| Header | Value |
|---|---|
| Path | csiph.com!fu-berlin.de!bofh.it!news.nic.it!robomod |
| From | Salvatore Bonaccorso <carnil@debian.org> |
| Newsgroups | linux.debian.kernel, linux.debian.security |
| Subject | Re: [arm64] secure boot breach via VFIO_NOIOMMU |
| Date | Thu, 14 Dec 2023 09:30:02 +0100 |
| Message-ID | <HKPgt-dtPi-1@gated-at.bofh.it> (permalink) |
| References | <HKFAu-do4X-5@gated-at.bofh.it> |
| X-Original-To | debian-kernel@lists.debian.org, debian-security@lists.debian.org, debian-efi@lists.debian.org |
| Mail-Followup-To | debian-kernel@lists.debian.org, debian-security@lists.debian.org, debian-efi@lists.debian.org |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=us-ascii |
| Content-Disposition | inline |
| X-Debian-User | carnil |
| X-Mailing-List | <debian-kernel@lists.debian.org> archive/latest/141028 |
| List-ID | <debian-kernel.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-kernel/> |
| List-Archive | https://lists.debian.org/msgid-search/ZXq8IbpeU5GOD8od@eldamar.lan |
| X-Original-Date | Thu, 14 Dec 2023 09:26:09 +0100 |
| X-Original-Message-ID | <ZXq8IbpeU5GOD8od@eldamar.lan> |
| X-Original-References | <20231213214501.33o2akvapj4n3o2r@shell.thinkmo.de> |
Hi,

On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
> Hi
>
> Over six years ago, support for VFIO without IOMMU was enabled for
> arm64. This is a breach of the integrity lockdown requirement of secure
> boot.
>
> VFIO is a framework for handling devices in userspace. To make
> this safe, an IOMMU is required by default. Without it, user space can
> write everywhere in memory. The code is still not conditional on
> lockdown, even if a patch was proposed.
>
> I intend to disable this option for all supported kernels.

Agreed.

For the readers following along, this was raised in the context of
https://salsa.debian.org/kernel-team/linux/-/merge_requests/925#note_446730
and
https://salsa.debian.org/kernel-team/linux/-/merge_requests/502#note_315464

The proposed patch probably fell through the cracks.

Regards,
Salvatore
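As an added defender-side example (not code from this thread or from the Debian kernel team), a POSIX sh audit that reports the inconsistency described above: a kernel that enforces a lockdown mode while CONFIG_VFIO_NOIOMMU is built in. It reads the config Debian ships under /boot (or /proc/config.gz), the active mode from /sys/kernel/security/lockdown, and the vfio module's enable_unsafe_noiommu_mode parameter; the sample input at the end is constructed.

```shell
# Audit whether a kernel pairs secure-boot lockdown with VFIO no-IOMMU mode.
# Without an IOMMU a user-space VFIO driver can direct device DMA at any memory.

# vfio_noiommu_config CONFIG_TEXT -> prints y, n or unset
vfio_noiommu_config() {
    case "$1" in
        *"CONFIG_VFIO_NOIOMMU=y"*)            echo y ;;
        *"# CONFIG_VFIO_NOIOMMU is not set"*) echo n ;;
        *)                                    echo unset ;;
    esac
}

# lockdown_mode SYSFS_TEXT -> active mode; the file reads like "none [integrity] confidentiality"
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# verdict CONFIG_TEXT LOCKDOWN_TEXT PARAM -> one-line finding. PARAM is the content of
# /sys/module/vfio/parameters/enable_unsafe_noiommu_mode (Y/N, empty if absent).
verdict() {
    cfg=$(vfio_noiommu_config "$1")
    mode=$(lockdown_mode "$2")
    if [ "$cfg" = y ] && [ -n "$mode" ] && [ "$mode" != none ]; then
        if [ "$3" = Y ]; then
            echo "CRITICAL: lockdown=$mode but VFIO no-IOMMU mode is built in and enabled"
        else
            echo "WARNING: lockdown=$mode but CONFIG_VFIO_NOIOMMU=y (enable_unsafe_noiommu_mode can switch it on)"
        fi
    elif [ "$cfg" = y ]; then
        echo "INFO: CONFIG_VFIO_NOIOMMU=y and no lockdown active"
    else
        echo "OK: VFIO no-IOMMU mode not built in (config: $cfg)"
    fi
}

# Live check of the running kernel (Debian ships the config under /boot).
audit_running_kernel() {
    k="/boot/config-$(uname -r)"
    if [ -r "$k" ]; then cfg_text=$(cat "$k")
    elif [ -r /proc/config.gz ]; then cfg_text=$(zcat /proc/config.gz)
    else cfg_text=""; fi
    verdict "$cfg_text" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null || true)" \
        "$(cat /sys/module/vfio/parameters/enable_unsafe_noiommu_mode 2>/dev/null || true)"
}

# Constructed sample: option built in, integrity lockdown, parameter at its default N.
verdict 'CONFIG_VFIO=m
CONFIG_VFIO_NOIOMMU=y' 'none [integrity] confidentiality' N
```

Run `audit_running_kernel` on a host to check the live kernel; /sys/kernel/security/lockdown only exists when securityfs is mounted and the kernel has lockdown support.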
Thread:

- [arm64] secure boot breach via VFIO_NOIOMMU, Bastian Blank <waldi@debian.org>, 2023-12-13 23:10 +0100
- Re: [arm64] secure boot breach via VFIO_NOIOMMU, Salvatore Bonaccorso <carnil@debian.org>, 2023-12-14 09:30 +0100
- Re: [arm64] secure boot breach via VFIO_NOIOMMU, Steve McIntyre <steve@einval.com>, 2023-12-14 16:10 +0100