Received: by 10.223.164.221 with SMTP id h29csp1443524wrb; Fri, 6 Oct 2017 00:48:07 -0700 (PDT) X-Google-Smtp-Source: AOwi7QBVQv9dLsC76JGA+qekistek9TSYU0eUxUEEE8t4F/bBaMMXRYdFuYmVe+GamFjim/mPanN X-Received: by 10.101.86.133 with SMTP id v5mr1260394pgs.249.1507276087040; Fri, 06 Oct 2017 00:48:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1507276087; cv=none; d=google.com; s=arc-20160816; b=cQxePQABfTyZKJr1uKevaUNLGjMAIb+snJMY9GQx8Zgxxi3Up87owPGgdl5038Dym9 XauUyWyIlB4WQvR18MI1D6WQ4pvW+wIs4PTFTPZr4yBQ1LfpOokcMtH7/vfdyiX1cY5g QrKWWCQVQkxF9+ijMwj3xDGlaMuCy7df3rgk0dYaJZM1uM1itN9qIaqWn2Em6lY3Z2zC BK1+aoe3GmNbQbAlElPwQkK19a5lb/uB2NQArDMwTaTJj5wh4IQXi0edqLBltYoSvSl6 1xf1vRBAtyCOhxZbYmprNK5CBUIxeEJ/49z4FrBfKsEzqjGJMkwL5cvOcarmBrgB4hGv 50Sw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=GzhvjZvujl1Aeof9SUNMCTPOjNSkX0ckFU14h4VW/OE=; b=q4gJty/pOnYYHWcxyaitxuz/tUebt7g3Rn/z/2DyIc0ZhpCyqDHaP1rELtz/NDLepJ 8ldWv78LPePYVnwvy8JDltcwMphHa8kEGFN+iEsvwMq8pDjR64g4XUM0byfCuNq6yVff 9l6CHRbVckuSdXnjemG6D0RV803XyzVrzrldMmztdZR8N9g+FkBD7mrRvuv/v30a1bM8 6Q4yqNqfhhgx9UM8iKldLMlhvjl/Xy411xm+tDQ54/rg5BufYEznm2wEo5Z8sVXW4EE6 QjZ/cDUlULMttoyP6WGdwedrWtjVG52RmLJiGp/Xp9HAFyl5di81Y6B6jrTwS1mSEmrI Ajjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 33si723837pls.291.2017.10.06.00.47.41; Fri, 06 Oct 2017 00:48:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751535AbdJFHrE (ORCPT + 99 others); Fri, 6 Oct 2017 03:47:04 -0400 Received: from smtp.nue.novell.com ([195.135.221.5]:57938 "EHLO smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750791AbdJFHrC (ORCPT ); Fri, 6 Oct 2017 03:47:02 -0400 Received: from linux-l9pv.suse (unknown.telstraglobal.net [134.159.103.118]) by smtp.nue.novell.com with ESMTP (TLS encrypted); Fri, 06 Oct 2017 09:46:55 +0200 Date: Fri, 6 Oct 2017 15:46:49 +0800 From: joeyli To: David Howells Cc: Ard Biesheuvel , mtk.manpages@gmail.com, mcgrof@kernel.org, johannes@sipsolutions.net, linux-man@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Gary Lin , Jann Horn Subject: Re: Draft manpage explaining kernel lockdown Message-ID: <20171006074649.GB3789@linux-l9pv.suse> References: <7969.1507201224@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7969.1507201224@warthog.procyon.org.uk> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi David, On Thu, Oct 05, 2017 at 12:00:24PM +0100, David Howells wrote: > Hi Ard, Michael, > > Attached is a draft for a manual page (kernel_lockdown.7) that I intend to > point at from messages emitted when the kernel prohibits something because the > kernel is in 'lockdown' mode, typically triggered by EFI secure boot. > > Let me know what you think. > > David > --- [...snip] > When lockdown is in effect, a number of things are disabled or restricted in > use. This includes special device files and kernel services that allow direct > access of the kernel image: > .P > .RS > /dev/mem > .br > /dev/kmem > .br > /dev/kcore > .br > /dev/ioports > .br > BPF memory access functions Some information for note... The BPF functions bpf_probe_read(), bpf_trace_printk() and bpf_probe_write_user() need to be lockdown to avoid accessing arbitrary addess. Our original idea is trying to filter out senstivie data address at runtime by eBPF verifier. But it can not be success. Gary Lin has investigated and comment: Although eBPF verifier can stop the reading from the hard-coded address, it's not able to stop reading arguments in the probed functions. So if the malicious user attaches a eBPF program to a function that is used to process the sensitive data, the eBPF program can print those arguments easily and this might leak the passwords or private keys. If we readlly want to allow eBPF code to access memory, then I think that the bpf bytecode should be signed by trused key in system keyring. > .RE > .P Another function may needs to be restrictred: - The perf_event_open() with PERF_SAMPLE_REGS_INTR Jann Horn raised this concern. The tool can be used to grab register to peep sensitive data. We may need to block this tracing function. Regards Joey Lee From 1580443421766714358@xxx Thu Oct 05 18:31:39 +0000 2017 X-GM-THRID: 1580415097298572743 X-Gmail-Labels: Inbox,Category Forums