From: David Woodhouse <dwmw2@infradead.org>
To: Jason Cooper <jason@lakedaemon.net>,
Linus Walleij <linus.walleij@linaro.org>
Cc: Mark Brown <broonie@sirena.org.uk>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: Last minute nominations: mcgrof and toshi
Date: Tue, 02 Aug 2016 15:09:03 +0100 [thread overview]
Message-ID: <1470146943.6822.21.camel@infradead.org> (raw)
In-Reply-To: <20160802140031.GK4541@io.lakedaemon.net>
[-- Attachment #1: Type: text/plain, Size: 2137 bytes --]
On Tue, 2016-08-02 at 14:00 +0000, Jason Cooper wrote:
>
> You're actually hitting at the core of the problem. The CA system
> (Thawte, Verisign, etc) is better than what came before it. We now have
> enough experience with it, and have seen the band-aids [0], to know we need
> something better.
>
> The problem here is that we (users) need to be able to verify that
> iwlwifi-whatever.ucode claimed to be created by Intel, was indeed the
> *same* one Intel shipped out the door. That's it. It's up to the user
> to decide to "trust" Intel's microcode or not. All the kernel should be
> doing is confirming cryptographically that it came from Intel.
>
> Now, the CA vice Web-of-trust question is "Is this public key the proper
> public key for Intel?" There's several ways to solve this, and they
> aren't mutually exclusive:
>
> - Use the CA to verify you have the correct key
> - Use PGP counter-signing to sign Intel's key (kernel devs could do
> this according to pre-determined authenticity criteria)
> - Use TOFU (Trust on First Use) to confirm that your firmware file is
> signed with the *same* key for each subsequent version
> - Use crowd-sourcing to confirm that everyone else has the same public
> key for Intel
>
> Each approach has it's pluses and minuses, so a combination of
> approaches is probably the most viable.
The simple solution which had been proposed was to add a variant of
request_firmware() which specified the key(s) which were acceptable for
signing the firmware in question.
So Intel's signing key would be "trusted" merely by virtue of the fact
that it is explicitly referenced by the iwlwifi driver.
If you are able to get changes to the iwlwifi driver accepted by Linus,
then you can change that. But then, if you can sneak bogus changes into
the drivers then you have other attack models anyway, so I don't think
we need to invent more trust schemes to avoid that.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@intel.com Intel Corporation
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5760 bytes --]
next prev parent reply other threads:[~2016-08-02 14:09 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 [Ksummit-discuss] " Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse [this message]
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1470146943.6822.21.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=linus.walleij@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox