ksummit.lists.linux.dev archive mirror
From: Peter Jones <pjones@redhat.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: mcgrof@gmail.com, ksummit-discuss@lists.linuxfoundation.org,
	richard@hughsie.com, jkkm@jkkm.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 14:47:30 -0400	[thread overview]
Message-ID: <20150728184730.GA22263@redhat.com> (raw)
In-Reply-To: <1438096326.26913.180.camel@infradead.org>

On Tue, Jul 28, 2015 at 04:12:06PM +0100, David Woodhouse wrote:
> On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
> 
> >  (3) If the vendors of firmware blobs supply signatures, should we accept
> >      those instead of or as well as linux-firmware signatures?
> 
> Yes, definitely. And in fact that ties in to separate discussions we've
> been having about how to automatically *obtain* certain firmware
> images, which are signed by Microsoft's AuthentiCode scheme.
> 
> People were talking about how to validate those signatures in userspace
> when we obtain the firmware. But really, they should be carried all the
> way through and validated in the kernel too.

And even past there - if the firmware update is compliant with NIST
SP800-147 (which they really all /should/ be, but we know how that
goes), then the actual blob that gets passed to the firmware still must
be signed with a key trusted by the firmware.

The standard says (this is the summary section, but the whole thing is
only 26 pages):
  
  2. BIOS Update Authentication

  2-A There shall be a Root of Trust for Update (RTU) that contains a
  signature verification algorithm and a key store that includes the
  public key needed to verify the signature on the BIOS update image.

  2-B The key store and the signature verification algorithm shall be
  stored in a protected fashion on the computer system and shall be
  modifiable only using an authenticated update mechanism or a secure
  local update mechanism as outlined in Section 3.1.2.

  2-C The key store in the RTU shall include the public key for
  verifying the signature on a BIOS update image or include the hash
  [FIPS 180-3] of the public key for verifying the signature on a BIOS
  update image that includes the public key. In the latter case, the
  update mechanism shall ensure that the hash of the public key provided
  with the BIOS update image appears in the key store before using the
  provided public key to verify the signature on the BIOS update image.

  2-D BIOS images shall be signed in conformance with NIST SP 800-89,
  Recommendation for Obtaining Assurances for Digital Signature
  Applications [SP800-89], using an approved digital signature algorithm
  as specified in NIST FIPS 186-3, Digital Signature Standard
  [FIPS186-3], that provides at least 112 bits of security strength, in
  accordance with NIST SP 800-131A, Transitions: Recommendation for
  Transitioning the Use of Cryptographic Algorithms and Key Lengths
  [SP800-131A].

  2-E The authenticated update mechanism shall ensure that the BIOS
  update image has been digitally signed and that the digital signature
  can be verified using one of the keys in the key store in the RTU
  before updating the BIOS.

(elsewhere it defines BIOS quite broadly.)

Now, of course this is a NIST "Recommendations" "Special Publication",
not an actual National Standard or ISO document or anything else, but if
you ask e.g. Dell or Insyde or others if their Capsule updates are
compliant, many of them are.

TBH I'm not sure we shouldn't put up a big disclaimer that says you
aren't allowed to be using our update system unless they are.

-- 
        Peter
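
The 2-C/2-D/2-E verification order quoted above, as an added example that is not part of this message, the thread, or NIST's text: a Root of Trust for Update whose key store holds SHA-256 hashes of trusted vendor keys rather than the keys themselves (the second option in 2-C), which refuses any image whose header names an algorithm below the 112-bit floor of 2-D, confirms that the hash of the key embedded in the image is already in the key store before using that key for anything, and only then verifies the signature (2-E). Go is used because its standard library carries Ed25519 and SHA-256; the "UPD1" image layout, the algorithm IDs, the RTU and BuildImage names and the "constructed BIOS payload" are all this example's own assumptions and not a real capsule format. Ed25519 stands in for whichever approved algorithm a real RTU implements; algorithm ID 2 stands in for a legacy scheme such as RSA-1024 whose strength is 80 bits. The "rogue" image is the case 2-C is guarding against: it carries an attacker's own key and a signature that is valid under that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed update-image layout (this example's own, not a real capsule format):
//   [0:4] magic "UPD1" | [4] algorithm ID | [5:37] Ed25519 public key |
//   [37:101] signature over magic||algID||pubkey||payload | [101:] payload
const (
	magicLen    = 4
	pubOff      = magicLen + 1
	sigOff      = pubOff + ed25519.PublicKeySize
	payloadOff  = sigOff + ed25519.SignatureSize
	minStrength = 112 // SP 800-147 2-D: at least 112 bits of security strength
)

// Algorithm IDs carried in the header. ID 2 stands in for a legacy scheme
// (RSA-1024, 80-bit strength per SP 800-57) that the RTU must refuse on
// policy grounds even if its signature would verify.
const (
	algEd25519 uint8 = 1
	algRSA1024 uint8 = 2
)

// Security strength of each ID. Only Ed25519 has a verify path below, so it
// must stay the only entry at or above minStrength.
var algStrength = map[uint8]int{algEd25519: 128, algRSA1024: 80}

var (
	ErrMalformed    = errors.New("update image malformed")
	ErrWeakAlg      = errors.New("signature algorithm below 112-bit security strength")
	ErrUntrustedKey = errors.New("hash of embedded public key not in RTU key store")
	ErrBadSig       = errors.New("signature verification failed")
)

// RTU models the Root of Trust for Update of 2-A..2-C. Its key store holds
// SHA-256 hashes of trusted vendor keys; the key itself travels in the image.
type RTU struct {
	keyStore map[[sha256.Size]byte]struct{}
}

func NewRTU(trusted ...ed25519.PublicKey) *RTU {
	r := &RTU{keyStore: make(map[[sha256.Size]byte]struct{})}
	for _, k := range trusted {
		r.keyStore[Fingerprint(k)] = struct{}{}
	}
	return r
}

// Fingerprint is the SHA-256 hash of the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) [sha256.Size]byte { return sha256.Sum256(pub) }

// Verify is the 2-E check. Order matters: algorithm policy (2-D) first, then the
// embedded key's hash must already be in the store (2-C), and only then the signature.
func (r *RTU) Verify(image []byte) ([]byte, error) {
	if len(image) < payloadOff || string(image[:magicLen]) != "UPD1" {
		return nil, ErrMalformed
	}
	alg := image[magicLen]
	if algStrength[alg] < minStrength { // unknown IDs look up as 0 and are refused too
		return nil, ErrWeakAlg
	}
	pub := ed25519.PublicKey(image[pubOff:sigOff])
	if _, ok := r.keyStore[Fingerprint(pub)]; !ok {
		return nil, ErrUntrustedKey // a self-signed image carrying an attacker's key stops here
	}
	signed := append(append([]byte{}, image[:sigOff]...), image[payloadOff:]...)
	if !ed25519.Verify(pub, signed, image[sigOff:payloadOff]) {
		return nil, ErrBadSig
	}
	return image[payloadOff:], nil
}

// BuildImage is the vendor side: embed the public key and sign header plus payload.
func BuildImage(priv ed25519.PrivateKey, alg uint8, payload []byte) []byte {
	hdr := append([]byte("UPD1"), alg)
	hdr = append(hdr, priv.Public().(ed25519.PublicKey)...)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rtu := NewRTU(vendorPub)
	payload := []byte("constructed BIOS payload")
	images := map[string][]byte{
		"good":  BuildImage(vendorPriv, algEd25519, payload),
		"rogue": BuildImage(roguePriv, algEd25519, payload),  // valid signature, key not in store
		"weak":  BuildImage(vendorPriv, algRSA1024, payload), // trusted key, header claims weak alg
	}
	for name, img := range images {
		_, err := rtu.Verify(img)
		fmt.Printf("%-5s -> %v\n", name, err)
	}
}
```

Running main prints one line per image and only "good" verifies. Swapping the key-store check and the signature check would let "rogue" through, since its signature is valid under the key it carries; that is exactly why 2-C requires the hash lookup before the embedded key is used. The same check run in the kernel or in userspace does not replace this one: as the message says, the firmware's own RTU is what finally decides whether the blob is applied.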
