On Wed, May 12, 2021 at 01:18:48PM -0500, Joseph Reynolds wrote:
> On 5/11/21 8:59 PM, Joseph Reynolds wrote:
>
> [ Copying some stuff from the Google Doc. ]
>
> Security impacts:
> - Can be used to defeat secureboot.
> - Can this function be disabled?  Via kernel config.  Default?
> - Can restrict which images kexec can load?
> - Recommend?  Validate the kernel signature before kexec'ing it.  But that doesn't stop an attacker who uses wget to get a malicious image which they pass to kexec.
> - Why would an attacker want to use kexec?  Opportunity to modify BMC code, load device drivers, create trojan horse(?) or back doors.
> - How can we force kexec to perform the same signature validation as uboot?  (each part and the whole: kernel, device tree, file system, ...)

Some of this is a concern only because the arm32 support for kexec is far behind the other architectures.  Can someone investigate what, if anything, is going on upstream to get arm caught up?

On most other architectures there is a new set of system calls, enabled by KEXEC_FILE, which moves some of the handling done by the kexec executable into the kernel and has signature verification done there.  arm32 is one of the few architectures that do not currently support this KConfig.

See:
- https://man7.org/linux/man-pages/man8/kexec.8.html (kexec-syscall-auto).
- http://people.redhat.com/vgoyal/papers-presentations/linux-plumbers-2013/vivek-linux-plumbers-conference-2013-presentation-kexec-secureboot.pdf

-- 
Patrick Williams
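Added example, not code from the thread or from OpenBMC: a shell check that turns the "can this be disabled via kernel config?" question above into something auditable. It reads a kernel build config plus the kernel.kexec_load_disabled sysctl value and reports whether an unsigned image can still be loaded through either kexec syscall. It assumes current mainline option names (CONFIG_KEXEC for the legacy kexec_load() path, CONFIG_KEXEC_FILE, CONFIG_KEXEC_SIG, CONFIG_KEXEC_SIG_FORCE), which the thread does not spell out; older trees call the signature option CONFIG_KEXEC_VERIFY_SIG.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a kernel's kexec posture
# from its build config plus the kernel.kexec_load_disabled sysctl value.
# Assumes current mainline option names (CONFIG_KEXEC, CONFIG_KEXEC_FILE,
# CONFIG_KEXEC_SIG, CONFIG_KEXEC_SIG_FORCE); older trees spell the signature
# option CONFIG_KEXEC_VERIFY_SIG.

# kexec_opt NAME FILE -> prints y, m, n, or unset
kexec_opt() {
    case "$(grep -E "^(# )?$1( |=)" "$2" | head -n1)" in
        "$1=y")             echo y ;;
        "$1=m")             echo m ;;
        "# $1 is not set")  echo n ;;
        *)                  echo unset ;;
    esac
}

# kexec_posture FILE LOAD_DISABLED -> one of:
#   disabled           neither kexec syscall is built in
#   unverified         an unsigned image can be loaded (legacy kexec_load()
#                      reachable, or no in-kernel signature check at all)
#   verified-optional  kexec_file_load() checks signatures but allows unsigned
#   verified-forced    only a correctly signed image can be loaded
kexec_posture() {
    cfg="$1"; load_disabled="${2:-0}"
    kexec=$(kexec_opt CONFIG_KEXEC "$cfg")
    kfile=$(kexec_opt CONFIG_KEXEC_FILE "$cfg")
    sig=$(kexec_opt CONFIG_KEXEC_SIG "$cfg")
    force=$(kexec_opt CONFIG_KEXEC_SIG_FORCE "$cfg")
    if [ "$kexec" != y ] && [ "$kfile" != y ]; then echo disabled; return; fi
    # kexec_file_load() is the only path with in-kernel verification; arm32
    # (at the time of this thread) lacks it, so such a kernel is unverified.
    if [ "$kfile" != y ] || [ "$sig" != y ]; then echo unverified; return; fi
    # Legacy kexec_load() carries no signature; it must be compiled out or
    # shut off at runtime (sysctl kernel.kexec_load_disabled=1).
    if [ "$kexec" = y ] && [ "$load_disabled" != 1 ]; then echo unverified; return; fi
    if [ "$force" = y ]; then echo verified-forced; else echo verified-optional; fi
}

# Constructed sample configs standing in for `zcat /proc/config.gz` output.
SAMPLES=$(mktemp -d)
printf 'CONFIG_KEXEC=y\n# CONFIG_KEXEC_FILE is not set\n' > "$SAMPLES/arm32"
printf '# CONFIG_KEXEC is not set\nCONFIG_KEXEC_FILE=y\nCONFIG_KEXEC_SIG=y\nCONFIG_KEXEC_SIG_FORCE=y\n' > "$SAMPLES/x86_forced"
printf 'CONFIG_KEXEC=y\nCONFIG_KEXEC_FILE=y\nCONFIG_KEXEC_SIG=y\n# CONFIG_KEXEC_SIG_FORCE is not set\n' > "$SAMPLES/x86_both"
kexec_posture "$SAMPLES/arm32" 0        # unverified
kexec_posture "$SAMPLES/x86_forced" 0   # verified-forced
kexec_posture "$SAMPLES/x86_both" 1     # verified-optional
```

On a live system, feed it `zcat /proc/config.gz` (or /boot/config-$(uname -r)) and `cat /proc/sys/kernel/kexec_load_disabled`; the arm32 sample shows why the thread's concern holds even when signature checking is compiled in elsewhere.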