Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750999AbdIKEWj (ORCPT ); Mon, 11 Sep 2017 00:22:39 -0400 Received: from prv3-mh.provo.novell.com ([137.65.250.26]:56068 "EHLO prv3-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750969AbdIKEWh (ORCPT ); Mon, 11 Sep 2017 00:22:37 -0400 Date: Mon, 11 Sep 2017 12:22:27 +0800 From: Gary Lin To: hpa@zytor.com Cc: Ard Biesheuvel , "x86@kernel.org" , "linux-kernel@vger.kernel.org" , Thomas Gleixner , Ingo Molnar , Joey Lee Subject: Re: [RFC v2 PATCH] x86/boot: Add the secdata section to the setup header Message-ID: <20170911042227.4df7hb5sxezr46lo@localhost> References: <20170512080534.4085-1-glin@suse.com> <20170601081136.ruiao3w2wfc3hftg@GaryWorkstation> <20170907094451.2h2cbxpfmtga7buf@localhost> <2683B4EE-9BC5-4FCB-B880-C1A97163B24E@zytor.com> <20170908094510.puqif3gvzms6hwrn@GaryWorkstation> <3A9D519A-BD72-4E59-AA69-B85CACD3E37A@zytor.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3A9D519A-BD72-4E59-AA69-B85CACD3E37A@zytor.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4572 Lines: 134 On Fri, Sep 08, 2017 at 01:59:00PM -0700, hpa@zytor.com wrote: > On September 8, 2017 2:45:10 AM PDT, Gary Lin wrote: > >On Thu, Sep 07, 2017 at 02:16:21PM -0700, hpa@zytor.com wrote: > >> On September 7, 2017 2:44:51 AM PDT, Gary Lin wrote: > >> >On Thu, Jun 01, 2017 at 08:46:26AM +0000, Ard Biesheuvel wrote: > >> >> On 1 June 2017 at 08:11, Gary Lin wrote: > >> >> > On Fri, May 12, 2017 at 04:05:34PM +0800, Gary Lin wrote: > >> >> >> A new section, secdata, in the setup header is introduced to > >store > >> >the > >> >> >> distro-specific security version which is designed to help the > >> >> >> bootloader to warn the user when loading a less secure or > >> >vulnerable > >> >> >> kernel. The secdata section can be presented as the following: > >> >> >> > >> >> >> struct sec_hdr { > >> >> >> __u16 header_length; > >> >> >> __u32 distro_version; > >> >> >> __u16 security_version; > >> >> >> } __attribute__((packed)); > >> >> >> char *signer; > >> >> >> > >> >> >> It consists of a fixed size structure and a null-terminated > >> >string. > >> >> >> "header_length" is the size of "struct sec_hdr" and can be used > >as > >> >the > >> >> >> offset to "signer". It also can be a kind of the "header > >version" > >> >to > >> >> >> detect if any new member is introduced. > >> >> >> > >> >> >> The kernel packager of the distribution can put the distro name > >in > >> >> >> "signer" and the distro version in "distro_version". When a > >severe > >> >> >> vulnerability is fixed, the packager increases > >"security_version" > >> >in > >> >> >> the kernel build afterward. The bootloader can maintain a list > >of > >> >the > >> >> >> security versions of the current kernels and only allows the > >> >kernel with > >> >> >> a higher or equal security version to boot. If the user is > >going > >> >to boot > >> >> >> a kernel with a lower security version, a warning should show > >to > >> >prevent > >> >> >> the user from loading a vulnerable kernel accidentally. > >> >> >> > >> >> >> Enabling UEFI Secure Boot is recommended when using the > >security > >> >version > >> >> >> or the attacker may alter the security version stealthily. > >> >> >> > >> >> > Any comment? > >> >> > > >> >> > >> >> This is now entirely x86-specific. My preference would be to have > >a > >> >> generic solution instead. > >> >> > >> >After check the headers again, another idea came to my mind: the > >MS-DOS > >> >stub. It's designed to show a warning while the image is loaded in > >> >DOS(*), > >> >but I wonder if it still matters. In the x86 linux efi header, the > >stub > >> >is just a 3-lines message, while arm64 completely ignores the stub. > >> > > >> >Since there is a offset to the PE header at 0x3c, we can > >theoretically > >> >put any thing between 0x40 and the PE header without affecting the > >> >current settings. > >> > > >> >HPA, > >> > > >> >Does the MS-DOS stub raise any concern to you? > >> > > >> >Thanks, > >> > > >> >Gary Lin > >> > > >> >(*) > >> > >>https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#ms-dos_stub__image_only_ > >> > > >> >> -- > >> >> Ard. > >> >> > >> >> > >> >> >> v2: > >> >> >> - Decrease the size of secdata_offset to 2 bytes since the > >setup > >> >header > >> >> >> is limited to around 32KB. > >> >> >> - Restructure the secdata section. The signer is now a > >> >null-terminated > >> >> >> string. The type of distro_version changes to u32 in case the > >> >distro > >> >> >> uses a long version. > >> >> >> - Modify the Kconfig names and add help. > >> >> >> - Remove the signer name hack in build.c. > >> >> >> > >> >> >> Cc: Ard Biesheuvel > >> >> >> Cc: "H. Peter Anvin" > >> >> >> Cc: Thomas Gleixner > >> >> >> Cc: Ingo Molnar > >> >> >> Cc: Joey Lee > >> >> >> Signed-off-by: Gary Lin > >> >> >> --- > >[snip] > >> >> >> -- > >> >> >> 2.12.2 > >> >> >> > >> >> > >> > >> I really don't think that is a good idea. I would much rather keep > >this in a space we fully own. > >Fine. I'll find another place for ARM64 (probably append the structure > >right after the PE-header and denote the 2-byte offset in the reserved > >fields in the first 64 bytes header). > > > >Thanks, > > > >Gary Lin > > Another "safe" option would be to put it in a COFF segment; then it would be system-independent. Creating a new COFF section looks promising. Thanks for pointing the direction. Gary Lin