From: Joseph Reynolds <jrey@linux.ibm.com>
To: Patrick Williams <patrick@stwcx.xyz>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Security Working Group - Wednesday May 12 - results
Date: Fri, 14 May 2021 13:26:25 -0500 [thread overview]
Message-ID: <cb761cb4-56d8-35ab-c2b6-097e96833260@linux.ibm.com> (raw)
In-Reply-To: <YJw9I+q6RYpr1UO6@heinlein>
On 5/12/21 3:40 PM, Patrick Williams wrote:
> On Wed, May 12, 2021 at 01:18:48PM -0500, Joseph Reynolds wrote:
>> On 5/11/21 8:59 PM, Joseph Reynolds wrote:
> [ Copying some stuff from the Google Doc. ]
>
>> Security impacts:
>> - Can be used to defeat secureboot.
>> - Can this function be disabled? Via kernel config. Default?
>> - Can restrict which images kexec can load?
>> - Recommend? Validate the kernel signature before kexec’ing it. But that doesn't stop an attacker who uses wget to get a malicious image which they pass to kexec.
>> - Why would an attacker want to use kexec? Opportunity to modify BMC code, load device drivers, create trojan horse(?) or back doors.
>> - How can we force kexec to perform the same signature validation as uboot? (each part and the whole: kernel, device tree, file system, …)
> Some of this is a concern only because the arm32 support for kexec is
> far behind the other architectures. Can someone investigate what, if
> anything, is going on upstream to get arm caught up?
>
> On most other architectures there is a new set of system calls, enabled
> by KEXEC_FILE, which moves some of the handling done by the kexec
> executable into the kernel and has signature verification done there.
> arm32 is one of the few architectures that do not currently support this
> KConfig.
>
> See:
> - https://man7.org/linux/man-pages/man8/kexec.8.html (kexec-syscall-auto).
> - http://people.redhat.com/vgoyal/papers-presentations/linux-plumbers-2013/vivek-linux-plumbers-conference-2013-presentation-kexec-secureboot.pdf
>
Patrick,
Thanks for the info! (I'm learning as I go.) I'll ask my people to
look into this (with no promises).
- Joseph
next prev parent reply other threads:[~2021-05-14 18:27 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 1:59 Security Working Group - Wednesday May 12 Joseph Reynolds
2021-05-12 18:18 ` Security Working Group - Wednesday May 12 - results Joseph Reynolds
2021-05-12 20:40 ` Patrick Williams
2021-05-14 18:26 ` Joseph Reynolds [this message]
2021-05-12 21:35 ` Michael Richardson
2021-05-14 18:50 ` Joseph Reynolds
2021-05-13 0:25 ` Andrew Jeffery
2021-05-14 19:02 ` Joseph Reynolds
2021-05-16 23:15 ` Andrew Jeffery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cb761cb4-56d8-35ab-c2b6-097e96833260@linux.ibm.com \
--to=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
--cc=patrick@stwcx.xyz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.