Bug 1498159 - incorrect downstream-only Platform Reset Attack Mitigation patch in the F24-F26 kernels
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-10-03 15:05 UTC by Laszlo Ersek
Modified: 2017-12-13 09:57 UTC (History)

Fixed In Version: kernel-4.14.4-200.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-13 09:57:51 UTC
Type: Bug



Description Laszlo Ersek 2017-10-03 15:05:40 UTC
The patch called "Enable cold boot attack mitigation" (applied as part of "efi-lockdown.patch") is incorrect; it creates the MemoryOverwriteRequestControl UEFI variable even if the firmware platform does not support it. Only the platform firmware should create this variable; the OS kernel should only read and write it, but never create it.

According to the "TCG Platform Reset Attack Mitigation Specification", version 1.0, May 15, 2008,

5 Interface for UEFI
5.1 UEFI Variable
5.1.1 The MemoryOverwriteRequestControl
Start of informative comment:
[...]
The OS loader should not create the variable. Rather, the firmware is required to create it and must support the semantics described here.
[...]

The patch included by the F24-F26 kernels does not check for the existence of the variable; it only sets the variable. If the variable is missing, then the OS creates it, which is wrong.

- Fedora 26:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=65673e37e61d

- Fedora 25:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=1f4e5e657685

- Fedora 24:
  https://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git/commit/?id=677765d4db8e

More details:
https://lists.01.org/pipermail/edk2-devel/2017-September/015526.html

An updated variant of the same patch is scheduled for release in the upstream v4.14 kernel (it's part of v4.14-rc1); this version of the patch *does* check for the existence of the UEFI variable.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccc829ba3624b

Please replace the old variant of the patch with the new variant. Thanks.

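The difference between the two variants of the patch, as an added illustration that is not code from the report, from the Fedora kernel, or from upstream: a constructed in-memory stand-in for the UEFI variable store (names only, no GUID; attribute and status constants abbreviated) with one routine that writes MemoryOverwriteRequestControl unconditionally, so that SetVariable creates it when the firmware never did, and one that calls GetVariable first and only sets bit 0 (clear memory on the next reset) when the firmware-created variable is present. The function and struct names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the UEFI variable store; real code goes through the
 * EFI runtime/boot services and identifies the variable by name plus GUID. */
#define MOR_CONTROL_NAME     "MemoryOverwriteRequestControl"
#define MOR_CLEAR_MEMORY_BIT 0x01u   /* bit 0: firmware must clear memory on reset */

#define EFI_SUCCESS          0
#define EFI_OUT_OF_RESOURCES 9
#define EFI_NOT_FOUND        14

#define EFI_VARIABLE_NON_VOLATILE       0x1u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x2u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x4u
#define MOR_ATTRS (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | \
                   EFI_VARIABLE_RUNTIME_ACCESS)

#define MAX_VARS 8

struct efi_var {
    bool     present;
    char     name[48];
    uint32_t attr;
    uint8_t  data;      /* MORControl is a single byte */
};

struct var_store {
    struct efi_var vars[MAX_VARS];
};

static struct efi_var *find_var(struct var_store *s, const char *name)
{
    for (size_t i = 0; i < MAX_VARS; i++)
        if (s->vars[i].present && strcmp(s->vars[i].name, name) == 0)
            return &s->vars[i];
    return NULL;
}

/* GetVariable(): EFI_NOT_FOUND when the firmware never created the variable. */
static int efi_get_variable(struct var_store *s, const char *name,
                            uint32_t *attr, uint8_t *val)
{
    struct efi_var *v = find_var(s, name);
    if (!v)
        return EFI_NOT_FOUND;
    *attr = v->attr;
    *val = v->data;
    return EFI_SUCCESS;
}

/* SetVariable(): like the real service, creates the variable if it is absent. */
static int efi_set_variable(struct var_store *s, const char *name,
                            uint32_t attr, uint8_t val)
{
    struct efi_var *v = find_var(s, name);
    if (!v) {
        for (size_t i = 0; i < MAX_VARS && !v; i++)
            if (!s->vars[i].present)
                v = &s->vars[i];
        if (!v)
            return EFI_OUT_OF_RESOURCES;
        v->present = true;
        strncpy(v->name, name, sizeof(v->name) - 1);
        v->name[sizeof(v->name) - 1] = '\0';
    }
    v->attr = attr;
    v->data = val;
    return EFI_SUCCESS;
}

bool mor_variable_exists(struct var_store *s)
{
    return find_var(s, MOR_CONTROL_NAME) != NULL;
}

/* Downstream F24-F26 behaviour as the report describes it: write without
 * checking, so on a platform without the variable the OS creates it. */
int enable_mitigation_unchecked(struct var_store *s)
{
    return efi_set_variable(s, MOR_CONTROL_NAME, MOR_ATTRS, MOR_CLEAR_MEMORY_BIT);
}

/* Corrected behaviour: read first; if the firmware did not create the variable
 * the platform does not support the mitigation, so leave the store untouched. */
int enable_mitigation_checked(struct var_store *s)
{
    uint32_t attr;
    uint8_t val;
    int status = efi_get_variable(s, MOR_CONTROL_NAME, &attr, &val);
    if (status != EFI_SUCCESS)
        return status;
    return efi_set_variable(s, MOR_CONTROL_NAME, attr, val | MOR_CLEAR_MEMORY_BIT);
}

/* Scenario 1 (constructed): firmware without MORControl. Returns whether the
 * OS-side routine ended up creating the variable. */
bool os_created_variable(int (*enable)(struct var_store *))
{
    struct var_store s;
    memset(&s, 0, sizeof(s));
    enable(&s);
    return mor_variable_exists(&s);
}

/* Scenario 2 (constructed): firmware created MORControl with bit 0 clear.
 * Returns the byte value after the checked routine ran, or -1 if absent. */
int mor_value_after_checked_enable(void)
{
    struct var_store s;
    memset(&s, 0, sizeof(s));
    efi_set_variable(&s, MOR_CONTROL_NAME, MOR_ATTRS, 0);   /* firmware's job */
    if (enable_mitigation_checked(&s) != EFI_SUCCESS)
        return -1;
    struct efi_var *v = find_var(&s, MOR_CONTROL_NAME);
    return v ? v->data : -1;
}
```

On a platform whose firmware implements the specification, both routines end with bit 0 set; the two only diverge on firmware that never created the variable, which is exactly the case the report is about.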
Comment 1 Laszlo Ersek 2017-12-13 09:43:23 UTC
The upstream patch I mentioned in comment 0 has indeed been released as part of v4.14: commit ccc829ba3624 ("efi/libstub: Enable reset attack mitigation", 2017-08-26).

Comment 2 Laszlo Ersek 2017-12-13 09:52:45 UTC
Fedora 26 was rebased to v4.14 in dist-git commit c75cb4d7fbb5 ("Linux v4.14.4 rebase", 2017-12-08).

Among other things, this dist-git commit modified "efi-lockdown.patch", and removed:

Subject: [PATCH 27/32] Enable cold boot attack mitigation

(see 65673e37e61d in comment 0).

So, I guess this bug is fixed, in Fedora 26.

Fedora 24 is no longer supported, but Fedora 25 appears to be; I'm moving this report to F25 then. (Latest upstream base for F25 seems to be v4.13.16, from dist-git commit c75cb4d7fbb5, "Linux v4.14.4 rebase", 2017-12-08).

... LOL, Bugzilla doesn't let me change the Version field to "25"! What gives?

Comment 3 Laszlo Ersek 2017-12-13 09:57:51 UTC
Sorry, I managed to confuse myself -- F25 reached End-of-Life just yesterday, according to Wikipedia. Closing this one for good.

