
Attacking the kernel via its command line

Posted Jun 21, 2017 1:03 UTC (Wed) by thestinger (guest, #91827)
In reply to: Attacking the kernel via its command line by corbet
Parent article: Attacking the kernel via its command line

> is based on the clear facts

Those aren't clear facts, they're a distortion of reality. You're making claims and refusing to justify them.

> the developers who have actually done the work to implement secure boot on Linux believe that the system software must remain in control at all times

So all you have is an argument from authority and the implication that I am not a developer that has worked on verified boot, which is completely false. Distributions like Fedora don't currently have a meaningful secure / verified boot implementation. Unlike others, they haven't done the work to ship the feature.

The developers that have actually done the work to implement meaningful secure boot on Linux (i.e. Google and others) don't use this cargo cult definition of it.

> command-line and module parameters that could be used to defeat that control must be disabled

They still can be with every single one of these bugs fixed.

> Given that mindset, this bug must be seen as a security bug.

The logic doesn't follow. It's only a security bug if a meaningful security feature / security boundary is bypassed. In order for that to matter, there would need to be a more complete verified boot implementation and the kernel line would need to be untrusted. The Linux kernel considers it ultimately trusted. There is no code anywhere to change that. The referenced changes about module parameters, etc. do not change that.

> You don't have to believe that mindset. I don't run locked-down kernels on my systems. But developers whose opinion matters do believe that. I cannot grasp the concept that reporting on this is to "leave out entire aspects of the story". This is a story about a command-line parsing bug...

Okay, just an argument from authority then, and no willingness to actually address the issues pointed out with this reasoning.


Attacking the kernel via its command line

Posted Jun 21, 2017 7:24 UTC (Wed) by marcH (subscriber, #57642)

You're right but you talk too much; so people stop paying attention.

A picture is worth a thousand words. This type of CVE has been pictured many times already. Just re-share one of these pictures and spend your time more productively: https://www.google.com/search?q=security+gate+fail&tb...

Attacking the kernel via its command line

Posted Jun 21, 2017 12:57 UTC (Wed) by corbet (editor, #1)

No argument from authority. Just a simple statement that a point of view exists and is reasonably widely held, and that, from that point of view, this bug is a security issue.

I understand that you disagree with that point of view. I have not stated my own position with regard to it, so you do not know where I am coming from. Neither of us knows what the author of the article believes. But the fact that "thestinger" reacts like a battered beehive when that point of view is expressed does not make it — or the disagreement over whether this is a security bug — go away.

Attacking the kernel via its command line

Posted Jun 21, 2017 13:14 UTC (Wed) by thestinger (guest, #91827)

> No argument from authority

That's *exactly* what you were doing.

> is reasonably widely held

I'm sure where you're getting that data from. It's a very small minority opinion based on off-list talk about it, and there aren't people willing to stand behind it and lay out a justification beyond vague claims.

> Neither of us knows what the author of the article believes

The article presents a case and cherry picks supporting information. A security researcher at Google pointed me to it and referred to it as "highly opinionated".

Attacking the kernel via its command line

Posted Jun 21, 2017 18:48 UTC (Wed) by rahvin (guest, #16953)

If those opinions are the ones held by the kernel development team responsible for these features and this discussion is limited to Linux, then it really doesn't matter what anyone else thinks, because the people in charge are the ones that are going to make the decision.

You're attacking the article for simply reporting that. You're free to disagree, and you're still free to try to convince those developers of the error of their ways. None of this changes the fact that the people with control believe a certain way; the article itself makes no claim of whether that's the right path, only that the people in charge believe it is.

In summary, stop attacking the reporting.

Attacking the kernel via its command line

Posted Jun 22, 2017 5:28 UTC (Thu) by thestinger (guest, #91827)

> If those opinions are the ones held by the kernel development team responsible for these features and this discussion is limited to Linux, then it really doesn't matter what anyone else thinks, because the people in charge are the ones that are going to make the decision.

They aren't opinions held by kernel developers.

> You're attacking the article for simply reporting that. You're free to disagree, and you're still free to try to convince those developers of the error of their ways. None of this changes the fact that the people with control believe a certain way; the article itself makes no claim of whether that's the right path, only that the people in charge believe it is.

People in charge of kernel development weren't involved.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds