> What is the motivation to do all the work to not have the boot image name in 
> the measurement?
Without the boot image name in the measurement, Launch Control Policy 
users don't need to figure out by themselves whether the cmdline includes the 
boot image name, and what it is (for different boot loaders); only the arguments 
are measured. And if only the boot image name changed (content is the same as 
before), the LCP does not need to be updated.

If we include the image name in the cmdline measurement, then when tboot users 
measure the cmdline, they should know that the grub2 cmdline does not pass the 
boot image name to tboot, but other boot loaders do so.
That will confuse the end user and add extra effort, and it does not look like 
a very good design for user experience.
So for tboot in general, the requirement for this is that no boot image name is 
required in cmdline measurement and no vulnerability there.
There should be various ways to implement it, we just figure out a better way...

Thanks,
-ning


-----Original Message-----
From: Ross Philipson [mailto:ross.philip...@gmail.com] 
Sent: Wednesday, August 12, 2015 9:59 AM
To: Sun, Ning; tboot-devel@lists.sourceforge.net
Cc: Wei, Gang
Subject: Re: [tboot-devel] Follow up on TBOOT Argument Measurement 
Vulnerability for GRUB2 + ELF Kernels

On 08/12/2015 12:50 PM, Sun, Ning wrote:
> Hi Ross,
>
> Thank you for bringing this up, there are some questions for us to understand 
> your usage scenarios:
>
> Are you using tboot right now?
Yes and I am in the process of upgrading to 1.8.3 which is why this came up.

> Do you use Launch Control Policy?
No, we rely on extending PCRs during launch and unsealing when we reach a known 
measurement.

> What is your usage model for tboot with regard to avoiding this vulnerability?
We use the patch that I attached. Our older current version of tboot does not 
have the fix of yours that I referenced.

>
> Our solution could be a trade-off, either accept your patch and modify the 
> user measurement process or do a comparison between 1st and 2nd parameters in 
> current commandline.
I guess what confuses us is why there is any special logic to skip any module 
name when measuring the cmdline that the boot-loader passes in. 
What is the motivation to do all the work to not have the boot image name in 
the measurement?

>
> Thanks,
> -ning
>
> -----Original Message-----
> From: Ross Philipson [mailto:ross.philip...@gmail.com]
> Sent: Friday, August 07, 2015 12:48 PM
> To: tboot-devel@lists.sourceforge.net
> Subject: [tboot-devel] Follow up on TBOOT Argument Measurement Vulnerability 
> for GRUB2 + ELF Kernels
>
> This is in regards to this vulnerability and the state of current fix for it. 
> The vuln was reported by James Blake and this is the current fix for it as 
> far as I can tell:
>
> http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=0efdaf7c5348
>
> In a posted message, it was pointed out that this fix is insufficient and we 
> believe that to be true too:
>
> http://sourceforge.net/p/tboot/mailman/message/32760688/
>
> It is not clear to me why the first item on the command line has to be 
> skipped when it happens to be the image file name. The command line is what 
> the boot-loader passed whether it includes a file name up front or not. It 
> seems a much simpler and cleaner approach would be like the one from James 
> Blake that I attached.
>
> Thanks
>
> --
> Ross Philipson
>


-- 
Ross Philipson
