Re: [SECURITY PATCH 001/117] verifiers: Move verifiers API to kernel image

From: Michael Chang
Subject: Re: [SECURITY PATCH 001/117] verifiers: Move verifiers API to kernel image
Date: Thu, 18 Mar 2021 15:04:33 +0800
User-agent: Mutt/1.10.1 (2018-07-13)
On Thu, Mar 18, 2021 at 01:22:19AM +0000, Colin Watson wrote:
> On Tue, Mar 02, 2021 at 07:00:08PM +0100, Daniel Kiper wrote:
[snip]
> I believe the practical threshold is 62 512-byte sectors, i.e. 31744
> bytes.
>
> As you can see, the biggest single change was induced by this patch,
> which moves the verifiers API into the kernel image. Makes sense. Is
> there anything we can do about this?
>
> I'm a little confused why this change had to be made in this way.
> grub_load_modules is called pretty early during kernel initialization,
> and it initializes all embedded modules. Wouldn't it have been
> sufficient to leave verifiers as a module and simply include that module
> in all UEFI-platform images?
>
> If that wouldn't have worked for some reason, then perhaps it would be
> possible to restructure things a bit more so that we could leave the
> verifiers API as a module on i386-pc, e.g. by moving it back to
> grub-core/commands/verifiers.c and having conditional code that either
> registers/unregisters the filter in a module or registers it at kernel
> startup, depending on the platform. It wouldn't be especially pretty,
> but I think we could tolerate that for the sake of fixing this
> regression.
I fully concur with Colin's idea. It is unfortunate that a short MBR gap
is still used, but it is also unnecessary to increase the core image size to
support nonexistent EFI lockdown on the i386-pc platform. The only consumer
of the verifiers on the i386-pc platform is the pgp module, so it is good to
keep verifiers as a module as long as autoload can keep the existing
configuration working transparently.
For that I've also worked out a patch and will post it here for review.
Thanks,
Michael
>
> Thanks,
>
> --
> Colin Watson (he/him) [cjwatson@debian.org]
>
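The regression being discussed is a BIOS core.img that no longer fits in the post-MBR gap. The 62-sector figure Colin quotes is the gap left by a first partition starting at LBA 63 (the classic CHS-aligned layout): sector 0 holds the MBR, so sectors 1 through 62 are the embedding area. The following POSIX shell script is an added example, not GRUB project code and not something from this thread; it derives the usable gap from an `sfdisk -d` style partition dump and checks whether a core image of a given size fits. The dump embedded in `sample_dump` is constructed for the demonstration; the dump line format (`/dev/sda1 : start=..., size=..., type=...`) is the one `sfdisk -d` prints on current util-linux, and 512-byte sectors are assumed throughout.

```shell
#!/bin/sh
# Added example (not GRUB code): does an i386-pc core.img fit in the
# gap between the MBR and the first partition?
# Assumes 512-byte sectors and an `sfdisk -d` style dump on stdin.

SECTOR_BYTES=512

# Constructed sample dump: first partition at LBA 63, i.e. a 62-sector gap.
sample_dump() {
    cat <<'EOF'
label: dos
label-id: 0x0badc0de
device: /dev/sda
unit: sectors

/dev/sda1 : start=          63, size=  2097152, type=83
/dev/sda2 : start=     2097215, size= 18874368, type=8e
EOF
}

# Print the smallest partition start LBA found in an sfdisk dump on stdin.
# Header lines (label:, device:, unit:) do not start with /dev/ and are skipped.
min_part_start() {
    awk -F'start=' '
        /^\/dev\/[^ ]+ *:/ {
            split($2, a, ",")
            s = a[1] + 0
            if (min == "" || s < min) min = s
        }
        END { if (min == "") exit 1; print min }'
}

# Usable embedding area in sectors: everything between the MBR (sector 0)
# and the first partition.
gap_sectors() {
    echo $(( $1 - 1 ))
}

# Succeed if a core image of $1 bytes fits in a gap of $2 sectors.
# The image is rounded up to whole sectors, as grub-install would write it.
core_fits() {
    _needed=$(( ($1 + SECTOR_BYTES - 1) / SECTOR_BYTES ))
    [ "$_needed" -le "$2" ]
}

# Demo on the constructed dump with a 31744-byte image (exactly 62 sectors)
# and a 32256-byte image (63 sectors, one too many).
_start=$(sample_dump | min_part_start)
_gap=$(gap_sectors "$_start")
for _size in 31744 32256; do
    if core_fits "$_size" "$_gap"; then
        echo "core.img of $_size bytes fits in $_gap-sector gap"
    else
        echo "core.img of $_size bytes does NOT fit in $_gap-sector gap"
    fi
done
```

On a real system the same functions run against the live partition table and the image grub-install left behind, e.g. `sfdisk -d /dev/sda | min_part_start` for the start LBA and `stat -c %s /boot/grub/i386-pc/core.img` for the size; a disk whose first partition starts at LBA 2048 (the modern 1 MiB alignment) has a 2047-sector gap and is not affected by the growth Colin measured.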