[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Re[2]: 'password' command in GRUB 2?
From: |
Michal Suchanek |
Subject: |
Re: Re[2]: 'password' command in GRUB 2? |
Date: |
Tue, 25 Aug 2009 20:55:09 +0200 |
2009/8/25 Vladimir 'phcoder' Serbinenko <address@hidden>:
>> Does it has the same problem as CVE-2008-3896 published for grub-legacy?
> It's completely different concern. Actually BIOS keyboard buffer
> shouldn't be a problem since only root can read raw memory and if user
> is a root he can just kexec any kernel he wants.
> I could add keyboard buffer wiping to my sendkey work but it only
> offsets the problem since same info is stored in RAM by grb anyway.
> The only solution I see for second problem is to make grub_free shred
> the memory and ensuring all sensitive fields are dynamically allocated
> and free'ed before boot (last part makes code cleaner too). Actually I
> have done some experiments with replacing grub_sprintf with
> grub_asprintf which revealed many spot of suboptimal code too.
> After all I think this is worth to do (wiping keyboard buffer and
> making grub_free wipe the memory). But it doesn't destroy the info
> which was in memory before grub booted. Doing so may take significant
> booting time (to be tested) but may be desirable in some cases.
Ever tried memtest?
Depending on the speed of the memory bus and memory size I would
expect doing a single write over the whole ram would take seconds to a
few tens of seconds.
Not unreasonable if you don't boot often but unless it's in the range
of seconds I probably would not use such feature.
However, that CVE is about grub leaving its passwords in memory.
Wiping memory used by grub should be fast - orders of magnitude faster
than loading the OS kernel for example.
Thanks
Michal
Thanks
Michal
- Re: Re[2]: 'password' command in GRUB 2?, (continued)
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/19
- Re: Re[2]: 'password' command in GRUB 2?, Robert Millan, 2009/08/20
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/21
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/22
- Re: Re[2]: 'password' command in GRUB 2?, Robert Millan, 2009/08/23
- Re: Re[2]: 'password' command in GRUB 2?, Robert Millan, 2009/08/24
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/24
- Re: Re[2]: 'password' command in GRUB 2?, Felix Zielcke, 2009/08/25
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/25
- Re: Re[2]: 'password' command in GRUB 2?,
Michal Suchanek <=
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/25
- Re: Re[2]: 'password' command in GRUB 2?, Michal Suchanek, 2009/08/26
- Re: Re[2]: 'password' command in GRUB 2?, Vladimir 'phcoder' Serbinenko, 2009/08/26
- Re: Re[2]: 'password' command in GRUB 2?, Robert Millan, 2009/08/28