[OpenPower-Firmware] Implementing Users/Passwords in Petitboot

Samuel Mendoza-Jonas sam at mendozajonas.com
Fri Mar 16 14:52:47 AEDT 2018


On Fri, 2018-03-16 at 09:07 +0800, Jeremy Kerr wrote:
> Hi Sam,
> 
> > In some circles there has been talk of password-protecting Petitboot to
> > restrict access to certain configuration options or the ability to modify disk
> > contents for example.
> 
> OK, we should define what that means first though.
> 
> The examples you have there (protecting configuration and storage
> contents) can easily be bypassed by just booting through petitboot to an
> OS configuration that gives a user direct access to those things. So,
> whatever we implement here will also need to protect against arbitrary
> boot options too.
> 
> That means that whatever protections we implement here should also
> include preventing the user from:
> 
>  1) adding a new boot option and booting that
>      - because an arbitrary booted OS could do anything
> 
>  2) changing boot option arguments
>      - eg, init=/bin/sh allows the console user to do anything
> 
>  3) and possibly: even changing which boot option is selected
>      - eg, pre-existing 'rescue mode' boot options may allow the console
>        user to do anything
> 
> If we go with (3), then petitboot is essentially read-only while in
> unauthenticated mode. Would we even allow an authenticated user to
> interrupt the boot countdown?

This is a good point; I reckon if we're going to implement any of this we
should go the whole way and get as close to (3) as is reasonable. Perhaps
we would still allow the user to 'pause' a countdown to see system
information or logs - basic information that a normal user may want to
see.

I liked the idea mentioned elsewhere of having pb-discover use the
connecting process's UID to determine privileges, but looking into ways
to do that we'll probably need to keep an eye on portability (eg. ucred
structs).

> 
> > - If "petitboot,password" isn't present do we set some default password?
> 
> I'd say if there is no password set, we just follow existing behaviour.
> 
> One consideration (for those reading along) is that there is absolutely
> nothing "special" about the environment that petitboot runs in: it's
> just a standard Linux environment, with no additional privileges above
> the OS that it ends up booting.
> 
> Regards,
> 
> 
> Jeremy
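Sam's suggestion of having pb-discover read the connecting process's UID, and Jeremy's list of which operations would need locking down, combine into a small policy check. The following is an added example written for this page, not Petitboot's own code: it reads peer credentials from a Unix-domain socket with SO_PEERCRED (Linux-specific, which is exactly the ucred portability caveat raised above; the BSDs expose the same thing via getpeereid()/LOCAL_PEERCRED), and gates a hypothetical set of request types (pb_action names are made up here) so that unprivileged peers can only pause the countdown and look at system information, while adding, editing or selecting boot options requires UID 0. The check fails closed: if the credentials cannot be read, nothing is permitted.

```c
/* Added example, not Petitboot code: gate pb-discover-style requests on the
 * peer's UID, read from the Unix socket with SO_PEERCRED (Linux only).
 * The pb_action names below are hypothetical and stand in for the three
 * operations the thread says must be locked down plus the read-only cases. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum pb_action {
	PB_ACTION_VIEW_SYSINFO,    /* read-only: system info, logs */
	PB_ACTION_PAUSE_COUNTDOWN, /* read-only: stop the autoboot timer */
	PB_ACTION_SELECT_OPTION,   /* point (3): change which option boots */
	PB_ACTION_EDIT_ARGS,       /* point (2): change kernel arguments */
	PB_ACTION_ADD_OPTION,      /* point (1): add a new boot option */
};

/* Read the peer process's UID from a connected AF_UNIX socket.
 * Returns 0 on success, -1 on error. Linux-specific (struct ucred). */
int pb_peer_uid(int fd, uid_t *uid)
{
	struct ucred cred;
	socklen_t len = sizeof(cred);

	memset(&cred, 0, sizeof(cred));
	if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
		return -1;
	*uid = cred.uid;
	return 0;
}

/* Policy: anyone may look; only root may change what gets booted. */
int pb_action_permitted(enum pb_action action, uid_t uid)
{
	switch (action) {
	case PB_ACTION_VIEW_SYSINFO:
	case PB_ACTION_PAUSE_COUNTDOWN:
		return 1;
	case PB_ACTION_SELECT_OPTION:
	case PB_ACTION_EDIT_ARGS:
	case PB_ACTION_ADD_OPTION:
		return uid == 0;
	}
	return 0; /* unknown action: deny by default */
}

/* Per-request check a server loop would run. Fails closed: if the peer's
 * credentials cannot be read, even read-only actions are refused. */
int pb_request_allowed(int client_fd, enum pb_action action)
{
	uid_t uid;

	if (pb_peer_uid(client_fd, &uid) < 0)
		return 0;
	return pb_action_permitted(action, uid);
}

/* Self-test: both ends of a socketpair belong to this process, so the UID
 * read back must equal getuid(). Returns 1 on match, 0 on mismatch,
 * -1 if the socketpair or getsockopt call fails. */
int pb_peer_uid_selftest(void)
{
	int fds[2];
	uid_t uid;
	int rc;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
		return -1;
	rc = pb_peer_uid(fds[0], &uid);
	close(fds[0]);
	close(fds[1]);
	if (rc < 0)
		return -1;
	return uid == getuid();
}

int main(void)
{
	printf("peer uid self-test: %d\n", pb_peer_uid_selftest());
	printf("uid 1000 may add a boot option: %d\n",
	       pb_action_permitted(PB_ACTION_ADD_OPTION, 1000));
	printf("uid 1000 may view system info: %d\n",
	       pb_action_permitted(PB_ACTION_VIEW_SYSINFO, 1000));
	printf("bad fd may view system info: %d\n",
	       pb_request_allowed(-1, PB_ACTION_VIEW_SYSINFO));
	return 0;
}
```

Two points worth noting. First, SO_PEERCRED reports the credentials the peer had when it connected (or when the socketpair was created), which is what a daemon accepting connections on a listening socket wants; a client that later drops privileges keeps its original identity for that connection. Second, as Jeremy notes, Petitboot runs as an ordinary Linux environment with no privilege above the OS it boots, so a UID check on the socket only means anything if the console session itself does not run as root and cannot trivially become root; it is the access-control mechanism inside the daemon, not a substitute for deciding who gets a shell on the console in the first place.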


