Mitigations against event type manipulation in UEFI eventlog #816
Conversation
|
@kkaarreell the Fedora rawhide tests are currently failing. Is there something that we can fix them or can we just disable them until the issue in rawhide itself is solved? |
|
According to @sergio-correia same patches as in Re tests, do you mean disable them all or just on Rawhide? |
|
@kkaarreell: there was a bug open for it already [1], so I just added a comment there some days ago. The maintainer of |
|
@THS-on Would you mind adding a commit that replaces |
|
@kkaarreell done. The tests now pass. |
EvSeperatorTest and EvEfiActionTest are test for common constant values in the event log. OnceTest is a test that can be only run once successfully. This is useful for events that we only expect once in the log. It prohibits that this test can be reused to validate other entries by changing the event type. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
THS-on
force-pushed
the
mb-mitigations
branch
from
b3de10e
to
83c13ce
Compare
|
This looks good to me, but probably needs someone from @maugustosilva 's team to look it over since they did the initial implementation. |
|
@maugustosilva any chance you could take a look at these changes? |
|
Passes all my tests, let's merge |
This provides the initial hardening of the example policy against event type manipulation.
This not directly an issue with Keylime, because the UEFI eventlog does not include the metadata in the hash that is used to extend the PCR. The original issue can be found here: https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md
The most effective way to mitigate against that is to reduce the usage of
acceptAlland limit how often they can be used.As discussed with @mpeters we will first update our example policy and then provide documentation on how to write custom policies.