lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <3ad21332-c58a-46bb-8d3b-8b3d1cd8cb75@amperemail.onmicrosoft.com>
Date: Mon, 15 Jul 2024 14:21:11 -0400
From: Adam Young <admiyo@...eremail.onmicrosoft.com>
To: Dan Williams <dan.j.williams@...el.com>, admiyo@...amperecomputing.com
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 Jeremy Kerr <jk@...econstruct.com.au>,
 Matt Johnston <matt@...econstruct.com.au>,
 "David S . Miller" <davem@...emloft.net>, Eric Dumazet
 <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Sudeep Holla <sudeep.holla@....com>,
 Jonathan Cameron <Jonathan.Cameron@...wei.com>,
 Huisong Li <lihuisong@...wei.com>
Subject: Re: [PATCH v4 0/3] MCTP over PCC

Apologies for not addressing these concerns before updating.  If there 
is a V6 (am sure there will be) I will update the cover.

MCTP is a general purpose  protocol so  it would  be impossible to 
enumerate all the use cases, but some of the ones that are most topical 
are attestation and RAS support.  There are a handful of protocols built 
on top of MCTP, to include PLDM and SPDM, both specified by the DMTF.

https://www.dmtf.org/sites/default/files/standards/documents/DSP0240_1.0.0.pdf
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.0.pd

SPDM entails various usages, including device identity collection, 
device authentication, measurement collection, and device secure session 
establishment.

PLDM is more likely to be used  for hardware support: temperature, 
voltage, or fan sensor control.

At least two companies have devices that can make use of the mechanism. 
One is Ampere Computing, my employer.

The mechanism it uses is called Platform Communication Channels is part 
of the ACPI spec: 
https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html

Since it is a socket interface, the system administrator also has  the 
ability to ignore an MCTP link that they do not want to enable.  This 
link would be exposed to the end user, but would not be usable.

If MCTP support is disabled  in the Kernel, this driver would also be 
disabled.

PCC is based on a shared buffer and a set of I/O mapped memory locations 
that the Spec calls registers.  This mechanism exists regardless of the 
existence of the driver. Thus, if the user has the ability to map these  
physical location to virtual locations, they have the ability to drive 
the hardware.  Thus, there is a security aspect to this mechanism that 
extends beyond the responsibilities of the operating system.

If the hardware does not expose the PCC in the ACPI table, this device 
will never be enabled.  Thus it is only an issue on hard that does 
support PCC.  In that case, it is up to the remote controller to 
sanitize communication; MCTP will be exposed as a socket interface, and 
userland can send any crafted packet it wants.  It would thus also be 
incumbent on the hardware manufacturer to allow the end user to disable 
MCTP over PCC communication if they did not want to expose it.

Does this cover you concerns?


On 7/11/24 12:57, Dan Williams wrote:

> admiyo@ wrote:
>> From: Adam Young<admiyo@...amperecomputing.com>
>>
>> This series adds support for the Management Control Transport Protocol (MCTP)
>> over the Platform Communication Channel (PCC) mechanism.
>>
>> MCTP defines a communication model intended to
>> facilitate communication between Management controllers
>> and other management controllers, and between Management
>> controllers and management devices
>>
>> PCC is a mechanism for communication between components within
>> the  Platform.  It is a composed of shared memory regions,
>> interrupt registers, and status registers.
>>
>> The MCTP over PCC driver makes use of two PCC channels. For
>> sending messages, it uses a Type 3 channel, and for receiving
>> messages it uses the paired Type 4 channel.  The device
>> and corresponding channels are specified via ACPI.
>>
>> The first patch in the series implements a mechanism to allow the driver
>> to indicate whether an ACK should be sent back to the caller
>> after processing the interrupt.  This is an optional feature in
>> the PCC code, but has been made explicitly required in another driver.
>> The implementation here maintains the backwards compatibility of that
>> driver.
>>
>> The second patch in the series is the required change from ACPICA
>> code that will be imported into the Linux kernel when synchronized
>> with the ACPICA repository. It ahs already merged there and will
>> be merged in as is.  It is included here so that the patch series
>> can run and be tested prior to that merge.
> This cover letter looks woefully insufficient.
>
> What is the end user visible effect of merging these patches, or not
> merging these patches?  I.e. what does Linux gain by merging them, what
> pressing end user need goes unsatisfied if these are not merged? What is
> the security model for these commands, i.e. how does a distro judge
> whether this facility allows bypass of Kernel Lockdown protections?
>
> The Kconfig does not help either. All this patch says is "communication
> path exists, plumb it direct to userspace", with no discussion of
> intended use cases, assumptions, or tradeoffs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ