Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp15198213rwb; Mon, 28 Nov 2022 08:58:59 -0800 (PST) X-Google-Smtp-Source: AA0mqf5Z6fzD5bC5wsHAfKIIQLqLFdsLsGr7hPCETLt5dWNs2PrnGqSCOEhvF4wdsQHOUe0Y57h1 X-Received: by 2002:aa7:dbca:0:b0:458:3f65:4e42 with SMTP id v10-20020aa7dbca000000b004583f654e42mr48500946edt.39.1669654739224; Mon, 28 Nov 2022 08:58:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669654739; cv=none; d=google.com; s=arc-20160816; b=LqjTkNJ8kfjzolYW5ckAYnWUoYcvOfuIdLuZnywgvdqXMS1O2QctAoAnlehrBQSEnu RX6mQj0K8zmPB7oea8P1S4di/PddR9TxFSkPV1WWYcTNNhP6y6N2FdUc2WzxiMfuHeMg R8k7GCt2sC5Wg9uPnZkdxUGl/FCmHC83sw8NxOveTIu3jlnLiDxAsGsTayDsqame8+lO xZ7IGmvTG7PeDERF5t/ZzQCDGQn4/0v0w23Tn625wUxtrpZtbIJ042wqrDiZqSCWl8Y7 ZgzTs0M2SPpsaSN66q3GlMFwgZTLv3SSQ9TWsNpNZwCmGJrJBPR/R/TPLS7RYrXC5jsQ BnOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=VJSo1r/E5ZEnf5rrio/thaS/8wkg6HOlbCb8D26LsjI=; b=CmmfjoHc6AZYKbEX8uH3YqxRD3nMfS1OzSIOrghwjxDZBKWtcBkCb6h8NiIItzQY/Q eSiprGo0U/51QMfF611cGR508LQyb+HqdgJYrjakxkVLtjj1IzBS0iO+OboMK36FFjZm emYWy01yph+aLex6zT2Hke7uqECueEa8YPsz2bX73eiXQL8YA31rgGXFIBjOSBSTsQWn t9SwAOsCCe8FIQhtqPRRzTiPn2pQawmdn5b/BjQEKvSnsRQVa9YI9gdyIxpkZHT902/V xowUIlotYForhaitx3GCg4ReKsAF6j6jDZC5a4TdkZCVdMDPzUN/P6evkxj04K5n5Qiz jEbg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hv12-20020a17090760cc00b007be1d7d1c22si6617078ejc.32.2022.11.28.08.58.38; Mon, 28 Nov 2022 08:58:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230001AbiK1QmG (ORCPT + 84 others); Mon, 28 Nov 2022 11:42:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37064 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231126AbiK1QmE (ORCPT ); Mon, 28 Nov 2022 11:42:04 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADF0F24F3F; Mon, 28 Nov 2022 08:42:03 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 495616126E; Mon, 28 Nov 2022 16:42:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A00CCC433D7; Mon, 28 Nov 2022 16:42:01 +0000 (UTC) Date: Mon, 28 Nov 2022 11:42:00 -0500 From: Steven Rostedt To: Philipp Rudo Cc: Ricardo Ribalda , Eric Biederman , Jonathan Corbet , Sergey Senozhatsky , linux-kernel@vger.kernel.org, kexec@lists.infradead.org, Ross Zwisler , linux-doc@vger.kernel.org, "Joel Fernandes (Google)" Subject: Re: [PATCH v1 2/2] kexec: Introduce kexec_reboot_disabled Message-ID: <20221128114200.72b3e2fe@gandalf.local.home> In-Reply-To: <20221124160115.23ae7928@rotkaeppchen> References: <20221114-disable-kexec-reset-v1-0-fb51d20cf871@chromium.org> <20221114-disable-kexec-reset-v1-2-fb51d20cf871@chromium.org> <20221117160650.16e06b37@rotkaeppchen> <20221121150948.6f7c1f1f@rotkaeppchen> <20221124124000.5af23cad@rotkaeppchen> <20221124160115.23ae7928@rotkaeppchen> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 24 Nov 2022 16:01:15 +0100 Philipp Rudo wrote: > No, I think the implementation is fine. I'm currently only struggling > to understand what problem kexec_reboot_disabled solves that cannot be > solved by kexec_load_disabled. Hi Philipp, Thanks for working with us on this. Let me try to explain our use case. We want kexec/kdump enabled, but we really do not want kexec used for any other purpose. We must have the kexec kernel loaded at boot up and not afterward. Your recommendation of: kexec -p dump_kernel echo 1 > /proc/sys/kernel/kexec_load_disabled can work, and we will probably add it. But we are taking the paranoid approach, and what I learned in security 101 ;-) and that is, only open up the minimal attack surface as possible. Yes, it's highly unlikely that the above would crash. But as with most security vulnerabilities, it's not going to be an attacker that creates a new gadget here, but probably another script in the future that causes this to be delayed or something, and a new window of opportunity will arise for an attacker. Maybe, that new window only works for non panic kernels. Yes, this is a contrived scenario, but the work vs risk is very low in adding this feature. Perhaps the attack surface that a reboot kexec could be, is that the attacker gets the ability at boot up to load the kexec for reboot and not panic. Then the attack must wait for the victim to reboot their machine before they have access to the new kernel. Again, I admit this is contrived, but just because I can't think of a real situation that this could be a problem doesn't mean that one doesn't exist. In other words, if we never want to allow a kexec reboot, why allow it at all from the beginning? The above allows it, until we don't. That alone makes us nervous. Whereas this patch is rather trivial and doesn't add complexity. Thanks for your time, we appreciate it. -- Steve