lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CABgObfYRFsL__HCEb+AyzR2xfS_XAJHqnqtMef7bhuPWJOW6Cw@mail.gmail.com>
Date:   Wed, 19 Jul 2023 17:11:07 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Luca Boccassi <bluca@...ian.org>
Cc:     Daniel P. Berrangé <berrange@...hat.com>,
        Ard Biesheuvel <ardb@...nel.org>,
        Emanuele Giuseppe Esposito <eesposit@...hat.com>,
        x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
        lennart@...ttering.net, Ingo Molnar <mingo@...hat.com>,
        Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

On Wed, Jul 19, 2023 at 3:34 PM Luca Boccassi <bluca@...ian.org> wrote:
> > Right, but that also requires a central authority that makes up these
> > revocation indices. This is unlikely to happen for Linux. :)
>
> It will happen, the only question is how painful it is going to be to
> maintain it. The revocation payload is unique and global, and it could
> not be otherwise. Just like DBX is published centrally, and just like
> Shim signing is done centrally.

If you are intending to go with the generation number, that
essentially means tracking vulnerabilities and that's a business that
Linux developers don't want to be in. And in fact, neither DBX nor
shim signing is managed by (upstream) open source projects. That
raises many other questions:

- What is the right place for that generation number authority and for
the registry of vulnerable kernel versions? Is it shim/mokutil, and if
so are the developers on board with doing that? How are SBAT updates
currently distributed?

- Distros will have to be the ones setting the SBAT policy. If the
central authority will use the "exploit in active use" policy (which
IMNSHO is nothing but security theater), are all distros that consume
ukify fine with that or do they want to actually start tracking kernel
vulnerabilities?

- Sorry for beating on the "Linux is different" dead horse, but what
happens if people for whatever reason don't want to run the latest
kernel? If a stable kernel update breaks hotplugging of external
displays and fixes a code execution vulnerability in a weird device
driver, do I have to fiddle with mokutil in order to keep my external
display working? Or replace "breaks hotplugging of external displays"
with "breaks the NVIDIA driver".

In any case, I think there's agreement that it's not a Linux developer
problem, so the discussion can continue elsewhere.

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ