Re: [RFC v2 PATCH] x86/boot: Add the secdata section to the setup header

From: Ard Biesheuvel
Date: Mon Jul 03 2017 - 07:45:08 EST


On 30 June 2017 at 23:52, joeyli <jlee@xxxxxxxx> wrote:
> Hi Ard,
>
> On Thu, Jun 01, 2017 at 08:46:26AM +0000, Ard Biesheuvel wrote:
>> On 1 June 2017 at 08:11, Gary Lin <glin@xxxxxxxx> wrote:
>> > On Fri, May 12, 2017 at 04:05:34PM +0800, Gary Lin wrote:
>> >> A new section, secdata, in the setup header is introduced to store the
>> >> distro-specific security version which is designed to help the
>> >> bootloader to warn the user when loading a less secure or vulnerable
>> >> kernel. The secdata section can be presented as the following:
>> >>
>> >> struct sec_hdr {
>> >>     __u16 header_length;
>> >>     __u32 distro_version;
>> >>     __u16 security_version;
>> >> } __attribute__((packed));
>> >> char *signer;
>> >>
>> >> It consists of a fixed size structure and a null-terminated string.
>> >> "header_length" is the size of "struct sec_hdr" and can be used as the
>> >> offset to "signer". It also can be a kind of the "header version" to
>> >> detect if any new member is introduced.
>> >>
>> >> The kernel packager of the distribution can put the distro name in
>> >> "signer" and the distro version in "distro_version". When a severe
>> >> vulnerability is fixed, the packager increases "security_version" in
>> >> the kernel build afterward. The bootloader can maintain a list of the
>> >> security versions of the current kernels and only allows the kernel with
>> >> a higher or equal security version to boot. If the user is going to boot
>> >> a kernel with a lower security version, a warning should show to prevent
>> >> the user from loading a vulnerable kernel accidentally.
>> >>
>> >> Enabling UEFI Secure Boot is recommended when using the security version
>> >> or the attacker may alter the security version stealthily.
>> >>
>> > Any comment?
>> >
>>
>> This is now entirely x86-specific. My preference would be to have a
>> generic solution instead.
>>
>> --
>> Ard.
>
> On x86 platform with secure boot, UEFI boot loader (e.g. shim) keeps the
> kernel security version in boot variable for comparing to prevent replay
> attack.
>
> Will ARM platform also apply this approach? Does ARM platform have
> secure boot knob in firmware?
>

Yes, there is no reason to assume ARM differs from x86 in this
respect. Shim can be built for ARM as well as for x86.
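
The secdata layout and the bootloader-side comparison quoted above, as an added C example that is not part of the patch or of this thread: the parser, the `known` list, the "unknown signer boots" default and the sample bytes are my own assumptions, and byte order is taken as native little-endian as on x86.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Layout quoted in the RFC: packed fixed header, then a NUL-terminated signer. */
struct sec_hdr {
    uint16_t header_length;
    uint32_t distro_version;
    uint16_t security_version;
} __attribute__((packed));
struct secdata {
    uint32_t distro_version;
    uint16_t security_version;
    const char *signer;   /* points into the caller's buffer */
};
/* Constructed sample section (little-endian, as on x86): header_length=8,
 * distro_version=42, security_version=3, signer="SUSE". */
static const uint8_t sample_secdata[] = {
    0x08, 0x00,  0x2a, 0x00, 0x00, 0x00,  0x03, 0x00,  'S', 'U', 'S', 'E', '\0'
};
/* Returns 0 on success, -1 if the section is truncated, header_length is
 * smaller than the known header, or signer is not NUL-terminated in-buffer.
 * A larger header_length is accepted so that newer headers still parse. */
int parse_secdata(const uint8_t *buf, size_t len, struct secdata *out)
{
    struct sec_hdr hdr;
    if (len < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));          /* avoids an unaligned access */
    if (hdr.header_length < sizeof(hdr) || hdr.header_length >= len)
        return -1;
    if (memchr(buf + hdr.header_length, '\0', len - hdr.header_length) == NULL)
        return -1;                            /* signer runs past the section */
    out->distro_version = hdr.distro_version;
    out->security_version = hdr.security_version;
    out->signer = (const char *)(buf + hdr.header_length);
    return 0;
}
/* Bootloader policy from the RFC: boot without a warning only if the kernel's
 * security_version is >= the one recorded for the same signer and distro. */
struct known { const char *signer; uint32_t distro_version; uint16_t min_sec; };
int secdata_allowed(const struct secdata *sd, const struct known *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].distro_version == sd->distro_version &&
            strcmp(list[i].signer, sd->signer) == 0)
            return sd->security_version >= list[i].min_sec;
    return 1; /* assumption: no recorded entry means nothing to compare against */
}
```

Without Secure Boot the section is as forgeable as the rest of the image, so the comparison only means something once the image signature has already been verified.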