Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 20 Mar 2013, Mimi Zohar wrote: > On Tue, 2013-03-19 at 15:47 +1100, James Morris wrote: > > On Mon, 18 Mar 2013, Matthew Garrett wrote: > > > > > This patch introduces CAP_COMPROMISE_KERNEL. > > > > I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and > > less emoti

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 17:11 -0400, Mimi Zohar wrote: > On Wed, 2013-03-20 at 20:37 +, Matthew Garrett wrote: > > Right, that'd be the rough idea. Any further runtime policy updates > > would presumably need to be signed with a trusted key. > > I'm really sorry to belabor this point, but can ke

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 20:37 +, Matthew Garrett wrote: > On Wed, 2013-03-20 at 15:16 -0400, Mimi Zohar wrote: > > On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote: > > > Well, in the absence of hardcoded in-kernel policy, there needs to be > > > some mechanism for ensuring the integrity

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 15:16 -0400, Mimi Zohar wrote: > On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote: > > Well, in the absence of hardcoded in-kernel policy, there needs to be > > some mechanism for ensuring the integrity of a policy. Shipping a signed > > policy initramfs fragment and h

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote: > On Wed, 2013-03-20 at 14:01 -0400, Mimi Zohar wrote: > > > Sorry, I'm not sure to which work you're referring. If you're referring > > to Dmitry's "initramfs with digital signature protection" patches, then > > we're speaking about enforc

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 14:01 -0400, Mimi Zohar wrote: > Sorry, I'm not sure to which work you're referring. If you're referring > to Dmitry's "initramfs with digital signature protection" patches, then > we're speaking about enforcing integrity, not MAC security. Well, in the absence of hardcode

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 16:49 +, Matthew Garrett wrote: > On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote: > > > Matthrew, perhaps you could clarify whether this will be tied to MAC > > security. Based on the kexec thread, I'm under the impression that is > > not the intention, or at least

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote: > Matthrew, perhaps you could clarify whether this will be tied to MAC > security. Based on the kexec thread, I'm under the impression that is > not the intention, or at least not for kexec. As root isn't trusted, > neither is the boot command

Re: efivarfs: Bad directory entry when variable has / in name

On 2013-03-20 04:41, Matt Fleming wrote: On 03/19/2013 08:36 PM, s...@shealevy.com wrote: Hello, When there is an EFI variable with a forward slash in its name, /sys/firmware/efi/efivars contains a directory entry with a forward slash, which of course causes all sorts of problems (e.g. EINVAL

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On 03/20/2013 08:14 AM, Matthew Garrett wrote: > On Wed, 2013-03-20 at 08:03 -0700, H. Peter Anvin wrote: >> CAP_SYS_RAWIO is definitely inappropriate there. > > Ok. How do we fix that without breaking userspace that expects > CAP_SYS_RAWIO to be sufficient? > I don't think we can to some way, b

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Tue, 2013-03-19 at 15:47 +1100, James Morris wrote: > On Mon, 18 Mar 2013, Matthew Garrett wrote: > > > This patch introduces CAP_COMPROMISE_KERNEL. > > I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and > less emotive. Otherwise I think core kernel developers will be

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Wed, 2013-03-20 at 08:03 -0700, H. Peter Anvin wrote: > CAP_SYS_RAWIO is definitely inappropriate there. Ok. How do we fix that without breaking userspace that expects CAP_SYS_RAWIO to be sufficient? -- Matthew Garrett | mj...@srcf.ucam.org N�r��yb�X��ǧv�^�)޺{.n�+{�y^n�r���z�

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

CAP_SYS_RAWIO is definitely inappropriate there. Matthew Garrett wrote: >On Tue, 2013-03-19 at 18:02 -0700, H. Peter Anvin wrote: > >> Looking at it in detail, EVERYTHING in CAP_SYS_RAWIO has the >possibility >> of compromising the kernel, because they let device drivers be >bypassed, >> which m

Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL

On Tue, 2013-03-19 at 18:02 -0700, H. Peter Anvin wrote: > Looking at it in detail, EVERYTHING in CAP_SYS_RAWIO has the possibility > of compromising the kernel, because they let device drivers be bypassed, > which means arbitrary DMA, which means you have everything. Having checked again, I don'

Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services

On Wed, Mar 20, 2013 at 08:00:03AM +, James Bottomley wrote: > I agree with this. But I do think the volatile secret key scheme, where > you discard the key immediately after use is the more secure one because > it relies on fewer secrets (and, indeed, no secrets at all after the > event). I

Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services

On 03/18/2013 08:40 AM, James Bottomley wrote: > From: James Bottomley > > The object here is to make the NV+BS variables accessible (at least read only) > at runtime so we can get a full picture of the state of the EFI variables for > debugging and secure boot purposes. This should definitely b

Re: EFI: Stash ROMs if they're not in the PCI BAR

On Mon, 2013-03-18 at 16:02 +, Matthew Garrett wrote: > On Mon, 2013-03-18 at 11:36 +, Matt Fleming wrote: > > On Fri, 2013-03-15 at 08:57 +, David Woodhouse wrote: > > > True. It probably doesn't *matter* because the size is zero so the > > > firmware is just going to ignore the pointe

Re: EFI: Stash ROMs if they're not in the PCI BAR

On Wed, Mar 20, 2013 at 08:44:35AM +, Matt Fleming wrote: > On 03/18/2013 04:02 PM, Matthew Garrett wrote: > > On Mon, 2013-03-18 at 11:36 +, Matt Fleming wrote: > >> On Fri, 2013-03-15 at 08:57 +, David Woodhouse wrote: > >>> True. It probably doesn't *matter* because the size is zero

Re: EFI: Stash ROMs if they're not in the PCI BAR

On 03/18/2013 04:02 PM, Matthew Garrett wrote: > On Mon, 2013-03-18 at 11:36 +, Matt Fleming wrote: >> On Fri, 2013-03-15 at 08:57 +, David Woodhouse wrote: >>> True. It probably doesn't *matter* because the size is zero so the >>> firmware is just going to ignore the pointer anyway. Althou

Re: efivarfs: Bad directory entry when variable has / in name

On 03/19/2013 08:36 PM, s...@shealevy.com wrote: > Hello, > > When there is an EFI variable with a forward slash in its name, > /sys/firmware/efi/efivars contains a directory entry with a forward > slash, which of course causes all sorts of problems (e.g. EINVAL from > stat(2)). Off the top of

Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services

On Tue, 2013-03-19 at 23:17 +, Matthew Garrett wrote: > On Tue, Mar 19, 2013 at 11:00:31PM +, James Bottomley wrote: > > On Tue, 2013-03-19 at 18:50 +, Matthew Garrett wrote: > > > Well, that somewhat complicates implementation - we'd be encrypting the > > > entire contents of memory e