Re: Fixing CVE-2017-15361
From: Jarkko Sakkinen
Date: Thu Oct 26 2017 - 13:04:40 EST
On Thu, Oct 26, 2017 at 07:02:37PM +0200, Jarkko Sakkinen wrote:
> On Thu, Oct 26, 2017 at 04:57:48PM +0200, Michal Suchánek wrote:
> > On Thu, 26 Oct 2017 16:06:02 +0200
> > Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Thu, Oct 26, 2017 at 02:59:02PM +0200, Michal Suchánek wrote:
> > > > It does not really matter. People ignore the messages unless looking
> > > > for something specific as you already noticed. Warn seems adequate
> > > > because the cipher is weaker than expected but not known to
> > > > be compromised. People who care can look up the message. People who
> > > > don't care will ignore it even if it's crit.
> > >
> > > Is it worth of trouble to do any driver changes then (open question to
> > > everyone)? I'm not sure it is worth of trouble to add cruft to the
> > > driver code for a warning that will likely be ignored anyway.
> >
> > If the kernel can reliably detect the affected TPMs it saves the
> > user the work of figuring out where the firmware revision is accessible
> > on the running machine and what firmware revisions are affected.
> >
> > Thanks
> >
> > Michal
>
> Just giving the warning does not require any kernel functionality. If
> nothing proactive is required from the kernel I'd move the
> responsibility to the user space. Nothing in the kernel is broken an
> kernel cannot workaround the issue by ay means.
>
> /Jarkko
I.e. I'm not going to fix a bug if there is no bug to fix.
/Jarkko