Bug 1498159

Summary: incorrect downstream-only Platform Reset Attack Mitigation patch in the F24-F26 kernels
Product: Fedora
Reporter: Laszlo Ersek <lersek>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: airlied, ajax, bskeggs, eparis, esandeen, hdegoede, ichavero, itamar, jarodwilson, jforbes, jglisse, jonathan, josef, jwboyer, kernel-maint, labbott, linville, mchehab, mjg59, nhorman, quintela, steved
Hardware: Unspecified
OS: Unspecified
Fixed In Version: kernel-4.14.4-200.fc26
Last Closed: 2017-12-13 09:57:51 UTC
Type: Bug

Description Laszlo Ersek 2017-10-03 15:05:40 UTC
The patch called "Enable cold boot attack mitigation" (applied as part of "efi-lockdown.patch") is incorrect; it creates the MemoryOverwriteRequestControl UEFI variable even if the firmware platform does not support it. Only the platform firmware should create this variable; the OS kernel should only read and write it, but never create it.

According to the "TCG Platform Reset Attack Mitigation Specification", version 1.0, May 15, 2008,

5 Interface for UEFI
5.1 UEFI Variable
5.1.1 The MemoryOverwriteRequestControl
Start of informative comment:
[...]
The OS loader should not create the variable. Rather, the firmware is required to create it and must support the semantics described here.
[...]

The patch included in the F24-F26 kernels does not check for the existence of the variable; it only sets it. If the variable is missing, the OS creates it, which is wrong.

- Fedora 26:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=65673e37e61d

- Fedora 25:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=1f4e5e657685

- Fedora 24:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=677765d4db8e

More details:
https://lists.01.org/pipermail/edk2-devel/2017-September/015526.html

An updated variant of the same patch is scheduled for release in the upstream v4.14 kernel (it's part of v4.14-rc1); this version of the patch *does* check for the existence of the UEFI variable.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccc829ba3624b

Please replace the old variant of the patch with the new variant. Thanks.

Comment 1 Laszlo Ersek 2017-12-13 09:43:23 UTC
The upstream patch I mentioned in comment 0 has indeed been released as part of v4.14: commit ccc829ba3624 ("efi/libstub: Enable reset attack mitigation", 2017-08-26).

Comment 2 Laszlo Ersek 2017-12-13 09:52:45 UTC
Fedora 26 was rebased to v4.14 in dist-git commit c75cb4d7fbb5 ("Linux v4.14.4 rebase", 2017-12-08).

Among other things, this dist-git commit modified "efi-lockdown.patch", and removed:

Subject: [PATCH 27/32] Enable cold boot attack mitigation

(see 65673e37e61d in comment 0).

So, I guess this bug is fixed, in Fedora 26.

Fedora 24 is no longer supported, but Fedora 25 appears to be; I'm moving this report to F25 then. (Latest upstream base for F25 seems to be v4.13.16, from dist-git commit c75cb4d7fbb5, "Linux v4.14.4 rebase", 2017-12-08).

... LOL, Bugzilla doesn't let me change the Version field to "25"! What gives?

Comment 3 Laszlo Ersek 2017-12-13 09:57:51 UTC
Sorry, I managed to confuse myself -- F25 reached End-of-Life just yesterday, according to Wikipedia. Closing this one for good.