Ticket #4443 (new enhancement)

Opened 7 years ago

Last modified 6 years ago

XO activation lease replay protection

Reported by: mstone
Owned by: cscott
Priority: normal
Milestone: 8.2.0 (was Update.2)
Component: security
Version:
Keywords: security, activation
Cc: cscott, mstone, krstic, kimquirk
Action Needed:
Verified: no
Deployments affected:
Blocked By:
Blocking: #7397

Description

XOs should accept activation leases exactly once.

Change History

Changed 7 years ago by kimquirk

  • cc kimquirk added
  • type changed from defect to enhancement

Michael... is this true? What happens when countries want to reinstall images? As is being done in Uruguay right now?

I don't like this feature without more discussion. Is it really a bug / or a feature request?

Changed 7 years ago by mstone

It's actually a statement of a security requirement of the "short-term leases" feature. I don't think that it has been implemented. Fortunately, we're not using short-term leases. You should think of this bug as stating that our implementation of the theft-deterrence protocol is not complete until we satisfy ourselves that the initramfs maintains this invariant.

Changed 6 years ago by cscott

In particular, once a machine is marked 'stolen', it can be reactivated with a new activation lease. But it can *not* be reactivated with an 'old' activation lease.

I don't think this feature is relevant for passive kill, because once the lease expires it's not useful anyway. We don't have to keep track of expired leases, except to try to detect clock-reset attacks -- and the clock reset attacks could just as easily be mounted *before* the lease expires, so trying to be clever here doesn't buy us much actual security.

Does this match your recollection, Michael?

Changed 6 years ago by mstone

This is a basic property of correct lease-checking initramfsen which is orthogonal to the issue of attacks on the substrate of the lease-checker; i.e. the filesystem and the real-time clock. As the ticket states, a correct implementation should accept activation leases exactly once. At the time this ticket was created, I believe we thought that we had greater ability to make small amounts of information expensive to rewrite, e.g. by storing them in the SPI flash or on a protected part of the filesystem.
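A model of the "accept an activation lease exactly once" invariant discussed in this thread, added here as an illustration; it is not OLPC's initramfs code. The lease field layout, the HMAC stand-in for the real lease signature, and the `state` dict (standing in for a record that is expensive for an attacker to rewrite, e.g. SPI flash) are constructed assumptions.

```python
import hmac, hashlib, json

# Constructed stand-in for the lease signing key. A real lease checker
# would verify a public-key signature from the activation server instead.
SIGNING_KEY = b"constructed-demo-key"

def canonical(lease):
    # Stable byte form of the signed fields (everything except 'sig').
    body = {k: lease.get(k) for k in ("serial", "uuid", "expires", "nonce")}
    return json.dumps(body, sort_keys=True).encode()

def sign_lease(serial, uuid, expires, nonce):
    # 'expires' is seconds since epoch; 'nonce' makes each issued lease unique.
    lease = {"serial": serial, "uuid": uuid, "expires": expires, "nonce": nonce}
    lease["sig"] = hmac.new(SIGNING_KEY, canonical(lease), hashlib.sha256).hexdigest()
    return lease

class LeaseChecker:
    """Lease check with replay protection: each lease is accepted at most once,
    and an 'old' lease cannot be reused after a new one has been issued."""
    def __init__(self, serial, uuid, state=None):
        self.serial, self.uuid = serial, uuid
        # Persisted state: nonces already accepted plus a clock high-water mark
        # (the latter only detects crude clock resets, as the thread notes).
        self.state = state if state is not None else {"accepted": set(), "last_seen": None}

    def check(self, lease, now):
        expected = hmac.new(SIGNING_KEY, canonical(lease), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, lease.get("sig", "")):
            return "bad-signature"
        if lease["serial"] != self.serial or lease["uuid"] != self.uuid:
            return "wrong-machine"
        last = self.state["last_seen"]
        if last is not None and now < last:
            return "clock-rollback"      # clock moved backwards since last check
        self.state["last_seen"] = now
        if now >= lease["expires"]:
            return "expired"             # passive kill: nothing to track here
        if lease["nonce"] in self.state["accepted"]:
            return "replayed"            # the same lease presented a second time
        self.state["accepted"].add(lease["nonce"])
        return "ok"

if __name__ == "__main__":
    # Constructed sample: the first presentation activates, the replay is refused.
    chk = LeaseChecker("SHF7XX001", "uuid-demo-1")
    lease = sign_lease("SHF7XX001", "uuid-demo-1", expires=2000, nonce="n1")
    print(chk.check(lease, now=1000), chk.check(lease, now=1001))
```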

Changed 6 years ago by cscott

  • blocking 7397 added