xref: /openbmc/linux/Documentation/process/embargoed-hardware-issues.rst (revision 8bf6e0e3c7de857b91a75aa57cecd56c10035bb2)
.. _embargoed_hardware_issues:

Embargoed hardware issues
=========================

Scope
-----

Hardware issues which result in security problems are a different category
of security bugs than pure software bugs which only affect the Linux
kernel.

Hardware issues like Meltdown, Spectre, L1TF etc. must be treated
differently because they usually affect all Operating Systems ("OS") and
therefore need coordination across different OS vendors, distributions,
hardware vendors and other parties. For some of the issues, software
mitigations can depend on microcode or firmware updates, which need further
coordination.

.. _Contact:

Contact
-------

The Linux kernel hardware security team is separate from the regular Linux
kernel security team.

The team only handles the coordination of embargoed hardware security
issues.  Reports of pure software security bugs in the Linux kernel are not
handled by this team and the reporter will be guided to contact the regular
Linux kernel security team (:ref:`Documentation/admin-guide/
<securitybugs>`) instead.

The team can be contacted by email at <hardware-security@kernel.org>. This
is a private list of security officers who will help you to coordinate an
issue according to our documented process.

The list is encrypted and email to the list can be sent by either PGP or
S/MIME encrypted and must be signed with the reporter's PGP key or S/MIME
certificate. The list's PGP key and S/MIME certificate are available from
the following URLs:

  - PGP: https://www.kernel.org/static/files/hardware-security.asc
  - S/MIME: https://www.kernel.org/static/files/hardware-security.crt

While hardware security issues are often handled by the affected hardware
vendor, we welcome contact from researchers or individuals who have
identified a potential hardware flaw.

Hardware security officers
^^^^^^^^^^^^^^^^^^^^^^^^^^

The current team of hardware security officers:

  - Linus Torvalds (Linux Foundation Fellow)
  - Greg Kroah-Hartman (Linux Foundation Fellow)
  - Thomas Gleixner (Linux Foundation Fellow)

Operation of mailing-lists
^^^^^^^^^^^^^^^^^^^^^^^^^^

The encrypted mailing-lists which are used in our process are hosted on
Linux Foundation's IT infrastructure. By providing this service, members
of Linux Foundation's IT operations personnel technically have the
ability to access the embargoed information, but are obliged to
confidentiality by their employment contract. Linux Foundation IT
personnel are also responsible for operating and managing the rest of
kernel.org infrastructure.

The Linux Foundation's current director of IT Project infrastructure is
Konstantin Ryabitsev.


Non-disclosure agreements
-------------------------

The Linux kernel hardware security team is not a formal body and therefore
unable to enter into any non-disclosure agreements.  The kernel community
is aware of the sensitive nature of such issues and offers a Memorandum of
Understanding instead.


Memorandum of Understanding
---------------------------

The Linux kernel community has a deep understanding of the requirement to
keep hardware security issues under embargo for coordination between
different OS vendors, distributors, hardware vendors and other parties.

The Linux kernel community has successfully handled hardware security
issues in the past and has the necessary mechanisms in place to allow
community compliant development under embargo restrictions.

The Linux kernel community has a dedicated hardware security team for
initial contact, which oversees the process of handling such issues under
embargo rules.

The hardware security team identifies the developers (domain experts) who
will form the initial response team for a particular issue. The initial
response team can bring in further developers (domain experts) to address
the issue in the best technical way.

All involved developers pledge to adhere to the embargo rules and to keep
the received information confidential. Violation of the pledge will lead to
immediate exclusion from the current issue and removal from all related
mailing-lists. In addition, the hardware security team will also exclude
the offender from future issues. The impact of this consequence is a highly
effective deterrent in our community. In case a violation happens the
hardware security team will inform the involved parties immediately. If you
or anyone becomes aware of a potential violation, please report it
immediately to the Hardware security officers.


Process
^^^^^^^

Due to the globally distributed nature of Linux kernel development,
face-to-face meetings are almost impossible to address hardware security
issues.  Phone conferences are hard to coordinate due to time zones and
other factors and should be only used when absolutely necessary. Encrypted
email has been proven to be the most effective and secure communication
method for these types of issues.

Start of Disclosure
"""""""""""""""""""

Disclosure starts by contacting the Linux kernel hardware security team by
email. This initial contact should contain a description of the problem and
a list of any known affected hardware. If your organization builds or
distributes the affected hardware, we encourage you to also consider what
other hardware could be affected.

The hardware security team will provide an incident-specific encrypted
mailing-list which will be used for initial discussion with the reporter,
further disclosure and coordination.

The hardware security team will provide the disclosing party a list of
developers (domain experts) who should be informed initially about the
issue after confirming with the developers that they will adhere to this
Memorandum of Understanding and the documented process. These developers
form the initial response team and will be responsible for handling the
issue after initial contact. The hardware security team is supporting the
response team, but is not necessarily involved in the mitigation
development process.

While individual developers might be covered by a non-disclosure agreement
via their employer, they cannot enter individual non-disclosure agreements
in their role as Linux kernel developers. They will, however, agree to
adhere to this documented process and the Memorandum of Understanding.

The disclosing party should provide a list of contacts for all other
entities who have already been, or should be, informed about the issue.
This serves several purposes:

 - The list of disclosed entities allows communication across the
   industry, e.g. other OS vendors, HW vendors, etc.

 - The disclosed entities can be contacted to name experts who should
   participate in the mitigation development.

 - If an expert who is required to handle an issue is employed by a
   listed entity or is a member of a listed entity, then the response teams
   can request the disclosure of that expert from that entity. This ensures
   that the expert is also part of the entity's response team.

Disclosure
""""""""""

The disclosing party provides detailed information to the initial response
team via the specific encrypted mailing-list.

From our experience the technical documentation of these issues is usually
a sufficient starting point and further technical clarification is best
done via email.

Mitigation development
""""""""""""""""""""""

The initial response team sets up an encrypted mailing-list or repurposes
an existing one if appropriate.

Using a mailing-list is close to the normal Linux development process and
has been successfully used in developing mitigations for various hardware
security issues in the past.

The mailing-list operates in the same way as normal Linux development.
Patches are posted, discussed and reviewed and, if agreed on, applied to a
non-public git repository which is only accessible to the participating
developers via a secure connection. The repository contains the main
development branch against the mainline kernel and backport branches for
stable kernel versions as necessary.

The initial response team will identify further experts from the Linux
kernel developer community as needed. Bringing in experts can happen at any
time of the development process and needs to be handled in a timely manner.

If an expert is employed by or member of an entity on the disclosure list
provided by the disclosing party, then participation will be requested from
the relevant entity.

If not, then the disclosing party will be informed about the expert's
participation. The experts are covered by the Memorandum of Understanding
and the disclosing party is requested to acknowledge the participation. In
case that the disclosing party has a compelling reason to object, then this
objection has to be raised within five work days and resolved with the
incident team immediately. If the disclosing party does not react within
five work days this is taken as silent acknowledgement.

After acknowledgement or resolution of an objection the expert is disclosed
by the incident team and brought into the development process.


Coordinated release
"""""""""""""""""""

The involved parties will negotiate the date and time where the embargo
ends. At that point the prepared mitigations are integrated into the
relevant kernel trees and published.

While we understand that hardware security issues need coordinated embargo
time, the embargo time should be constrained to the minimum time which is
required for all involved parties to develop, test and prepare the
mitigations. Extending embargo time artificially to meet conference talk
dates or other non-technical reasons creates more work and burden for the
involved developers and response teams, as the patches need to be kept up
to date in order to follow the ongoing upstream kernel development, which
might create conflicting changes.

CVE assignment
""""""""""""""

Neither the hardware security team nor the initial response team assign
CVEs, nor are CVEs required for the development process. If CVEs are
provided by the disclosing party they can be used for documentation
purposes.

Process ambassadors
-------------------

For assistance with this process we have established ambassadors in various
organizations, who can answer questions about or provide guidance on the
reporting process and further handling. Ambassadors are not involved in the
disclosure of a particular issue, unless requested by a response team or by
an involved disclosed party. The current ambassadors list:

  ============= ========================================================
  AMD           Tom Lendacky <tom.lendacky@amd.com>
  ARM           Grant Likely <grant.likely@arm.com>
  IBM Power     Anton Blanchard <anton@linux.ibm.com>
  IBM Z         Christian Borntraeger <borntraeger@de.ibm.com>
  Intel         Tony Luck <tony.luck@intel.com>
  Qualcomm      Trilok Soni <tsoni@codeaurora.org>

  Microsoft     James Morris <jamorris@linux.microsoft.com>
  VMware
  Xen           Andrew Cooper <andrew.cooper3@citrix.com>

  Canonical     John Johansen <john.johansen@canonical.com>
  Debian        Ben Hutchings <ben@decadent.org.uk>
  Oracle        Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
  Red Hat       Josh Poimboeuf <jpoimboe@redhat.com>
  SUSE          Jiri Kosina <jkosina@suse.cz>

  Amazon
  Google        Kees Cook <keescook@chromium.org>
  ============= ========================================================

If you want your organization to be added to the ambassadors list, please
contact the hardware security team. The nominated ambassador has to
understand and support our process fully and is ideally well connected in
the Linux kernel community.

Encrypted mailing-lists
-----------------------

We use encrypted mailing-lists for communication. The operating principle
of these lists is that email sent to the list is encrypted either with the
list's PGP key or with the list's S/MIME certificate. The mailing-list
software decrypts the email and re-encrypts it individually for each
subscriber with the subscriber's PGP key or S/MIME certificate. Details
about the mailing-list software and the setup which is used to ensure the
security of the lists and protection of the data can be found here:
https://korg.wiki.kernel.org/userdoc/remail.

List keys
^^^^^^^^^

For initial contact see :ref:`Contact`. For incident specific mailing-lists
the key and S/MIME certificate are conveyed to the subscribers by email
sent from the specific list.

Subscription to incident specific lists
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Subscription is handled by the response teams. Disclosed parties who want
to participate in the communication send a list of potential subscribers to
the response team so the response team can validate subscription requests.

Each subscriber needs to send a subscription request to the response team
by email. The email must be signed with the subscriber's PGP key or S/MIME
certificate. If a PGP key is used, it must be available from a public key
server and is ideally connected to the Linux kernel's PGP web of trust. See
also: https://www.kernel.org/signature.html.

The response team verifies that the subscriber request is valid and adds
the subscriber to the list. After subscription the subscriber will receive
email from the mailing-list which is signed either with the list's PGP key
or the list's S/MIME certificate. The subscriber's email client can extract
the PGP key or the S/MIME certificate from the signature so the subscriber
can send encrypted email to the list.
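The PGP side of the flow described under :ref:`Contact`, in the
"Encrypted mailing-lists" section and in the paragraph above, as an added
example that is not part of the kernel documentation or of the remail
software: throwaway keys in temporary keyrings stand in for the reporter,
the list and a single subscriber, the addresses and the report text are
constructed placeholders, and ``--trust-model always`` stands in for the
fingerprint check a real sender performs on the downloaded list key. It
needs only GnuPG 2.2 or newer on the path and writes nothing outside a
temporary directory.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation or of remail: models
# signed+encrypted mail to an encrypted list with throwaway keys. All
# addresses and the report text below are constructed placeholders.
set -eu

# Run gpg against one party's private keyring (reporter, list or sub).
# --trust-model always replaces the fingerprint verification a real sender
# does after fetching the list key; it is only acceptable in this demo.
g() {
    party=$1; shift
    mkdir -p "$WORK/$party" && chmod 700 "$WORK/$party"
    gpg --homedir "$WORK/$party" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' \
        --trust-model always "$@"
}

# Decrypt $3 into $2 with $1's key and fail unless gpg reports a good
# signature: the list only re-mails signed mail, and subscribers only trust
# mail that carries the list's signature. A missing or unknown signer shows
# up as NO_PUBKEY or no GOODSIG line, which this rejects.
decrypt_checked() {
    status=$(g "$1" --status-fd 1 --output "$2" --decrypt "$3")
    case $status in
        *'[GNUPG:] GOODSIG '*) ;;
        *) echo "signature check failed for $3" >&2; return 1 ;;
    esac
}

remail_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    WORK=$(mktemp -d)
    trap 'for p in reporter list sub; do gpgconf --homedir "$WORK/$p" --kill gpg-agent >/dev/null 2>&1 || true; done; rm -rf "$WORK"' EXIT

    # 1. Each party owns a key pair; nobody holds another party's secret key.
    g reporter --quick-gen-key "Reporter <reporter@example.org>" default default never
    g list     --quick-gen-key "HW list <list@example.org>"      default default never
    g sub      --quick-gen-key "Subscriber <sub@example.org>"    default default never

    # 2. Public keys are exchanged (in the real process: the list key from the
    #    kernel.org URL, subscriber keys from a public key server).
    for p in reporter list sub; do g "$p" --export --armor > "$WORK/$p.asc"; done
    g reporter --import "$WORK/list.asc"
    g list     --import "$WORK/reporter.asc" "$WORK/sub.asc"
    g sub      --import "$WORK/list.asc"

    # 3. The reporter signs with their own key and encrypts to the list key.
    printf 'Constructed report: example flaw, affected parts TBD\n' > "$WORK/report.txt"
    g reporter --local-user reporter@example.org --recipient list@example.org \
        --armor --sign --encrypt --output "$WORK/to-list.asc" "$WORK/report.txt"

    # 4. The list software decrypts, checks the reporter's signature, then
    #    re-encrypts individually for each subscriber, signed with the list key.
    decrypt_checked list "$WORK/plain.txt" "$WORK/to-list.asc"
    g list --local-user list@example.org --recipient sub@example.org \
        --armor --sign --encrypt --output "$WORK/to-sub.asc" "$WORK/plain.txt"

    # 5. The subscriber decrypts with their own key and verifies the list's
    #    signature before trusting the content.
    decrypt_checked sub "$WORK/received.txt" "$WORK/to-sub.asc"
    cat "$WORK/received.txt"
}

remail_demo
```

Run with ``sh``; it prints the report exactly as the subscriber receives
it. Either ``decrypt_checked`` call aborts the script if the expected
signature is absent, which mirrors the rule that mail to the list must be
signed, and the per-subscriber re-encryption in step 4 is why the list key
alone never lets one subscriber read mail encrypted to another.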
311ddaedbbeSThomas Gleixner