Good day! Just found that flashrom doesn't work on some hardened configurations - Hardened Gentoo - on hardened kernel-2.6.38
Linux xserver 2.6.38-hardened #1 SMP Wed Apr 20 02:19:23 CEST 2011 x86_64 Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz GenuineIntel GNU/Linux
flashrom v0.9.3-r1297 on Linux 2.6.38-hardened (x86_64), built with libpci 3.1.7, GCC 4.5.2, little endian
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OS timer resolution is 1 usecs, 1530M loops per second, 10 myus = 10 us, 100 myus = 99 us, 1000 myus = 996 us, 10000 myus = 9977 us, 4 myus = 4 us, OK.
Initializing internal programmer
ERROR: Could not get I/O privileges (Operation not permitted).
You need to be root.
And this from dmesg:
[1578171.686680] grsec: From 79.111.220.160: denied use of iopl() by /home/xvilka/flashrom/flashrom[flashrom:10596] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10591] uid/euid:0/0 gid/egid:0/0
[1578218.043347] grsec: From 79.111.220.160: denied use of iopl() by /home/xvilka/flashrom/flashrom[flashrom:10612] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10606] uid/euid:0/0 gid/egid:0/0
[1578388.047996] grsec: From 79.111.220.160: denied use of iopl() by /home/xvilka/flashrom/flashrom[flashrom:10645] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10606] uid/euid:0/0 gid/egid:0/0
And I found this topic: http://forums.grsecurity.net/viewtopic.php?t=1654 So, to access ioperm() and iopl() you need to disable the "Disable Privileged I/O (CONFIG_GRKERNSEC_IO)" option in the kernel config. Can we print this message when such a configuration is found? Is there a way to do port access without iopl()?
Best regards, Anton Kochkov.
On Sunday, 08.05.2011, at 12:05 +0400, Антон Кочков wrote:
And I found this topic: http://forums.grsecurity.net/viewtopic.php?t=1654 So, to access ioperm() and iopl() you need to disable the "Disable Privileged I/O (CONFIG_GRKERNSEC_IO)" option in the kernel config. Can we print this message when such a configuration is found? Is there a way to do port access without iopl()?
The only way to make some I/O port access without iopl() is with ioperm(), and the limits ioperm sets (no ports above 0x3ff) are making it nearly useless for flashrom. And as even ioperm is forbidden, there are no ways remaining. And that's intentional. With iopl() you are able not only to flash a BIOS rootkit, but also for example to write random data to random sectors of parallel ATA hard drives. The latter also works with ioperm in typical PC configurations.
Regards, Michael Karcher
On 5/8/11 1:05 AM, Антон Кочков wrote:
And I found this topic: http://forums.grsecurity.net/viewtopic.php?t=1654 So, to access ioperm() and iopl() you need to disable the "Disable Privileged I/O (CONFIG_GRKERNSEC_IO)" option in the kernel config. Can we print this message when such a configuration is found? Is there a way to do port access without iopl()?
No. The whole reason of CONFIG_GRKERNSEC_IO is to prevent you from running tools like flashrom. ;-)
On Monday, 09.05.2011, at 22:48 -0700, Stefan Reinauer wrote:
Is there a way to do port access without iopl()?
No. The whole reason of CONFIG_GRKERNSEC_IO is to prevent you from running tools like flashrom. ;-)
Which is (although there is a smiley) not a joke. Hardware drivers belong to the kernel, which is deemed "trusted" in models like grsecurity, and anything doing direct hardware access circumventing the kernel is deemed to be evil. So it does not target flashrom in particular, but it is meant in fact for (or more likely against) programs "like flashrom". I would not be surprised if grsecurity also prevents r/w mapping of the BIOS chip.
Regards, Michael Karcher