Andrew Donnellan <ajd@xxxxxxxxxxxxx> writes:
> On Tue, 2023-01-24 at 14:36 +1000, Nicholas Piggin wrote:
>>
>> > + prop = of_find_property(of_chosen, "ibm,plpks-pw", &len);
>> > + if (prop) {
>> > + ospasswordlength = (u16)len;
>> > + ospassword = kzalloc(ospasswordlength, GFP_KERNEL);
>> > + if (!ospassword) {
>> > + of_remove_property(of_chosen, prop);
>> > + return -ENOMEM;
>> > + }
>> > + memcpy(ospassword, prop->value, len);
>> > + return of_remove_property(of_chosen, prop);
>>
>> Why do you remove the property afterward?
>
> Because otherwise the password will be sitting around in /proc/device-
> tree for the world to go and read.
The above removes it from the unflattened tree, but it will still exist
in the flattened tree, which is readable by root in /sys/firmware/fdt.
I'm not sure if that's a major security problem, but it does seem risky.
To scrub it from the flat tree you'd need to have an early_init_dt style
routine that finds the password early, saves the value somewhere for the
plpks driver, and then zeroes out the value in the flat tree. See the
example of rng-seed in early_init_dt_scan_chosen().
cheers
