
core/fast-reboot: disable fast-reboot when firmware secureboot is enabled

Message ID 20200408221420.1087-1-erichte@linux.ibm.com
State Rejected
Series core/fast-reboot: disable fast-reboot when firmware secureboot is enabled

Checks

Context | Check | Description
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco | success | Signed-off-by present
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot | fail | Test snowpatch/job/snowpatch-skiboot on branch master
snowpatch_ozlabs/apply_patch | success | Successfully applied on branch master (e991415a88dbfd6c1690c5c2d8840288f45ec925)

Commit Message

Eric Richter April 8, 2020, 10:14 p.m. UTC
The possible impact of the current fast-reboot design on secure/trusted
boot is unclear, and will likely need additional review and testing.
While fast-reboot is disabled by default, it can be enabled by two
nvram parameters -- one of which circumvents the built-in
disable_fast_reboot() mechanism.

This patch prevents all calls to fast_reboot() when firmware secure boot
is enabled.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 core/fast-reboot.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Oliver O'Halloran April 15, 2020, 3:54 a.m. UTC | #1
On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>
> The possible impact of the current fast-reboot design on secure/trusted
> boot is unclear and will likely need additional review and testing.

Are you really expecting me to hard disable fast reboot on the basis
of "I don't understand what this does"?

We looked at it years ago and decided that the interaction with
firmware secureboot was fine since a fast-reboot is roughly the same
as a kexec between host kernels. If you think that's wrong (it might
be) then provide an actual explanation as to why.

Oliver
Stewart Smith April 15, 2020, 6:27 a.m. UTC | #2
> On 14 Apr 2020, at 20:54, Oliver O'Halloran <oohall@gmail.com> wrote:
> 
> On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>> 
>> The possible impact of the current fast-reboot design on secure/trusted
>> boot is unclear and will likely need additional review and testing.
> 
> Are you really expecting me to hard disable fast reboot on the basis
> of "I don't understand what this does"?
> 
> We looked at it years ago and decided that the interaction with
> firmware secureboot was fine since a fast-reboot is roughly the same
> as a kexec between host kernels. If you think that's wrong (it might
> be) then provide an actual explanation as to why.

In-band reboot can’t ever be trusted anyway (how do you prove it did reboot?), so I don’t see how fast reboot is different.
Eric Richter April 16, 2020, 8:05 p.m. UTC | #3
On 4/14/20 10:54 PM, Oliver O'Halloran wrote:
> On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>>
>> The possible impact of the current fast-reboot design on secure/trusted
>> boot is unclear and will likely need additional review and testing.
> 
> Are you really expecting me to hard disable fast reboot on the basis
> of "I don't understand what this does"?
> 
> We looked at it years ago and decided that the interaction with
> firmware secureboot was fine since a fast-reboot is roughly the same
> as a kexec between host kernels. If you think that's wrong (it might
> be) then provide an actual explanation as to why.
> 
> Oliver
> 

We had concerns over OS secure boot, but after further discussions, decided
that this is something we will document and potentially address in a later
release.

There is a potential issue regarding trusted boot -- only the firmware
measurement log will be persisted. Any higher-level, non-resettable PCRs will
not be able to be recalculated, which is a definite problem with IMA/kexec
measurements in skiroot for example. Since this isn't a strong blocking issue
however, we will include a strong recommendation against using this feature
in our documentation.

Patch

diff --git a/core/fast-reboot.c b/core/fast-reboot.c
index 02f0ca05..c4361bb1 100644
--- a/core/fast-reboot.c
+++ b/core/fast-reboot.c
@@ -23,6 +23,8 @@ 
 #include <ipmi.h>
 #include <direct-controls.h>
 #include <nvram.h>
+#include <types.h>
+#include <secureboot.h>
 
 /* Flag tested by the OPAL entry code */
 static volatile bool fast_boot_release;
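Review bot: the added `#include <types.h>` looks unnecessary for this hunk: the unchanged context directly below already declares `static volatile bool fast_boot_release;`, so whatever provides `bool` is already included, and the only new symbol used by the patch is `is_fw_secureboot()`, which should come from `<secureboot.h>`. Dropping the extra include keeps the change minimal.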
@@ -109,6 +111,12 @@  void fast_reboot(void)
 		return;
 	}
 
+	if (is_fw_secureboot()) {
+		prlog(PR_DEBUG,
+		      "RESET: Fast reboot disabled by FW secureboot\n");
+		return;
+	}
+
 	/*
 	 * Ensure all other CPUs have left OPAL calls.
 	 */
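Review bot: the early return is logged at PR_DEBUG, which will not be visible at default log levels, so an operator who deliberately enabled fast-reboot through the nvram parameters named in the commit message and then gets a full IPL has no indication that firmware secureboot overrode their setting; consider PR_NOTICE (or at least PR_INFO) for "RESET: Fast reboot disabled by FW secureboot". A one-line comment above the new `if (is_fw_secureboot())` block stating that the secureboot check intentionally takes precedence over the nvram override would also make the policy explicit to future readers, since the commit message says one of those parameters otherwise bypasses disable_fast_reboot().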