diff options
Diffstat (limited to 'l.patch')
| -rw-r--r-- | l.patch | 343 |
1 files changed, 343 insertions, 0 deletions
diff --git a/l.patch b/l.patch new file mode 100644 index 00000000000000..5a9432dbcf50b4 --- /dev/null +++ b/l.patch @@ -0,0 +1,343 @@ +[PATCH V6] Documentation/admin-guide: Embargoed hardware security issues + +To address the requirements of embargoed hardware issues, like Meltdown, +Spectre, L1TF etc. it is necessary to define and document a process for +handling embargoed hardware security issues. + +Following the discussion at the maintainer summit 2018 in Edinburgh +(https://lwn.net/Articles/769417/) the volunteered people have worked +out a process and a Memorandum of Understanding. The latter addresses +the fact that the Linux kernel community cannot sign NDAs for various +reasons. + +The initial contact point for hardware security issues is different from +the regular kernel security contact to provide a known and neutral +interface for hardware vendors and researchers. The initial primary +contact team is proposed to be staffed by Linux Foundation Fellows, who +are not associated to a vendor or a distribution and are well connected +in the industry as a whole. + +The process is designed with the experience of the past incidents in +mind and tries to address the remaining gaps, so future (hopefully rare) +incidents can be handled more efficiently. It won’t remove the fact, +that most of this has to be done behind closed doors, but it is set up +to avoid big bureaucratic hurdles for individual developers. + +The process is solely for handling hardware security issues and cannot +be used for regular kernel (software only) security bugs. + +This memo can help with hardware companies who, and I quote, "[my +manager] doesn't want to bet his job on the list keeping things secret." +This despite numerous leaks directly from that company over the years, +and none ever so far from the kernel security team. Cognitive +dissidence seems to be a requirement to be a good manager. + +To accelerate the adoption of this process, we introduce the concept of +ambassadors in participating companies. The ambassadors are there to +guide people to comply with the process, but are not automatically +involved in the disclosure of a particular incident. + +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Reviewed-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + Documentation/admin-guide/embargoed-hardware-issues.rst | 281 ++++++++++++++++ + Documentation/admin-guide/index.rst | 1 + 2 files changed, 282 insertions(+) + +--- /dev/null ++++ b/Documentation/admin-guide/embargoed-hardware-issues.rst +@@ -0,0 +1,281 @@ ++.. _embargoedhardwareissues: ++ ++Embargoed hardware issues ++========================= ++ ++Scope ++----- ++ ++Hardware issues which result in security problems are a different category ++of security bugs than pure software bugs which only affect the Linux ++kernel. ++ ++Hardware issues like Meltdown, Spectre, L1TF etc. must be treated ++differently because they usually affect all Operating Systems (“OS“) and ++therefore need coordination across different OS vendors, distributions, ++hardware vendors and other parties. For some of the issues, software ++mitigations can depend on microcode or firmware updates, which need further ++coordination. ++ ++.. _Contact: ++ ++Contact ++------- ++ ++The Linux kernel hardware security team is separate from the regular Linux ++kernel security team. ++ ++The team is only handling the coordination of embargoed hardware security ++issues. Reports of pure software security bugs in the Linux kernel are not ++handled by this team and the reporter will be guided to contact the regular ++Linux kernel security team (:ref:`Documentation/admin-guide/ ++<securitybugs>`) instead. ++ ++The team can be contacted by email at <hardware-security@kernel.org>. This ++is a private list of security officers who will help you to coordinate an ++issue according to our documented process. ++ ++The list is encrypted and email to the list can be sent by either PGP or ++S/MIME encrypted and must be signed with the reporter's PGP key or S/MIME ++certificate. The list's PGP key and S/MIME certificate are available from ++https://www.kernel.org/.... ++ ++While hardware security issues are often handled by the affected hardware ++vendor, we welcome contact from researchers or individuals who identified a ++potential hardware flaw. ++ ++Hardware security officers ++^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++The current team of hardware security officers: ++ ++ - Linus Torvalds (Linux Foundation Fellow) ++ - Greg Kroah-Hartman (Linux Foundation Fellow) ++ - Thomas Gleixner (Linux Foundation Fellow) ++ ++Operation of mailing-lists ++^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++The encrypted mailing-lists which are used in our process are hosted on ++Linux Foundation's IT infrastructure. By providing this service Linux ++Foundation's director of IT Infrastructure security technically has the ++ability to access the embargoed information, but is obliged to ++confidentiality by his employment contract. Linux Foundation's director of ++IT Infrastructure security is also responsible for the kernel.org ++infrastructure. ++ ++The Linux Foundation's current director of IT Infrastructure security is ++Konstantin Ryabitsev. ++ ++ ++Non-disclosure agreements ++------------------------- ++ ++The Linux kernel hardware security team is not a formal body and therefore ++unable to enter into any non-disclosure agreements. The kernel community ++is aware of the sensitive nature of such issues and offers a Memorandum of ++Understanding instead. ++ ++ ++Memorandum of Understanding ++--------------------------- ++ ++The Linux kernel community has a deep understanding of the requirement to ++keep hardware security issues under embargo for coordination between ++different OS vendors, distributors, hardware vendors and other parties. ++ ++The Linux kernel community has successfully handled hardware security ++issues in the past and has the necessary mechanisms in place to allow ++community compliant development under embargo restrictions. ++ ++The Linux kernel community has a dedicated hardware security team for ++initial contact, which oversees the process of handling such issues under ++embargo rules. ++ ++The hardware security team identifies the developers (domain experts) which ++form the initial response team for a particular issue. The initial response ++team can bring in further developers (domain experts) to address the issue ++in the best technical way. ++ ++All involved developers pledge to adhere to the embargo rules and to keep ++the received information confidential. Violation of the pledge will lead to ++immediate exclusion from the current issue and removal from all related ++mailing-lists. In addition, the hardware security team will also exclude ++the offender from future issues. The impact of this consequence is a highly ++effective deterrent in our community. In case a violation happens the ++hardware security team will inform the involved parties immediately. If you ++or anyone becomes aware of a potential violation, please report it ++immediately to the Hardware security officers. ++ ++ ++Process ++^^^^^^^ ++ ++Due to the globally distributed nature of Linux kernel development, face to ++face meetings are almost impossible to address hardware security issues. ++Phone conferences are hard to coordinate due to time zones and other ++factors and should be only used when absolutely necessary. Encrypted email ++has been proven to be the most effective and secure communication method ++for these types of issues. ++ ++Start of Disclosure ++""""""""""""""""""" ++ ++Disclosure starts by contacting the Linux kernel hardware security team by ++email. This initial contact should contain a description of the problem and ++a list of any known affected hardware. If your organization builds or ++distributes the affected hardware, we encourage you to also consider what ++other hardware could be affected. ++ ++The hardware security team will provide a per incident specific encrypted ++mailing-list which will be used for initial discussion with the reporter, ++further disclosure and coordination. ++ ++The hardware security team will provide the disclosing party a list of ++developers (domain experts) who should be informed initially about the ++issue after confirming with the developers that they will adhere to this ++Memorandum of Understanding and the documented process. These developers ++form the initial response team and will be responsible for handling the ++issue after initial contact. The hardware security team is supporting the ++response team, but is not necessarily involved in the mitigation ++development process. ++ ++While individual developers might be covered by a non-disclosure agreement ++via their employer, they cannot enter individual non-disclosure agreements ++in their role as Linux kernel developers. They will, however, adhere to ++this documented process and the Memorandum of Understanding. ++ ++ ++Disclosure ++"""""""""" ++ ++The disclosing party provides detailed information to the initial response ++team via the specific encrypted mailing-list. ++ ++From our experience the technical documentation of these issues is usually ++a sufficient starting point and further technical clarification is best ++done via email. ++ ++Mitigation development ++"""""""""""""""""""""" ++ ++The initial response team sets up an encrypted mailing-list or repurposes ++an existing one if appropriate. The disclosing party should provide a list ++of contacts for all other parties who have already been, or should be ++informed about the issue. The response team contacts these parties so they ++can name experts who should be subscribed to the mailing-list. ++ ++Using a mailing-list is close to the normal Linux development process and ++has been successfully used in developing mitigations for various hardware ++security issues in the past. ++ ++The mailing-list operates in the same way as normal Linux development. ++Patches are posted, discussed and reviewed and if agreed on applied to a ++non-public git repository which is only accessible to the participating ++developers via a secure connection. The repository contains the main ++development branch against the mainline kernel and backport branches for ++stable kernel versions as necessary. ++ ++The initial response team will identify further experts from the Linux ++kernel developer community as needed and inform the disclosing party about ++their participation. Bringing in experts can happen at any time of the ++development process and often needs to be handled in a timely manner. ++ ++Coordinated release ++""""""""""""""""""" ++ ++The involved parties will negotiate the date and time where the embargo ++ends. At that point the prepared mitigations are integrated into the ++relevant kernel trees and published. ++ ++While we understand that hardware security issues need coordinated embargo ++time, the embargo time should be constrained to the minimum time which is ++required for all involved parties to develop, test and prepare the ++mitigations. Extending embargo time artificially to meet conference talk ++dates or other non-technical reasons is creating more work and burden for ++the involved developers and response teams as the patches need to be kept ++up to date in order to follow the ongoing upstream kernel development, ++which might create conflicting changes. ++ ++CVE assignment ++"""""""""""""" ++ ++Neither the hardware security team nor the initial response team assign ++CVEs, nor are CVEs required for the development process. If CVEs are ++provided by the disclosing party they can be used for documentation ++purposes. ++ ++Process ambassadors ++------------------- ++ ++For assistance with this process we have established ambassadors in various ++organizations, who can answer questions about or provide guidance on the ++reporting process and further handling. Ambassadors are not involved in the ++disclosure of a particular issue, unless requested by a response team or by ++an involved disclosed party. The current ambassadors list: ++ ++ ============== ======================================================== ++ ARM ++ AMD ++ IBM ++ Intel ++ Qualcomm ++ ++ Microsoft ++ VMware ++ XEN ++ ++ Canonical ++ Debian ++ Oracle ++ Redhat ++ Suse Jiri Kosina <jkosina@suse.com> ++ ++ Amazon ++ Google ++ ============== ======================================================== ++ ++If you want your organization to be added to the ambassadors list, please ++contact the hardware security team. The nominated ambassador has to ++understand and support our process fully and is ideally well connected in ++the Linux kernel community. ++ ++Encrypted mailing-lists ++----------------------- ++ ++We use encrypted mailing-lists for communication. The operating principle ++of these lists is that email sent to the list is encrypted either with the ++list's PGP key or with the list's S/MIME certificate. The mailing-list ++software decrypts the email and re-encrypts it individually for each ++subscriber with the subscriber's PGP key or S/MIME certificate. Details ++about the mailing-list software and the setup which is used to ensure the ++security of the lists and protection of the data can be found here: ++https://www.kernel.org/.... ++ ++List keys ++^^^^^^^^^ ++ ++For initial contact see :ref:`Contact`. For incident specific mailing-lists ++the key and S/MIME certificate are conveyed to the subscribers by email ++sent from the specific list. ++ ++Subscription to incident specific lists ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++Subscription is handled by the response teams. Disclosed parties who want ++to participate in the communication send a list of potential subscribers to ++the response team so the response team can validate subscription requests. ++ ++Each subscriber needs to send a subscription request to the response team ++by email. The email must be signed with the subscriber's PGP key or S/MIME ++certificate. If a PGP key is used, it must be available from a public key ++server and is ideally connected to the Linux kernel's PGP web of trust. See ++also: https://www.kernel.org/signature.html. ++ ++The response team verifies that the subscriber request is valid and adds ++the subscriber to the list. After subscription the subscriber will receive ++email from the mailing-list which is signed either with the list's PGP key ++or the list's S/MIME certificate. The subscriber's email client can extract ++the PGP key or the S/MIME certificate from the signature so the subscriber ++can send encrypted email to the list. ++ +--- a/Documentation/admin-guide/index.rst ++++ b/Documentation/admin-guide/index.rst +@@ -33,6 +33,7 @@ problems and bugs in particular. + + reporting-bugs + security-bugs ++ embargoed-hardware-issues + bug-hunting + bug-bisect + tainted-kernels |