From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Luis Rodriguez <mcgrof@gmail.com>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
jkkm@jkkm.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 09:10:39 -0700 [thread overview]
Message-ID: <1438099839.5441.165.camel@HansenPartnership.com> (raw)
In-Reply-To: <CALCETrVPf9gN92iC+vtKOOBY0GpzAnZuKpEMMgZzU-uXAM1qMQ@mail.gmail.com>
On Tue, 2015-07-28 at 09:05 -0700, Andy Lutomirski wrote:
> On Tue, Jul 28, 2015 at 8:31 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Tue, 2015-07-28 at 08:22 -0700, Andy Lutomirski wrote:
> >> On Tue, Jul 28, 2015 at 8:10 AM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
> >> >> Patches are in the works for the provision of signatures for firmware blobs
> >> >> for the kernel to check, thus allowing the kernel to act as gatekeeper on what
> >> >> firmware blobs get loaded where.
> >> >>
> >> >> Note that it has been agreed that signatures will be in separate files to the
> >> >> firmware blobs so as not to potentially corrupt a blob by copying it to an OS
> >> >> that doesn't expect the signature. Also, we don't want to modify the blob in
> >> >> case of IP.
> >> >>
> >> >> We're currently using PKCS#7/CMS messages as the signature format since we
> >> >> have a PKCS#7 parser and verifier already in the kernel for kexec.
> >> >>
> >> >> Patches have been proposed for inclusion in security/next that allow PKCS#11
> >> >> to be used to supply h/w keys to the sign-file program and to the kernel build
> >> >> process.
> >> >>
> >> >> There are a number of areas that could do with sorting out with regard key
> >> >> policy:
> >> >>
> >> >> (1) Should signatures produced by the manager of the linux-firmware package
> >> >> be allowed only?
> >> >
> >> > Firmware is a binary blob usually with no decompilation. How would the
> >> > package manager know its provenance? The only people who know are the
> >> > people who write the driver. If they sign, I think we have to accept
> >> > their signature and if not, we could have a weaker level of trust on the
> >> > package manager based on unbroken chain of transmission from the
> >> > firmware provider, but you'd have to trust the packaging organisation.
> >>
> >> But IMO we really don't want trust $RANDOM_USB_WIDGET_VENDOR to supply
> >> firmware for the GPU, for example.
> >
> > I'm not saying that. I'm saying that if we verify some chain in
> > firmware, it has to be from a trusted supplier to us, meaning we invest
> > trust already in the supplier. However, the trusted supplier should be
> > the original device vendor. if $RANDOM_USB_WIGET_VENDOR isn't the
> > original vendor, then this would not trust them. If they are, it's
> > hobson's choice ... and god help us.
>
> Sure, but we shouldn't stick the USB vendor's key into the system
> keyring. I'm fine with having it in the kernel or in some database,
> though.
Actually, I don't think we should have a general system keyring for
firmware. We need driver specific ones, so the USB vendor key is *only*
trusted for that particular driver. Putting vendor keys into our
general keyring would be a recipe for inviting abuse.
James
next prev parent reply other threads:[~2015-07-28 16:10 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 13:36 David Howells
2015-07-28 14:23 ` David Woodhouse
2015-07-28 16:55 ` Luis R. Rodriguez
2015-07-28 15:10 ` James Bottomley
2015-07-28 15:22 ` Andy Lutomirski
2015-07-28 15:31 ` James Bottomley
2015-07-28 16:05 ` Andy Lutomirski
2015-07-28 16:10 ` James Bottomley [this message]
2015-07-28 16:15 ` David Woodhouse
2015-07-28 16:35 ` Andy Lutomirski
2015-07-28 16:44 ` David Howells
2015-07-28 17:03 ` Andy Lutomirski
2015-07-28 19:19 ` David Woodhouse
2015-07-28 19:31 ` Andy Lutomirski
2015-07-28 19:43 ` David Woodhouse
2015-07-28 22:03 ` James Bottomley
2015-08-11 20:24 ` David Howells
2015-08-11 21:56 ` Andy Lutomirski
2015-08-11 22:03 ` Luis R. Rodriguez
2015-08-12 18:22 ` David Howells
2015-08-12 18:45 ` David Woodhouse
2015-08-12 19:09 ` Andy Lutomirski
2015-08-12 19:15 ` James Bottomley
2015-08-12 19:25 ` Andy Lutomirski
2015-08-12 19:43 ` James Bottomley
2015-08-12 19:45 ` Andy Lutomirski
2015-08-12 19:59 ` James Bottomley
2015-08-13 7:03 ` Jan Kara
2015-08-13 14:01 ` James Bottomley
2015-08-12 22:46 ` David Howells
2015-08-12 22:51 ` Andy Lutomirski
2015-08-12 19:06 ` Andy Lutomirski
2015-08-12 22:39 ` David Howells
2015-08-12 22:45 ` Andy Lutomirski
2015-08-12 22:45 ` David Howells
2015-08-12 22:47 ` Andy Lutomirski
2015-07-28 16:18 ` David Howells
2015-07-28 16:42 ` James Bottomley
2015-07-28 17:05 ` Andy Lutomirski
2015-07-28 17:09 ` James Bottomley
2015-07-28 17:10 ` Andy Lutomirski
2015-07-29 2:00 ` James Morris
2015-07-28 16:58 ` Josh Boyer
2015-07-28 15:12 ` David Woodhouse
2015-07-28 18:47 ` Peter Jones
2015-07-28 19:14 ` David Howells
2015-07-28 19:52 ` Peter Jones
2015-07-28 16:17 ` David Howells
2015-07-28 16:59 ` James Bottomley
2015-07-28 19:11 ` David Howells
2015-07-28 19:34 ` Luis R. Rodriguez
2015-07-28 21:53 ` James Bottomley
2015-07-28 22:39 ` David Howells
2015-07-28 22:44 ` Andy Lutomirski
2015-07-29 8:39 ` David Woodhouse
2015-07-28 18:36 ` josh
2015-07-28 18:44 ` James Bottomley
2015-07-28 18:54 ` josh
2015-07-28 19:06 ` Luis R. Rodriguez
2015-07-28 21:38 ` Greg KH
2015-07-28 23:59 ` josh
2015-07-29 0:17 ` Greg KH
2015-07-29 9:37 ` David Woodhouse
2015-07-29 15:00 ` James Bottomley
2015-07-29 15:35 ` David Woodhouse
2015-07-29 16:38 ` James Bottomley
2015-07-29 17:32 ` David Woodhouse
2015-07-29 23:39 ` James Bottomley
2015-07-30 8:08 ` David Woodhouse
2015-07-30 13:48 ` James Bottomley
2015-07-30 14:21 ` Heiko Stübner
2015-07-30 14:30 ` James Bottomley
2015-07-30 15:01 ` David Woodhouse
2015-07-30 16:17 ` James Bottomley
2015-07-30 19:17 ` David Woodhouse
2015-07-31 14:41 ` Theodore Ts'o
2015-07-31 16:14 ` Tim Bird
2015-07-31 17:25 ` David Woodhouse
2015-07-30 16:24 ` Tim Bird
2015-07-29 16:35 ` Josh Triplett
2015-07-29 8:29 ` David Woodhouse
2015-07-29 11:57 ` Mark Brown
2015-07-29 12:02 ` David Woodhouse
2015-07-29 12:24 ` Mark Brown
2015-07-28 19:23 ` David Woodhouse
2015-07-28 19:19 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1438099839.5441.165.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=jkkm@jkkm.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox