Opened 9 years ago

Last modified 20 months ago

#4443 new enhancement

XO activation lease replay protection

Reported by: mstone
Owned by: cscott
Priority: normal
Milestone:
Component: security
Version:
Keywords: security, activation
Cc: cscott, mstone, krstic, kimquirk
Blocked By:
Blocking: #7397
Deployments affected:
Action Needed:
Verified: no


XOs should accept activation leases exactly once.

Change History (6)

comment:1 Changed 9 years ago by kimquirk

  • Cc kimquirk added
  • Type changed from defect to enhancement

Michael... is this true? What happens when countries want to reinstall images? As is being done in Uruguay right now?

I don't like this feature without more discussion. Is it really a bug / or a feature request?

comment:2 Changed 9 years ago by mstone

It's actually a statement of a security requirement of the "short-term leases" feature. I don't think that it has been implemented. Fortunately, we're not using short-term leases. You should think of this bug as stating that our implementation of the theft-deterrence protocol is not complete until we satisfy ourselves that the initramfs maintains this invariant.

comment:3 Changed 9 years ago by cscott

In particular, once a machine is marked 'stolen', it can be reactivated with a new activation lease. But it can *not* be reactivated with an 'old' activation lease.

I don't think this feature is relevant for passive kill, because once the lease expires it's not useful anyway. We don't have to keep track of expired leases, except to try to detect clock-reset attacks -- and the clock reset attacks could just as easily be mounted *before* the lease expires, so trying to be clever here doesn't buy us much actual security.

Does this match your recollection, Michael?

comment:4 Changed 9 years ago by mstone

This is a basic property of correct lease-checking initramfsen which is orthogonal to the issue of attacks on the substrate of the lease-checker; i.e. the filesystem and the real-time clock. As the ticket states, a correct implementation should accept activation leases exactly once. At the time this ticket was created, I believe we thought that we had greater ability to make small amounts of information expensive to rewrite, e.g. by storing them in the SPI flash or on a protected part of the filesystem.
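The invariant described in comment:3 and comment:4, as an added model that is not part of this ticket or of the OLPC initramfs: a lease checker that honours each lease id at most once, so a fresh lease reactivates a machine but an already-consumed one is rejected even if the clock is rolled back. The lease format, the HMAC stand-in for the issuer signature and the serial numbers are all constructed for the example; the `consumed` set stands in for the tamper-resistant store (SPI flash or a protected filesystem area) that comment:4 says the property depends on.

```python
import hashlib
import hmac
import json
from datetime import datetime
# Constructed demo key: a real issuer signs with a private key and the
# initramfs verifies with the matching public key (assumption, not OLPC's format).
ISSUER_KEY = b"constructed-demo-issuer-key"

def issue_lease(serial, lease_id, expires_at):
    """Build a signed lease bound to one machine serial (hypothetical format)."""
    body = json.dumps({"serial": serial, "lease_id": lease_id,
                       "expires_at": expires_at}, sort_keys=True)
    mac = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class LeaseChecker:
    """Each lease id is accepted at most once; `consumed` must live in storage
    that survives reimaging, or the exactly-once property is lost."""
    def __init__(self, serial, consumed=()):
        self.serial = serial
        self.consumed = set(consumed)

    def accept(self, lease, now):
        expected = hmac.new(ISSUER_KEY, lease["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, lease["mac"]):
            return "bad-signature"
        fields = json.loads(lease["body"])
        if fields["serial"] != self.serial:
            return "wrong-machine"
        if fields["lease_id"] in self.consumed:
            return "replayed"        # decided before the clock is consulted
        if now > datetime.fromisoformat(fields["expires_at"]):
            return "expired"
        self.consumed.add(fields["lease_id"])  # record before activating
        return "accepted"

def demo():
    """Lease A works once; after the machine is reported stolen a new lease B
    reactivates it, but A is refused even with the clock reset to the past."""
    checker = LeaseChecker("SHC00000001")
    lease_a = issue_lease("SHC00000001", "lease-0001", "2024-03-01T00:00:00")
    lease_b = issue_lease("SHC00000001", "lease-0002", "2024-03-01T00:00:00")
    clock = datetime(2024, 1, 15)
    verdicts = {"first": checker.accept(lease_a, clock),
                "replay": checker.accept(lease_a, clock),
                "fresh": checker.accept(lease_b, clock),
                "old_after_clock_reset": checker.accept(lease_a, datetime(2024, 1, 1)),
                "tampered": checker.accept(dict(lease_b, mac="00" * 32), clock),
                "expired": checker.accept(issue_lease("SHC00000001", "lease-0003",
                                                      "2024-03-01T00:00:00"),
                                          datetime(2024, 4, 1))}
    return verdicts
```

Note that the replay check is deliberately placed before the expiry check, which is what makes it independent of the clock-reset concern raised in comment:3.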

comment:5 Changed 9 years ago by cscott

  • Blocking 7397 added

comment:6 Changed 20 months ago by Quozl

  • Milestone 8.2.0 (was Update.2) deleted
