On Tue, 21 Jan 2020 22:27:01 -0600, WyoFlippa said:

> I'm working on a driver that would verify a Linux or U-Boot image is
> secure and I need to pass parameters such as the public key, starting
> address, etc.

This is actually a lot harder to do properly than it looks, especially if you're trying to export the information to userspace - a compromised kernel can simply hijack your ioctl or /proc or /sys file and output that it's not compromised. You can't even easily use public/private keys to sign the statement it's not compromised, because if the legit kernel has access to the public key, the compromised code probably does too.....

And if you're defending against sufficiently well-financed attackers, it may even be difficult for a driver to verify the rest of the kernel isn't compromised. As a fairly obvious attack, consider a kernel with 2 sets of page table mappings. First, a set that contains the original kernel code and is mapped in when your driver is executing, and then the *real* set that maps in other physical pages containing the skullduggery code, which gets mapped in when there's something evil being done....

So what *actual* problem are you trying to solve by using a driver to verify the image is "secure" (which needs further definition, but you probably already knew that if your skill level is up to doing this right...)? In particular, what are you trying to do that various secure boot schemes don't address?
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies