Security Working Group - Wednesday May 12 - results

Joseph Reynolds jrey at linux.ibm.com
Sat May 15 04:26:25 AEST 2021


On 5/12/21 3:40 PM, Patrick Williams wrote:
> On Wed, May 12, 2021 at 01:18:48PM -0500, Joseph Reynolds wrote:
>> On 5/11/21 8:59 PM, Joseph Reynolds wrote:
> [ Copying some stuff from the Google Doc. ]
>
>> Security impacts:
>> - Can be used to defeat secureboot.
>> - Can this function be disabled?  Via kernel config.  Default?
>> - Can restrict which images kexec can load?
>> - Recommend?  Validate the kernel signature before kexec’ing it.  But that doesn't stop an attacker who uses wget to get a malicious image which they pass to kexec.
>> - Why would an attacker want to use kexec?  Opportunity to modify BMC code, load device drivers, create trojan horse(?) or back doors.
>> - How can we force kexec to perform the same signature validation as uboot?  (each part and the whole: kernel, device tree, file system, …)
> Some of this is a concern only because the arm32 support for kexec is
> far behind the other architectures.  Can someone investigate what, if
> anything, is going on upstream to get arm caught up?
>
> On most other architectures there is a new set of system calls, enabled
> by KEXEC_FILE, which moves some of the handling done by the kexec
> executable into the kernel and has signature verification done there.
> arm32 is one of the few architectures that do not currently support this
> KConfig.
>
> See:
> - https://man7.org/linux/man-pages/man8/kexec.8.html (kexec-syscall-auto).
> - http://people.redhat.com/vgoyal/papers-presentations/linux-plumbers-2013/vivek-linux-plumbers-conference-2013-presentation-kexec-secureboot.pdf
>

Patrick,

Thanks for the info!  (I'm learning as I go.)  I'll ask my people to look into this (with no promises).

- Joseph
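An added example (not from this thread or the OpenBMC project) of the kind of check the notes above ask for: parse a kernel `.config` (or `/proc/config.gz` after decompression) and report whether kexec is compiled in, whether the KEXEC_FILE path exists, and whether signature verification is actually enforced. The config text and the sysctl value are constructed inputs; the option names are mainline Kconfig symbols (assumption: 5.4+ naming, where CONFIG_KEXEC_SIG replaced CONFIG_KEXEC_VERIFY_SIG).

```python
import re

def parse_kconfig(text):
    """Parse .config style text into {option: value}; unset options map to "n"."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit_kexec(config_text, kexec_load_disabled=0):
    """Return findings about the kexec posture of a kernel config.

    kexec_load_disabled is the runtime value of sysctl kernel.kexec_load_disabled
    (1 = legacy kexec_load(2) rejected until reboot; lockdown LSM blocks it too).
    """
    opts = parse_kconfig(config_text)
    findings = []
    if opts.get("CONFIG_KEXEC") != "y" and opts.get("CONFIG_KEXEC_FILE") != "y":
        return ["kexec compiled out: no kexec attack surface"]
    if opts.get("CONFIG_KEXEC") == "y":
        # The legacy syscall takes a pre-built image from userspace and never
        # checks signatures, so SIG_FORCE alone does not close this path.
        if kexec_load_disabled == 1:
            findings.append("legacy kexec_load(2) present but disabled via sysctl kernel.kexec_load_disabled=1")
        else:
            findings.append("legacy kexec_load(2) enabled: unsigned images can be loaded by root")
    if opts.get("CONFIG_KEXEC_FILE") == "y":
        if opts.get("CONFIG_KEXEC_SIG") != "y":
            findings.append("kexec_file_load(2) enabled without CONFIG_KEXEC_SIG: no signature check")
        elif opts.get("CONFIG_KEXEC_SIG_FORCE") != "y":
            findings.append("CONFIG_KEXEC_SIG set but not forced: unsigned images still accepted")
        else:
            findings.append("kexec_file_load(2) requires a valid signature")
    else:
        findings.append("CONFIG_KEXEC_FILE not set (as on arm32): no in-kernel signature verification path")
    return findings

# Constructed sample resembling an arm32 BMC kernel config.
SAMPLE_CONFIG = """\
CONFIG_ARM=y
CONFIG_KEXEC=y
# CONFIG_KEXEC_FILE is not set
"""

if __name__ == "__main__":
    for finding in audit_kexec(SAMPLE_CONFIG):
        print(finding)
```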
