Re: Kernel drivers and IOCTLs

Hi Valdis,

On 1/23/2020 10:49 AM, Valdis Klētnieks wrote:
> On Tue, 21 Jan 2020 22:27:01 -0600, WyoFlippa said:
>
>> I'm working on a driver that would verify a Linux or U-Boot image is
>> secure and I need to pass parameters such as the public key, starting
>> address, etc.
>
> This is actually a lot harder to do properly than it looks, especially if
> you're trying to export the information to userspace - a compromised kernel can
> simply hijack your ioctl or /proc or /sys file and output that it's not
> compromised. You can't even easily use public/private keys to sign the
> statement it's not compromised, because if the legit kernel has access to the
> public key, the compromised code probably does too.....
>
> And if you're defending against sufficiently well-financed attackers, it may
> even be difficult for a driver to verify the rest of the kernel isn't
> compromised. As a fairly obvious attack, consider a kernel with 2 sets of page
> table mappings. First, a set that contains the original kernel code and is
> mapped in when your driver is executing, and then the *real* set that maps in
> other physical pages containing the skullduggery code, which gets mapped in
> when there's something evil being done....
>
> So what *actual* problem are you trying to solve by using a driver to verify
> the image is "secure" (which needs further definition, but you probably already
> knew that if your skill level is up to doing this right...)?  In particular, what are
> you trying to do that various secure boot schemes don't address?

Thank you for the response and sorry for the delay in replying.

I'm actually happy with the existing boot schemes. In this case, the driver is going to validate a signed image (U-Boot or Linux) before it is programmed into the flash memory. Although the image is validated when booting, it is one additional check to avoid surprises.

Since Linux is validated, the driver should be trusted but you make a good point about the application accessing the driver in userspace. In addition to that problem, I'm wrestling with the method of getting the image to the driver. It looks like reading a file from the kernel is frowned upon except in the firmware case which is special. So I'll need to think about that some more.
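An added example, not code from this thread or either poster: one way to hand the image and the verification parameters to the driver through an ioctl, with userspace reading the file and the driver only receiving a fixed-layout request. The struct, the FV_* names and the size limits are assumptions; the check function is what the ioctl handler would run before any copy_from_user().

```c
/* Added example: fixed-layout ioctl request for passing a signed image
 * plus key/address parameters to a verifying driver. All names and
 * limits are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <sys/ioctl.h>

#define FV_MAX_IMAGE (64u * 1024 * 1024) /* assumed flash size bound */
#define FV_MAX_KEY   1024                /* assumed max public key size */
#define FV_MAGIC     'F'

/* Fixed-width fields so 32-bit and 64-bit userspace share one layout.
 * Image and key are passed as user pointer + length; the driver copies
 * them in with copy_from_user() only after fv_check_request() passes. */
struct fv_request {
    uint64_t image_ptr;  /* userspace address of the image bytes */
    uint64_t image_len;
    uint64_t load_addr;  /* starting address the image is signed for */
    uint64_t key_ptr;    /* userspace address of the public key */
    uint32_t key_len;
    uint32_t flags;      /* must be zero; reserved */
};

#define FV_IOC_VERIFY _IOW(FV_MAGIC, 1, struct fv_request)

/* Driver-side sanity checks. Returns 0 if sane, else -EINVAL. */
int fv_check_request(const struct fv_request *r)
{
    if (r->image_len == 0 || r->image_len > FV_MAX_IMAGE)
        return -EINVAL;
    if (r->key_len == 0 || r->key_len > FV_MAX_KEY)
        return -EINVAL;
    if (r->flags != 0) /* reject unknown flag bits */
        return -EINVAL;
    if (r->image_ptr == 0 || r->key_ptr == 0)
        return -EINVAL;
    /* pointer + length must not wrap around the address space */
    if (r->image_ptr + r->image_len < r->image_ptr)
        return -EINVAL;
    if (r->key_ptr + (uint64_t)r->key_len < r->key_ptr)
        return -EINVAL;
    return 0;
}

/* Userspace side: fill the request from buffers already read from disk.
 * The caller then issues ioctl(fd, FV_IOC_VERIFY, &req). */
void fv_build_request(struct fv_request *r, const void *image, uint64_t image_len,
                      uint64_t load_addr, const void *key, uint32_t key_len)
{
    memset(r, 0, sizeof(*r));
    r->image_ptr = (uint64_t)(uintptr_t)image;
    r->image_len = image_len;
    r->load_addr = load_addr;
    r->key_ptr = (uint64_t)(uintptr_t)key;
    r->key_len = key_len;
}
```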

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies