From: Andy Lutomirski <luto@amacapital.net>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>,
Sarah Sharp <sarah@minilop.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
Julia Lawall <julia.lawall@lip6.fr>,
Darren Hart <darren@dvhart.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [Ksummit-discuss] [CORE TOPIC] Kernel tinification: shrinking the kernel and avoiding size regressions
Date: Fri, 9 May 2014 13:37:22 -0700 [thread overview]
Message-ID: <CALCETrVr=Tv+LyTRPg-ntTJPKtO3aQWEoDEVSwCm5RpOStkWPA@mail.gmail.com> (raw)
In-Reply-To: <536D1CCE.3060708@zytor.com>
On Fri, May 9, 2014 at 11:22 AM, H. Peter Anvin <hpa@zytor.com> wrote:
> On 05/06/2014 10:31 AM, Andy Lutomirski wrote:
>>
>> I have two main objections to "root != kernel". The bigger is that
>> I'd like to see the security argument for it so that people can think
>> about whether it makes sense. The smaller is that "root != kernel"
>> isn't necessarily well-defined.
>>
>> For example, should root be able to write to the filesystem from which
>> the kernel loads? Should root be able to kexec a new kernel, if that
>> clears some key known to the current kernel in the process? Should
>> root be able to start a KVM instance that passes essentially all
>> hardware through? Should root be able to talk directly to the
>> system's embedded controller? Should root be able to read all
>> physical memory? How about reading just enough to learn the kernel's
>> semi-secret randomized addresses? How about running perf without
>> restrictions?
>>
>> In the past, the actual security goal seems to have been "root shall
>> not be able to do anything that would anger Microsoft and/or
>> Verisign", which is far-enough removed from actual security that I
>> don't want it anywhere near my system. But if I could have a
>> reasonable policy that "root shall not be able to persistently
>> compromise the machine", then I think this could be great.
>>
>> Note that the latter goal does not actually require that root be
>> unable to modify the running kernel.
>>
>
> The first aspect of this is that the kernel needs to *be able to* lock
> out root from select functions. These things will be system
> configuration dependent.
>
I'm still unconvinced. For Chrome OS-style security, I think that
root just needs to be prevented from doing anything that will
interfere with the verified boot process the next time the machine
boots. The kernel doesn't need any particular security feature for
this: the kernel can't change the verified boot keys either. If an
attacker controls root on a Chromebook, the attacker has already won,
at least until the next reboot.
If the idea is to have a verified boot without any hardware or
firmware support, then, yes, the kernel needs to enforce that the
verification path can't be tampered with. But I think we're talking
about Secure Boot here, and on a correct Secure Boot implementation*,
the worst that the kernel can do is to prevent the box from booting
next time.
The best arguments I've heard so far for why the kernel needs to try
to protect itself against root are:
1. MS/Verisign demand it.
2. It's annoying to fool a user into thinking that they just booted
Some Other OS when they're really running Linux without kernel help.
NB: no one has claimed that it's impossible AFAIK, just that it's
annoyingly complicated.
I like neither of these arguments. #1 is politics, not security, and
#2 seems like security by annoying the attacker.
To be clear, I don't object on principle to making it possible for the
kernel to defend itself against root. But it's hard, doing it right
will require a lot of care, and I don't think it's worth doing unless
there's a good reason. If there's a good reason that I don't know
about, please tell me!
* The recent MITRE paper suggests that very few of these exist.
That's a separate issue.
--Andy
next prev parent reply other threads:[~2014-05-09 20:37 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 16:44 Josh Triplett
2014-05-02 17:11 ` Dave Jones
2014-05-02 17:20 ` James Bottomley
2014-05-02 17:33 ` Dave Jones
2014-05-02 17:46 ` Josh Boyer
2014-05-02 18:50 ` H. Peter Anvin
2014-05-02 19:02 ` Josh Boyer
2014-05-02 19:03 ` Michael Kerrisk (man-pages)
2014-05-02 19:33 ` Theodore Ts'o
2014-05-02 19:38 ` Jiri Kosina
2014-05-02 19:49 ` Dave Jones
2014-05-02 20:06 ` Steven Rostedt
2014-05-02 20:41 ` Theodore Ts'o
2014-05-02 21:01 ` Dave Jones
2014-05-02 21:19 ` Josh Boyer
2014-05-02 21:23 ` Jiri Kosina
2014-05-02 21:36 ` Josh Boyer
2014-05-02 21:27 ` James Bottomley
2014-05-02 21:39 ` Josh Boyer
2014-05-02 22:35 ` Andy Lutomirski
2014-05-06 17:18 ` josh
2014-05-06 17:31 ` Andy Lutomirski
2014-05-09 18:22 ` H. Peter Anvin
2014-05-09 20:37 ` Andy Lutomirski [this message]
2014-05-09 22:50 ` Josh Triplett
2014-05-10 0:23 ` James Bottomley
2014-05-10 0:38 ` Andy Lutomirski
2014-05-10 3:44 ` Josh Triplett
2014-05-03 17:30 ` James Bottomley
2014-05-02 21:56 ` tytso
2014-05-02 20:45 ` Ben Hutchings
2014-05-02 21:03 ` Dave Jones
2014-05-03 13:37 ` Michael Kerrisk (man-pages)
2014-05-03 13:35 ` Michael Kerrisk (man-pages)
2014-05-03 13:32 ` Michael Kerrisk (man-pages)
2014-05-02 19:03 ` Mark Brown
2014-05-02 19:45 ` Luck, Tony
2014-05-02 21:03 ` Mark Brown
2014-05-02 21:08 ` Dave Jones
2014-05-02 21:14 ` Andy Lutomirski
2014-05-02 21:21 ` Luck, Tony
2014-05-02 21:38 ` H. Peter Anvin
2014-05-03 1:21 ` Mark Brown
2014-05-07 12:35 ` David Woodhouse
2014-05-09 15:51 ` Mark Brown
2014-05-02 17:33 ` Guenter Roeck
2014-05-02 17:44 ` Steven Rostedt
2014-05-07 11:32 ` David Woodhouse
2014-05-07 16:38 ` James Bottomley
2014-05-02 22:04 ` Jan Kara
2014-05-05 23:45 ` Bird, Tim
2014-05-06 2:14 ` H. Peter Anvin
2014-05-09 16:22 ` Josh Triplett
2014-05-09 16:59 ` Bird, Tim
2014-05-09 17:23 ` josh
2014-05-08 15:52 ` Christoph Lameter
2014-05-12 17:35 ` Wolfram Sang
2014-05-13 16:36 ` Bird, Tim
2014-05-13 18:00 ` josh
2014-05-14 1:04 ` Julia Lawall
2014-08-17 9:45 ` [Ksummit-discuss] tiny.wiki.kernel.org Josh Triplett
2014-05-08 16:24 [Ksummit-discuss] [CORE TOPIC] Kernel tinification: shrinking the kernel and avoiding size regressions Christoph Lameter
2014-05-09 0:31 ` James Bottomley
2014-05-09 14:48 ` Christoph Lameter
2014-05-09 16:24 ` Steven Rostedt
2014-05-09 16:55 ` Christoph Lameter
2014-05-09 17:21 ` josh
2014-05-09 17:42 ` James Bottomley
2014-05-09 17:52 ` Christoph Lameter
2014-05-09 18:32 ` Steven Rostedt
2014-05-09 19:02 ` Julia Lawall
2014-05-09 20:31 ` Steven Rostedt
2014-05-09 17:52 ` Matthew Wilcox
2014-05-12 18:06 ` Dave Hansen
2014-05-12 20:20 ` Roland Dreier
2014-05-14 2:37 ` Li Zefan
2014-05-15 19:41 ` H. Peter Anvin
2014-05-15 20:00 ` Greg KH
2014-05-15 20:29 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrVr=Tv+LyTRPg-ntTJPKtO3aQWEoDEVSwCm5RpOStkWPA@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=dan.carpenter@oracle.com \
--cc=darren@dvhart.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=julia.lawall@lip6.fr \
--cc=jwboyer@fedoraproject.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=sarah@minilop.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox