SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones

Message ID 20200709194820.27032-1-grandmaster@al2klimov.de
State New

Commit Message

Alexander A. Klimov July 9, 2020, 7:48 p.m. UTC
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
---
 Continuing my work started at 93431e0607e5.
 See also: git log --oneline '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' v5.7..master
 (Actually letting a shell for loop submit all this stuff for me.)

 If there are any URLs to be removed completely or at least not HTTPSified:
 Just clearly say so and I'll *undo my change*.
 See also: https://lkml.org/lkml/2020/6/27/64

 If there are any valid, but yet not changed URLs:
 See: https://lkml.org/lkml/2020/6/26/837

 If you apply the patch, please let me know.


 drivers/infiniband/ulp/srpt/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
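
The selection rules of the "Deterministic algorithm" above, applied offline to a few lines. This is an added example, not the script the patch author used: the exclusion patterns are assumed to be matched against the link itself, and the hypothetical `same_content` callback with its constructed `VERIFIED` set stands in for the "both return 200 OK and serve the same content" network check.

```python
import re

# Patterns copied from the commit message's "Deterministic algorithm".
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
EXCLUDED = (re.compile(r"\bgnu\.org/license"), re.compile(r"\bmozilla\.org/MPL\b"))

# Constructed stand-in for the network step: URLs treated as having passed
# the "both return 200 OK and serve the same content" check.
VERIFIED = {"http://www.t10.org/"}


def same_content(http_url):
    """Hypothetical offline replacement for the HTTP/HTTPS comparison."""
    return http_url in VERIFIED


def rewrite_line(line, check=same_content):
    """Upgrade qualifying http:// links in one line; leave the rest untouched."""
    if XMLNS.search(line):  # xmlns values are identifiers; editing them changes the namespace
        return line

    def upgrade(match):
        url = match.group(0)
        # Assumption: the exclusion patterns are tested against the link itself.
        if any(p.search(url) for p in EXCLUDED) or not check(url):
            return url
        return "https://" + url[len("http://"):]

    return LINK.sub(upgrade, line)


def rewrite_file(name, text, check=same_content):
    """Apply the per-line rule to every line of a file that is not an .svg."""
    if name.endswith(".svg"):
        return text
    return "".join(rewrite_line(l, check) for l in text.splitlines(keepends=True))


# Constructed sample input: the Kconfig line from the patch plus lines that
# exercise each exclusion in the algorithm.
SAMPLE = (
    "\t  of the INCITS T10 technical committee (http://www.t10.org/).\n"
    '<root xmlns="http://www.w3.org/2000/svg">\n'
    " * see http://www.gnu.org/licenses/ for the license text\n"
    " * docs: http://unverified.example/spec#intro\n"
)

if __name__ == "__main__":
    print(rewrite_file("Kconfig", SAMPLE), end="")
```

The link pattern stops before `#` and backtracks to the last word character or `/`, so the closing `).` in the Kconfig line and any fragment stay outside the rewritten URL.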

Comments

Bart Van Assche July 10, 2020, 2:22 p.m. UTC | #1
On 2020-07-09 12:48, Alexander A. Klimov wrote:
> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> index 4b5d9b792cfa..f63b34d9ae32 100644
> --- a/drivers/infiniband/ulp/srpt/Kconfig
> +++ b/drivers/infiniband/ulp/srpt/Kconfig
> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>  	  that supports the RDMA protocol. Currently the RDMA protocol is
>  	  supported by InfiniBand and by iWarp network hardware. More
>  	  information about the SRP protocol can be found on the website
> -	  of the INCITS T10 technical committee (http://www.t10.org/).
> +	  of the INCITS T10 technical committee (https://www.t10.org/).

It is not clear to me how modifying an URL in a Kconfig file helps to
reduce the attack surface on kernel devs?

Thanks,

Bart.
Alexander A. Klimov July 10, 2020, 6:12 p.m. UTC | #2
On 10.07.20 at 16:22, Bart Van Assche wrote:
> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>> index 4b5d9b792cfa..f63b34d9ae32 100644
>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>   	  that supports the RDMA protocol. Currently the RDMA protocol is
>>   	  supported by InfiniBand and by iWarp network hardware. More
>>   	  information about the SRP protocol can be found on the website
>> -	  of the INCITS T10 technical committee (http://www.t10.org/).
>> +	  of the INCITS T10 technical committee (https://www.t10.org/).
> 
> It is not clear to me how modifying an URL in a Kconfig file helps to
> reduce the attack surface on kernel devs?
Not on all, just on the ones who open it.

> 
> Thanks,
> 
> Bart.
> 
>
Bart Van Assche July 12, 2020, 7:52 p.m. UTC | #3
On 2020-07-10 11:12, Alexander A. Klimov wrote:
> On 10.07.20 at 16:22, Bart Van Assche wrote:
>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>         that supports the RDMA protocol. Currently the RDMA protocol is
>>>         supported by InfiniBand and by iWarp network hardware. More
>>>         information about the SRP protocol can be found on the website
>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>
>> It is not clear to me how modifying an URL in a Kconfig file helps to
>> reduce the attack surface on kernel devs?
>
> Not on all, just on the ones who open it.

Is changing every single HTTP URL in the kernel into a HTTPS URL the best
solution? Is this the only solution? Has it been considered to recommend
kernel developers who are concerned about MITM attacks to install a browser
extension like HTTPS Everywhere instead?

Thanks,

Bart.
Alexander A. Klimov July 12, 2020, 8:15 p.m. UTC | #4
On 12.07.20 at 21:52, Bart Van Assche wrote:
> On 2020-07-10 11:12, Alexander A. Klimov wrote:
>> On 10.07.20 at 16:22, Bart Van Assche wrote:
>>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>>          that supports the RDMA protocol. Currently the RDMA protocol is
>>>>          supported by InfiniBand and by iWarp network hardware. More
>>>>          information about the SRP protocol can be found on the website
>>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>>
>>> It is not clear to me how modifying an URL in a Kconfig file helps to
>>> reduce the attack surface on kernel devs?
>>
>> Not on all, just on the ones who open it.
> 
> Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> solution? Is this the only solution? Has it been considered to recommend
> kernel developers who are concerned about MITM attacks to install a browser
> extension like HTTPS Everywhere instead?
I've installed that addon myself.
But IMAO it's just a workaround which is (not available to all browsers, 
not installed by default in any of them and) not even 100% secure unless 
you tick a particular checkbox.

Anyway the majority of maintainers and Torvalds himself agree with my 
solution.

I mean, just look at
git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \
--oneline v5.7..master

Or (better) wait for v5.9-rc1 (and all the yet just applied patches it 
will consist of) *and then* run the command.

> 
> Thanks,
> 
> Bart.
>
Jason Gunthorpe July 13, 2020, 1:50 p.m. UTC | #5
On Sun, Jul 12, 2020 at 10:15:29PM +0200, Alexander A. Klimov wrote:
> 
> 
> On 12.07.20 at 21:52, Bart Van Assche wrote:
> > On 2020-07-10 11:12, Alexander A. Klimov wrote:
> > > On 10.07.20 at 16:22, Bart Van Assche wrote:
> > > > On 2020-07-09 12:48, Alexander A. Klimov wrote:
> > > > > diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > index 4b5d9b792cfa..f63b34d9ae32 100644
> > > > > +++ b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
> > > > >          that supports the RDMA protocol. Currently the RDMA protocol is
> > > > >          supported by InfiniBand and by iWarp network hardware. More
> > > > >          information about the SRP protocol can be found on the website
> > > > > -      of the INCITS T10 technical committee (http://www.t10.org/).
> > > > > +      of the INCITS T10 technical committee (https://www.t10.org/).
> > > > 
> > > > It is not clear to me how modifying an URL in a Kconfig file helps to
> > > > reduce the attack surface on kernel devs?
> > > 
> > > Not on all, just on the ones who open it.
> > 
> > Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> > solution? Is this the only solution? Has it been considered to recommend
> > kernel developers who are concerned about MITM attacks to install a browser
> > extension like HTTPS Everywhere instead?
> I've installed that addon myself.
> But IMAO it's just a workaround which is (not available to all browsers, not
> installed by default in any of them and) not even 100% secure unless you
> tick a particular checkbox.
> 
> Anyway the majority of maintainers and Torvalds himself agree with my
> solution.
> 
> I mean, just look at
> git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \
> 
> Or (better) wait for v5.9-rc1 (and all the yet just applied patches it will
> consist of) *and then* run the command.

Well, if you are going to do this please send just one patch for all
of drivers/infiniband/ and include/rdma

I don't need to see it broken up any more than that

Jason

Patch

diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index 4b5d9b792cfa..f63b34d9ae32 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -10,4 +10,4 @@  config INFINIBAND_SRPT
 	  that supports the RDMA protocol. Currently the RDMA protocol is
 	  supported by InfiniBand and by iWarp network hardware. More
 	  information about the SRP protocol can be found on the website
-	  of the INCITS T10 technical committee (http://www.t10.org/).
+	  of the INCITS T10 technical committee (https://www.t10.org/).
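
Review bot: The commit message gives only the series-wide rationale and says nothing specific to the one line changed here, the help text of `config INFINIBAND_SRPT` ending in `(https://www.t10.org/).`; state that the change is confined to Kconfig help text and therefore matters only to a reader who follows the link. It would also help to record that this URL met the message's own condition (HTTP and HTTPS both return 200 OK and serve the same content), since nothing in the patch shows the check was run for it. As requested in the thread, fold this into a single patch covering drivers/infiniband/ and include/rdma.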