Re: [PATCH V3 08/11] kexec: Disable at runtime if the kernel enforces module loading restrictions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Sep 8, 2013 at 12:24 AM, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> On Sun, Sep 08, 2013 at 06:44:08AM +0000, Matthew Garrett wrote:
>> On Sat, 2013-09-07 at 23:40 -0700, Greg KH wrote:
>> > If you apply this, you break everyone who is currently relying on kexec
>> > (i.e. kdump, bootloaders, etc.), from using signed kernel modules, which
>> > personally, seems like a very bad idea.
>>
>> Enforcing signed modules provides you with no additional security if you
>> have kexec enabled. It's better to make that obvious.
>
> Then document the heck out of it, don't disable a valid use case just
> because it possibly could be used in some way that is different from the
> original system.
>
> If you take this to an extreme, kexec shouldn't be here at all, as it
> can do anything in the kernel wherever it wants to.
>
> kexec has nothing to do with signed modules, don't tie them together.

It's not accurate to say it has "nothing to do" with signed modules.
The purpose of signed modules is to ensure the integrity of the
running system against the root user.

It was, however, incomplete. Terrible analogy follows: signed modules
was locking the front door, but we have all sorts of windows still
open. This closes those windows. You're trying to say that shutting
windows has nothing to do with lumber locks. While technically true,
this is about the intent of the barriers.

Anyone currently using signed modules (with sig_enforce) AND kexec is
deluding themselves about what the state of their system's ring-0
security stance is. Those people should be running without
sig_enforce, and if they want both sig_enforce and kexec, then I would
expect a follow-up patch from them to provide signed kexec support.

-Kees

-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux