Sherry Moore wrote:
> Hi Garrett,
>
> Thanks for raising the concern. I talked with Gary Winiger and he said
> that zeroing memory on boot/reboot is not a security requirement.
>
>
>> One possible concern I think I raised has to do with the fact that memory
>> may not be cleared. I worry that going from one boot to another, you could
>> have random bits in memory which you'd rather not expose. This is
>> especially true if you fast reboot from a BE with one set of permissions to
>> another one that might have different permissions.
>>
>
> 1. With non-malicious new kernel
>
> It probably won't do anything with whatever random bits are exposed
> from the previous boot.
>
> From the perspective of correctness, kernel text and data are
> reloaded, BSS cleared. When the kernel allocates memory, it either
> explicitly requests zeroed memory, or it zeros memory itself.
> The VM layer can guarantee user processes are given zero-filled
> memory.
>
> The new kernel does not use anything left in memory from the old
> kernel, so if file permissions have changed, the new kernel honors
> the new permission. As a matter of fact, the new kernel has no
> recollection of the existence of a previous kernel.
>
> 2. With malicious new kernel
>
> For a system to be fast rebooted to a malicious new kernel, the
> malicious user would have to have gained privilege control of the
> system. If the malicious user already had privilege control of the
> system, all bets are off anyway.
>
It's case 2 that I worry about, and really the concern is booting to an
alternate BE. (Obviously rebooting the same BE should not be a problem.)
I wonder if a small NOTE in the man page indicating that memory is not
cleared, and therefore fast reboot should not be used to boot to
alternative and untrusted environments is appropriate.
-- Garrett
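The exchange above turns on one distinction: memory handed to a new owner without being cleared still holds whatever the previous owner left in it, whereas memory the allocator zeroes itself (or fresh anonymous pages from the VM layer) does not. The following is an added user-space illustration of that distinction, not code from the thread or from the fast reboot implementation. It models the kernel's choice with a single static arena and two release policies; the arena size, the secret string, the enum and the helper names are all assumptions made for this example. The `mmap` check relies only on the POSIX guarantee that `MAP_ANONYMOUS` pages are zero-filled.

```c
/* Added example, not part of the mailing-list thread. Models the two
 * behaviours the thread contrasts: a region reused without clearing keeps
 * the previous owner's bytes, while a region scrubbed on release, or a
 * fresh anonymous mapping from the VM layer, comes back zero.
 * Arena size, secret string and helper names are assumptions. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD spelling of the same flag */
#endif

#define ARENA_LEN 4096

/* Constructed secret standing in for "random bits left by the old boot". */
static const char SECRET[] = "constructed-secret-token-0123456789";

/* One region that successive "owners" are handed in turn. */
static unsigned char arena[ARENA_LEN];

enum release_policy { RELEASE_KEEP, RELEASE_SCRUB };

/* Scrub through a volatile pointer so the compiler cannot treat the writes
 * as dead stores and drop them, which a plain memset() before the region is
 * given away is allowed to do. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero, else 0. */
static int is_zeroed(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

static unsigned char *arena_take(void)
{
    return arena;
}

static void arena_release(unsigned char *p, enum release_policy pol)
{
    if (pol == RELEASE_SCRUB)
        scrub(p, ARENA_LEN);
    /* RELEASE_KEEP: hand the region on exactly as the old owner left it */
}

/* Two owners in sequence: the first writes SECRET, the second is given the
 * same region. Returns 1 if the second owner can read the secret, else 0. */
static int secret_leaks(enum release_policy pol)
{
    unsigned char *first = arena_take();
    memcpy(first, SECRET, sizeof SECRET);
    arena_release(first, pol);

    unsigned char *second = arena_take();
    return memcmp(second, SECRET, sizeof SECRET) == 0;
}

/* Fresh anonymous mapping: POSIX requires these pages to be zero-filled, the
 * user-space analogue of the "VM layer" guarantee in the thread.
 * Returns 1 if the mapping is all zero, 0 if not, -1 if mmap failed. */
static int fresh_mapping_is_zero(void)
{
    size_t n = ARENA_LEN;
    void *m = mmap(NULL, n, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    int z = is_zeroed(m, n);
    munmap(m, n);
    return z;
}

int main(void)
{
    printf("secret readable after RELEASE_KEEP:  %d\n", secret_leaks(RELEASE_KEEP));
    printf("secret readable after RELEASE_SCRUB: %d\n", secret_leaks(RELEASE_SCRUB));
    printf("fresh anonymous mapping is zero:     %d\n", fresh_mapping_is_zero());
    return 0;
}
```

The `RELEASE_KEEP` path is the situation Garrett describes: nothing in the hand-off itself removes the old contents, so whether they are exposed depends entirely on what the next owner chooses to do with the region. The `RELEASE_SCRUB` path and the anonymous mapping are the two ways Sherry's reply says a well-behaved kernel avoids reading stale data: zero it yourself, or ask for memory that is guaranteed zero.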