[Bug 843661] New: Need to enable kernel module signing to avoid the signed shim becoming an attack vector
https://bugzilla.novell.com/show_bug.cgi?id=843661#c0

Summary: Need to enable kernel module signing to avoid the signed shim becoming an attack vector
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Beta 1
Platform: x86-64
OS/Version: openSUSE 12.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: jlee@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

We need to enable kernel module signing to avoid the openSUSE shim/bootloader/kernel becoming an attack vector.

We need to enable the kernel module signing function in the openSUSE kernel so that an attacker cannot use the openSUSE shim/bootloader/kernel to attack other OSes. An attacker can add the openSUSE zypper repository to install the openSUSE shim/bootloader/kernel on a system, then boot into the openSUSE kernel, which has no kernel module signing function to verify a malicious kernel module. That means the secure boot of this hacked system becomes invalid.

Because openSUSE would be an attack vector, the openSUSE shim may be listed in dbx, i.e. revoked by Microsoft.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=843661

Max Lin <mlin@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |mlin@suse.com
           Flag|                            |SHIP_STOPPER?
https://bugzilla.novell.com/show_bug.cgi?id=843661#c1

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |coolo@suse.com,
               |                            |fcrozat@suse.com,
               |                            |mls@suse.com

--- Comment #1 from Stephan Kulow <coolo@suse.com> 2013-10-02 11:39:15 CEST ---
We had this discussion before and decided not to do that for openSUSE. Just as with the same discussion in 12.3, there is no word in any requirement from Microsoft that the OS needs to be "attack vector free". I'd go for WONTFIX.
https://bugzilla.novell.com/show_bug.cgi?id=843661#c2

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |lnussel@suse.com

--- Comment #2 from Ludwig Nussel <lnussel@suse.com> 2013-10-02 11:42:27 CEST ---
Ack. To the best of our knowledge, adding extra kernel lockdown is not mandated by secure boot. The secure boot protocol ends when the kernel is loaded. Any measurements taken after that point are optional and unrelated to secure boot. So for openSUSE it was decided not to add the massive patches needed for kernel lockdown.
https://bugzilla.novell.com/show_bug.cgi?id=843661#c4

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Flag|SHIP_STOPPER?               |SHIP_STOPPER-

--- Comment #4 from Stephan Kulow <coolo@suse.com> 2013-10-14 10:59:54 CEST ---
No lockdown for 13.1.
https://bugzilla.novell.com/show_bug.cgi?id=843661

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed                                 |Added
----------------------------------------------------------------------------
             CC|                                        |tiwai@suse.com
     AssignedTo|kernel-maintainers@forge.provo.novell.com|jlee@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=843661#c5

Joey Lee <jlee@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|                            |FIXED

--- Comment #5 from Joey Lee <jlee@suse.com> 2014-03-18 07:06:57 UTC ---
We chose not to enable kernel module signing on openSUSE, but shim will provide a UI at first installation for the user to trust/enroll the SUSE key into the EFI BIOS when secure boot is enabled.
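As an added example (not from the bug report or the openSUSE project), a POSIX shell script that tells a defender where a given kernel stands on the point argued in this thread: whether the signed boot chain ends at kernel load, or continues into module loading because unsigned modules are refused. It assumes only the standard Kconfig symbols and the sysfs knob that kernels built with CONFIG_MODULE_SIG expose; the sample configs are constructed, not real openSUSE 13.1 configs.

```shell
#!/bin/sh
# posture_from_config CONFIG_TEXT
#   Takes Kconfig text (e.g. from /boot/config-$(uname -r) or zcat /proc/config.gz)
#   and prints one of:
#     enforced   - modules are signature-checked and unsigned ones are refused
#     permissive - signatures are checked, but an unsigned module still loads (it only taints)
#     none       - the kernel has no module signature support at all
posture_from_config() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_MODULE_SIG=y'; then
        if printf '%s\n' "$1" | grep -qx 'CONFIG_MODULE_SIG_FORCE=y'; then
            echo enforced
        else
            echo permissive
        fi
    else
        echo none
    fi
}

# posture_of_running_kernel
#   Prefers the live sysfs knob: sig_enforce reads Y when unsigned modules are rejected,
#   and the file is absent on kernels built without CONFIG_MODULE_SIG. Falls back to the
#   installed config file, and reports "unknown" if neither is readable.
posture_of_running_kernel() {
    knob=/sys/module/module/parameters/sig_enforce
    if [ -r "$knob" ]; then
        case "$(cat "$knob")" in
            Y) echo enforced ;;
            *) echo permissive ;;
        esac
    elif [ -r "/boot/config-$(uname -r)" ]; then
        posture_from_config "$(cat "/boot/config-$(uname -r)")"
    else
        echo unknown
    fi
}

# Constructed sample configs covering the three outcomes.
CFG_ENFORCED='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y'
CFG_PERMISSIVE='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set'
CFG_NONE='# CONFIG_MODULE_SIG is not set'

echo "sample enforced:   $(posture_from_config "$CFG_ENFORCED")"
echo "sample permissive: $(posture_from_config "$CFG_PERMISSIVE")"
echo "sample none:       $(posture_from_config "$CFG_NONE")"
echo "this kernel:       $(posture_of_running_kernel)"
```

Only "enforced" closes the gap the reporter describes; "permissive" still lets an unsigned module run with kernel privileges under a signed shim/bootloader/kernel chain.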