 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ