Message ID | 20221122020404.3476063-2-Jason@zx2c4.com |
---|---|
State | New |
Headers | From: "Jason A. Donenfeld" <Jason@zx2c4.com>; To: linux-efi@vger.kernel.org, linux-crypto@vger.kernel.org, patches@lists.linux.dev, linux-kernel@vger.kernel.org, ardb@kernel.org; Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>; Subject: [PATCH v3 1/5] efi: vars: prohibit reading random seed variables; Date: Tue, 22 Nov 2022 03:04:00 +0100; Message-Id: <20221122020404.3476063-2-Jason@zx2c4.com>; In-Reply-To: <20221122020404.3476063-1-Jason@zx2c4.com>; References: <20221122020404.3476063-1-Jason@zx2c4.com>; List-ID: <linux-kernel.vger.kernel.org> |
Series | Use EFI variables for random seed |
Commit Message
Jason A. Donenfeld
Nov. 22, 2022, 2:04 a.m. UTC
In anticipation of putting random seeds in EFI variables, it's important
that the random GUID namespace of variables remains hidden from
userspace. We accomplish this by not populating efivarfs with entries
from that GUID, as well as denying the creation of new ones in that
GUID.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
fs/efivarfs/inode.c | 4 ++++
fs/efivarfs/super.c | 3 +++
2 files changed, 7 insertions(+)
Comments
Matthew Garrett
Nov. 27, 2022, 9:00 p.m. UTC

On Tue, Nov 22, 2022 at 03:04:00AM +0100, Jason A. Donenfeld wrote:
> In anticipation of putting random seeds in EFI variables, it's important
> that the random GUID namespace of variables remains hidden from
> userspace. We accomplish this by not populating efivarfs with entries
> from that GUID, as well as denying the creation of new ones in that
> GUID.

What's the concern here? Booting an older kernel would allow a malicious
actor to either read the seed variable or set it to a value under their
control, so we can't guarantee that the information is secret.

Jason A. Donenfeld

Hi,

On Sun, Nov 27, 2022 at 09:00:40PM +0000, Matthew Garrett wrote:
> On Tue, Nov 22, 2022 at 03:04:00AM +0100, Jason A. Donenfeld wrote:
> > In anticipation of putting random seeds in EFI variables, it's important
> > that the random GUID namespace of variables remains hidden from
> > userspace. We accomplish this by not populating efivarfs with entries
> > from that GUID, as well as denying the creation of new ones in that
> > GUID.
>
> What's the concern here? Booting an older kernel would allow a malicious
> actor to either read the seed variable or set it to a value under their
> control, so we can't guarantee that the information is secret.

The security model is the same as that of random seed files, on, say, BSD.
If you remove the hard drive or change the operating system or what have
you, then sure, you can fiddle with the seed and read it. But the running
operating system shouldn't show it to you if it can help it. Consider, for
example, systemd's use of EFI variables for the SystemToken. There, they
have PID 1 take care of chmod'ing it before other processes start. But of
course a different OS or even EFI shell could just read it. So, think of
this as just basic runtime safety -- like what people do when they set the
umask before writing a random seed file -- rather than some type of
ultimate secrecy.

(And either way, the larger picture is that it's much more important to get
as much random data from as many sources as possible as soon as possible,
rather than being overly paranoid about every one single source that we
start excluding sources. A plethora of sources is better off here.)

Jason
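Added example, not code from the patch or from the thread: a small userspace C program implementing the "basic runtime safety" model Jason describes for random seed files on disk, which is the on-disk analogue of what the patch does for the EFI variable namespace. It forces a 0600 mode at creation regardless of the caller's umask, writes and renames atomically so a crash never leaves a half-written seed, and refuses to read a seed file back unless it is still a private regular file owned by the caller. The path /tmp/efi_seed_example.bin, the helper names and the 32-byte constant seed are constructed for the demo; a real seeder would take seed material from getrandom(2). An attacker with offline access to the medium is, exactly as in the thread, out of scope.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed seed material for the demo (not real entropy). */
static const unsigned char example_seed[32] = {
    0x5e, 0xed, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
    0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

/* Create path.tmp as 0600 whatever the caller's umask is, write all bytes,
 * fsync, then rename over path. Returns 0 or -errno. */
int write_seed_file(const char *path, const unsigned char *seed, size_t len)
{
    char tmp[PATH_MAX];
    int n = snprintf(tmp, sizeof tmp, "%s.tmp", path);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -ENAMETOOLONG;

    mode_t saved = umask(077);               /* the "set umask first" step */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int err = fd < 0 ? errno : 0;
    umask(saved);
    if (fd < 0)
        return -err;

    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, seed + off, len - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            err = errno;
            goto fail;
        }
        off += (size_t)w;
    }
    if (fsync(fd) < 0) { err = errno; goto fail; }
    if (close(fd) < 0) { err = errno; fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, path) < 0) { err = errno; goto fail; }
    return 0;
fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -err;
}

/* 1 if path is a regular file we own with no group/other bits, else 0. */
int seed_file_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode))
        return 0;                             /* missing, symlink, device */
    if (st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 0 : 1;
}

/* Read the seed back only if the file is still private. Returns bytes read,
 * -EACCES if the file is not private, or another -errno. */
ssize_t read_seed_file(const char *path, unsigned char *buf, size_t cap)
{
    if (!seed_file_is_private(path))
        return -EACCES;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -errno;
    size_t off = 0;
    while (off < cap) {
        ssize_t r = read(fd, buf + off, cap - off);
        if (r < 0) { if (errno == EINTR) continue; int e = errno; close(fd); return -e; }
        if (r == 0) break;
        off += (size_t)r;
    }
    close(fd);
    return (ssize_t)off;
}

/* End-to-end check with a careless caller (umask 000). Returns 0 on success
 * or the number of the failing step. */
int demo_seed_roundtrip(const char *path)
{
    unsigned char back[sizeof example_seed];
    char tmp[PATH_MAX];
    int step = 0;
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    unlink(path); unlink(tmp);
    mode_t saved = umask(0);
    int rc = write_seed_file(path, example_seed, sizeof example_seed);
    umask(saved);
    if (rc != 0) { step = 1; goto out; }
    if (!seed_file_is_private(path)) { step = 2; goto out; }
    if (read_seed_file(path, back, sizeof back) != (ssize_t)sizeof back) { step = 3; goto out; }
    if (memcmp(back, example_seed, sizeof back) != 0) { step = 4; goto out; }
    if (chmod(path, 0644) != 0) { step = 5; goto out; }   /* simulate a loosened seed */
    if (seed_file_is_private(path)) { step = 6; goto out; }
    if (read_seed_file(path, back, sizeof back) != -EACCES) { step = 7; goto out; }
out:
    unlink(path);
    return step;
}

int main(void)
{
    int rc = demo_seed_roundtrip("/tmp/efi_seed_example.bin");
    printf("%s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The refusal in read_seed_file() is the part worth copying: a seed that has become readable by other users is treated as untrusted rather than silently consumed, which mirrors the patch's choice of never exposing the EFI namespace to userspace in the first place.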
diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c index 939e5e242b98..617f3ad2485e 100644 --- a/fs/efivarfs/inode.c +++ b/fs/efivarfs/inode.c @@ -91,6 +91,10 @@ static int efivarfs_create(struct user_namespace *mnt_userns, struct inode *dir, err = guid_parse(dentry->d_name.name + namelen + 1, &var->var.VendorGuid); if (err) goto out; + if (guid_equal(&var->var.VendorGuid, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) { + err = -EPERM; + goto out; + } if (efivar_variable_is_removable(var->var.VendorGuid, dentry->d_name.name, namelen)) diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 6780fc81cc11..07e82e246666 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -116,6 +116,9 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, int err = -ENOMEM; bool is_removable = false; + if (guid_equal(&vendor, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) + return 0; + entry = kzalloc(sizeof(*entry), GFP_KERNEL); if (!entry) return err;
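Review bot: in the efivarfs_create() hunk, the guid_equal() check rejects LINUX_EFI_RANDOM_SEED_TABLE_GUID only after guid_parse() has succeeded and `var` has been allocated, so the -EPERM path relies on the `out` label (not visible here) releasing `var`; the existing `if (err) goto out;` after guid_parse() uses the same label, so this is presumably correct, but worth confirming. A one-line comment above the new block explaining why that one vendor GUID is off limits to userspace would also help, since nothing else in efivarfs_create() explains a permission error that depends on the GUID in the file name. -EPERM is the right code for a policy refusal here.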
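Review bot: in the efivarfs_callback() hunk, the early `return 0;` for LINUX_EFI_RANDOM_SEED_TABLE_GUID tells the variable iterator the callback succeeded while deliberately not creating an entry; because the rest of the function uses its return value to report failure (`int err = -ENOMEM;` two lines above), a short comment that 0 here means "skip this variable, keep enumerating" would stop a later reader from reading it as a missing error path. It would also be worth saying in the commit message that this hides the seed variable from efivarfs enumeration at mount time, so a userspace lookup fails because no inode exists rather than with a permission error; the subject line's "prohibit reading" is achieved by absence, not by a read-time check.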