From: hpa@zytor.com
To: Gary Lin
CC: Ard Biesheuvel, x86@kernel.org, linux-kernel@vger.kernel.org, Thomas Gleixner, Ingo Molnar, Joey Lee
Subject: Re: [RFC v2 PATCH] x86/boot: Add the secdata section to the setup header
Date: Fri, 08 Sep 2017 13:59:00 -0700
Message-ID: <3A9D519A-BD72-4E59-AA69-B85CACD3E37A@zytor.com>
In-Reply-To: <20170908094510.puqif3gvzms6hwrn@GaryWorkstation>
References: <20170512080534.4085-1-glin@suse.com>
 <20170601081136.ruiao3w2wfc3hftg@GaryWorkstation>
 <20170907094451.2h2cbxpfmtga7buf@localhost>
 <2683B4EE-9BC5-4FCB-B880-C1A97163B24E@zytor.com>
 <20170908094510.puqif3gvzms6hwrn@GaryWorkstation>
User-Agent: K-9 Mail for Android

On September 8, 2017 2:45:10 AM PDT, Gary Lin wrote:
>On Thu, Sep 07, 2017 at 02:16:21PM -0700, hpa@zytor.com wrote:
>> On September 7, 2017 2:44:51 AM PDT, Gary Lin wrote:
>> >On Thu, Jun 01, 2017 at 08:46:26AM +0000, Ard Biesheuvel wrote:
>> >> On 1 June 2017 at 08:11, Gary Lin wrote:
>> >> > On Fri, May 12, 2017 at 04:05:34PM +0800, Gary Lin wrote:
>> >> >> A new section, secdata, in the setup header is introduced to store the
>> >> >> distro-specific security version which is designed to help the
>> >> >> bootloader to warn the user when loading a less secure or vulnerable
>> >> >> kernel. The secdata section can be presented as the following:
>> >> >>
>> >> >> struct sec_hdr {
>> >> >>         __u16 header_length;
>> >> >>         __u32 distro_version;
>> >> >>         __u16 security_version;
>> >> >> } __attribute__((packed));
>> >> >> char *signer;
>> >> >>
>> >> >> It consists of a fixed size structure and a null-terminated string.
>> >> >> "header_length" is the size of "struct sec_hdr" and can be used as the
>> >> >> offset to "signer". It also can be a kind of the "header version" to
>> >> >> detect if any new member is introduced.
>> >> >>
>> >> >> The kernel packager of the distribution can put the distro name in
>> >> >> "signer" and the distro version in "distro_version". When a severe
>> >> >> vulnerability is fixed, the packager increases "security_version" in
>> >> >> the kernel build afterward. The bootloader can maintain a list of the
>> >> >> security versions of the current kernels and only allows the kernel with
>> >> >> a higher or equal security version to boot. If the user is going to boot
>> >> >> a kernel with a lower security version, a warning should show to prevent
>> >> >> the user from loading a vulnerable kernel accidentally.
>> >> >>
>> >> >> Enabling UEFI Secure Boot is recommended when using the security version
>> >> >> or the attacker may alter the security version stealthily.
>> >> >>
>> >> > Any comment?
>> >> >
>> >>
>> >> This is now entirely x86-specific. My preference would be to have a
>> >> generic solution instead.
>> >>
>> >After checking the headers again, another idea came to my mind: the MS-DOS
>> >stub. It's designed to show a warning while the image is loaded in DOS(*),
>> >but I wonder if it still matters. In the x86 linux efi header, the stub
>> >is just a 3-line message, while arm64 completely ignores the stub.
>> >
>> >Since there is an offset to the PE header at 0x3c, we can theoretically
>> >put anything between 0x40 and the PE header without affecting the
>> >current settings.
>> >
>> >HPA,
>> >
>> >Does the MS-DOS stub raise any concern to you?
>> >
>> >Thanks,
>> >
>> >Gary Lin
>> >
>> >(*)
>> >https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#ms-dos_stub__image_only_
>> >
>> >> --
>> >> Ard.
>> >>
>> >> >> v2:
>> >> >> - Decrease the size of secdata_offset to 2 bytes since the setup header
>> >> >>   is limited to around 32KB.
>> >> >> - Restructure the secdata section. The signer is now a null-terminated
>> >> >>   string. The type of distro_version changes to u32 in case the distro
>> >> >>   uses a long version.
>> >> >> - Modify the Kconfig names and add help.
>> >> >> - Remove the signer name hack in build.c.
>> >> >>
>> >> >> Cc: Ard Biesheuvel
>> >> >> Cc: "H. Peter Anvin"
>> >> >> Cc: Thomas Gleixner
>> >> >> Cc: Ingo Molnar
>> >> >> Cc: Joey Lee
>> >> >> Signed-off-by: Gary Lin
>> >> >> ---
>[snip]
>> >> >> --
>> >> >> 2.12.2
>> >> >>
>> >>
>>
>> I really don't think that is a good idea. I would much rather keep this in a space we fully own.
>
>Fine. I'll find another place for ARM64 (probably append the structure
>right after the PE-header and denote the 2-byte offset in the reserved
>fields in the first 64-byte header).
>
>Thanks,
>
>Gary Lin

Another "safe" option would be to put it in a COFF segment; then it would be system-independent.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
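The secdata layout quoted in the thread (a packed `header_length`/`distro_version`/`security_version` header followed by a NUL-terminated `signer`) and the bootloader policy built on it (refuse, or warn about, a kernel whose `security_version` is lower than the one recorded for the same distro) are the technical core of the discussion. The C below is an added example written for this page; it is not code from the patch, the kernel or any bootloader. It assumes little-endian field encoding (as the x86 setup header uses), treats `header_length` as both the offset of `signer` and a header version (a longer-than-known header is accepted and its extra bytes skipped), and scopes the version comparison to a matching `signer` and `distro_version`, since a security version from a different distro stream is not comparable. The function and enum names (`secdata_parse`, `secdata_build`, `secdata_check`, `SECDATA_*`) and the sample distro name are invented for the example. Note what the parser deliberately does not do: it establishes nothing about who wrote the bytes, which is exactly why the patch description recommends UEFI Secure Boot, so the field is covered by the image signature and cannot be rewritten in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the secdata section as described in the quoted patch:
 * __u16 header_length, __u32 distro_version, __u16 security_version,
 * packed and little-endian, so 8 bytes. The signer string follows at
 * offset header_length. */
#define SEC_HDR_FIXED_LEN 8

struct secdata {
    uint16_t header_length;     /* offset of signer; also acts as header version */
    uint32_t distro_version;
    uint16_t security_version;
    const char *signer;         /* NUL-terminated, points into the caller's buffer */
};

enum secdata_verdict {
    SECDATA_OK = 0,             /* same stream, security_version >= recorded one */
    SECDATA_DOWNGRADE = 1,      /* same stream, older security_version: warn */
    SECDATA_OTHER_STREAM = 2    /* different signer or distro_version: not comparable */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a secdata blob of len bytes into *out. Returns 0 on success, -1 if the
 * blob is truncated, header_length is smaller than the known header or points
 * past the end, or the signer is not NUL-terminated inside the blob. A
 * header_length larger than SEC_HDR_FIXED_LEN is accepted and the unknown
 * trailing fields are skipped (the "header version" role of the field). */
int secdata_parse(const uint8_t *buf, size_t len, struct secdata *out)
{
    if (!buf || !out || len < SEC_HDR_FIXED_LEN)
        return -1;
    uint16_t hl = rd16(buf);
    if (hl < SEC_HDR_FIXED_LEN || hl > len)
        return -1;
    const uint8_t *s = buf + hl;
    size_t room = len - hl;
    if (room == 0 || memchr(s, '\0', room) == NULL)   /* bounded string scan */
        return -1;
    out->header_length = hl;
    out->distro_version = rd32(buf + 2);
    out->security_version = rd16(buf + 6);
    out->signer = (const char *)s;
    return 0;
}

/* Serialize a secdata section into buf (capacity cap). Returns the number of
 * bytes written, or 0 if it does not fit. Used here to build constructed
 * sample sections; a distro packager's build tooling would do the equivalent. */
size_t secdata_build(uint8_t *buf, size_t cap, uint32_t distro_version,
                     uint16_t security_version, const char *signer)
{
    size_t slen = strlen(signer) + 1;
    size_t total = SEC_HDR_FIXED_LEN + slen;
    if (total > cap)
        return 0;
    buf[0] = SEC_HDR_FIXED_LEN; buf[1] = 0;
    buf[2] = (uint8_t)(distro_version);       buf[3] = (uint8_t)(distro_version >> 8);
    buf[4] = (uint8_t)(distro_version >> 16); buf[5] = (uint8_t)(distro_version >> 24);
    buf[6] = (uint8_t)(security_version);     buf[7] = (uint8_t)(security_version >> 8);
    memcpy(buf + SEC_HDR_FIXED_LEN, signer, slen);
    return total;
}

/* Bootloader policy from the patch description: compare against the
 * (signer, distro_version, security_version) recorded for the current kernel.
 * Only a kernel from the same signer and distro version is comparable. */
enum secdata_verdict secdata_check(const struct secdata *sd, const char *known_signer,
                                   uint32_t known_distro, uint16_t known_secver)
{
    if (strcmp(sd->signer, known_signer) != 0 || sd->distro_version != known_distro)
        return SECDATA_OTHER_STREAM;
    return sd->security_version >= known_secver ? SECDATA_OK : SECDATA_DOWNGRADE;
}

int main(void)
{
    /* Constructed sample: distro version 42, security version 3. */
    uint8_t img[64];
    struct secdata sd;
    size_t n = secdata_build(img, sizeof img, 42, 3, "exampledistro");
    if (!n || secdata_parse(img, n, &sd) != 0)
        return 1;
    /* Loader has recorded security version 4 for this stream: expect a downgrade warning. */
    printf("signer=%s distro=%u secver=%u verdict=%d\n", sd.signer,
           (unsigned)sd.distro_version, (unsigned)sd.security_version,
           (int)secdata_check(&sd, "exampledistro", 42, 4));
    return 0;
}
```

The two checks in `secdata_parse` that matter in a bootloader are the ones a naive `memcpy` of `struct sec_hdr` followed by `strcmp(signer, ...)` would skip: `header_length` must land inside the section, and the signer must terminate inside it, or the comparison reads whatever follows the setup header.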