From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Mark Brown <broonie@sirena.org.uk>
Subject: Re: [Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust
Date: Thu, 18 Aug 2016 08:28:12 -0400 [thread overview]
Message-ID: <1471523292.2664.105.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1471450271.13300.76.camel@decadent.org.uk>
On Wed, 2016-08-17 at 17:11 +0100, Ben Hutchings wrote:
> On Wed, 2016-08-17 at 09:03 -0400, Mimi Zohar wrote:
> > On Wed, 2016-08-17 at 12:38 +0100, Ben Hutchings wrote:
> > >
> > > On Thu, 2016-08-04 at 00:01 +0100, Ben Hutchings wrote:
> > > >
> > > > On Wed, 2016-08-03 at 09:46 -0700, Andy Lutomirski wrote:
> > > > [...]
> > > > >
> > > > >
> > > > > And it gets rid of the IMO extremely nasty temporary key. I
> > > > > personally think that reproducible builds would add considerable
> > > > > value
> > > > > to many use cases, and we currently can't simultaneously support
> > > > > reproducible builds and Secure Boot without a big mess involving
> > > > > trusted parties, and the whole point of reproducible builds is to
> > > > > avoid needed to trust the packager.
> > > > [...]
> > > >
> > > > You need that trusted party to supply a signature for the kernel, so
> > > > why is it so much worse to have them do that for the modules as well?
> > > [...]
> > >
> > > I think I can now answer this myself.
> > >
> > > Where there's a separate certificate store, the signing stage can be
> > > entirely independent of the initial build. A user of a distribution
> > > can reproduce the distribution's unsigned binaries and then use their
> > > own keys to build signed binaries for their own use.
> > >
> > > However, the module signing certificate embedded in the kernel - even
> > > if it refers to a persistent signing key, making it reproducible - has
> > > to be established before the initial build, so it doesn't allow for
> > > users to use a different root of trust. So there ought to be an option
> > > to require signatures but without defining any trusted keys at build
> > > time.
> >
> > With Mehmet Kayaalp's patches memory can be reserved for adding keys
> > post build. After adding the key, the kernel would need to be
> > (re-)signed.
>
> I know, but it doesn't replace the first certificate.
A kernel is being built for a product development group without any
builtin keys, but with reserved memory. They've enabled
CONFIG_MODULE_SIG, but disabled CONFIG_MODULE_SIG_ALL.
Both inserting the key into the kernel and signing the kernel modules
are done post build.
For reproducible builds, instead of filling the reserved memory with
random numbers, so that it isn't compressed out, we would need to modify
the build process to use predefined uncompressible junk.
Mimi
next prev parent reply other threads:[~2016-08-18 12:28 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-03 2:58 Andy Lutomirski
2016-08-03 3:24 ` Kees Cook
2016-08-03 3:32 ` Matthew Garrett
2016-08-03 4:34 ` Andy Lutomirski
2016-08-03 4:42 ` Michael S. Tsirkin
2016-08-03 4:46 ` Andy Lutomirski
2016-08-03 5:15 ` Matthew Garrett
2016-08-03 8:33 ` Alexandre Belloni
2016-08-03 10:31 ` Mark Brown
2016-08-03 10:43 ` David Howells
2016-08-03 16:46 ` Andy Lutomirski
2016-08-03 17:17 ` Matthew Garrett
2016-08-03 17:23 ` Andy Lutomirski
2016-08-03 17:26 ` Matthew Garrett
2016-08-03 17:28 ` Andy Lutomirski
2016-08-03 18:00 ` Michael S. Tsirkin
2016-08-03 23:01 ` Ben Hutchings
2016-08-03 23:22 ` Andy Lutomirski
2016-08-04 5:26 ` Kees Cook
2016-08-17 11:38 ` Ben Hutchings
2016-08-17 13:03 ` Mimi Zohar
2016-08-17 16:11 ` Ben Hutchings
2016-08-18 12:28 ` Mimi Zohar [this message]
2016-08-03 12:42 ` James Bottomley
2016-08-03 17:04 ` Andy Lutomirski
2016-08-03 17:23 ` Matthew Garrett
2016-08-03 17:29 ` Andy Lutomirski
2016-08-03 22:09 ` James Bottomley
[not found] ` <CALCETrVpCnfOJ2aXkNsOXatQAF6NG-AcJpxeYfA9wG_t2ocykg@mail.gmail.com>
[not found] ` <CALCETrWgS0XObzxfQWQbyntVEn6QF81K2TVbS4bGNyN6EcYb_A@mail.gmail.com>
2016-08-03 22:39 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1471523292.2664.105.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=ben@decadent.org.uk \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=jwboyer@fedoraproject.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox