From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Mon, 1 Aug 2016 22:23:20 +0200 [thread overview]
Message-ID: <20160801202320.GB3296@wotan.suse.de> (raw)
In-Reply-To: <CALCETrX134Qnv4Xy2RAHO2QXka9_k9qAoEqrXaw-mX2kAkrzig@mail.gmail.com>
On Mon, Aug 01, 2016 at 10:59:57AM -0700, Andy Lutomirski wrote:
> On Mon, Aug 1, 2016 at 10:29 AM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> > On Sun, Jul 31, 2016 at 11:20:08AM -0700, Andy Lutomirski wrote:
> >> If IMA doesn't want or need to verify the purpose of the loaded file, fine.
> >
> > So other than origin you are indicating a proper LSM that would want to vet firmware
> > should want purpose ? Is that right?
>
> A security policy that wants to provide strong protection should
> verify that whatever file is being loaded is being used for its
> authorized purpose. The wireless regulatory subsystem should only
> load data signed by the wifi regulatory key, the iwlwifi driver should
> only accept firmware signed by the system *for the purpose of being
> used as iwlwifi firmware* (or perhaps signed by Intel), the nouveau
> driver should accept files signed for the purpose of being used as
> nvidia firmware and should reject things that are signed by Intel,
> etc.
>
> > If so I'd like to understand this suggestion
> > a bit better given we already have. So we have:
> >
> > #define __kernel_read_file_id(id) \
> > id(UNKNOWN, unknown) \
> > id(FIRMWARE, firmware) \
> > id(FIRMWARE_PREALLOC_BUFFER, firmware) \
> > id(MODULE, kernel-module) \
> > id(KEXEC_IMAGE, kexec-image) \
> > id(KEXEC_INITRAMFS, kexec-initramfs) \
> > id(POLICY, security-policy) \
> > id(MAX_ID, )
> >
> >
> > #define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
> > #define __fid_stringify(dummy, str) #str,
> >
> > enum kernel_read_file_id {
> > __kernel_read_file_id(__fid_enumify)
> > };
> >
> > extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t,
> > enum kernel_read_file_id);
> >
> > Are you saying FIRMWARE id is not sufficient ? What would be an example
> > purpose be here for FIRMWARE ?
>
> The string "iwlwifi-8265-21.ucode" would be a reasonable purpose, I
> think. It could make sense to split out the vendor, too:
>
> .type = FIRMWARE,
> .vendor = "Intel",
> .purpose = "iwlwifi-8265-21.ucode",
>
> then distro policy could know to accept a file signed by Intel
> (because "Intel" would be mapped in some table to a public key), a
> file signed by the distro key where the signature (using PKCS#7
> auxiliarry data (or whatever it's called) or some other simpler
> protocol) indicates that the signed object is "iwlwifi-8265-21.ucode",
> or perhaps an IMA-verified file with an appropriate absolute path.
OK thanks, this makes it clear.
If you consider the existing kernel strategy for module signing as an LSM
(even though it is not yet), then the way firmware singing was being
designed currently was to match that LSM. That is, we'd have something
very similar to mod_verify_sig() just that when calling
verify_pkcs7_signature() would use VERIFYING_FIRMWARE_SIGNATURE, would
be used instead of VERIFYING_MODULE_SIGNATURE.
We have:
/*
* The use to which an asymmetric key is being put.
*/
enum key_being_used_for {
VERIFYING_MODULE_SIGNATURE,
VERIFYING_FIRMWARE_SIGNATURE,
VERIFYING_KEXEC_PE_SIGNATURE,
VERIFYING_KEY_SIGNATURE,
VERIFYING_KEY_SELF_SIGNATURE,
VERIFYING_UNSPECIFIED_SIGNATURE,
NR__KEY_BEING_USED_FOR
};
In this light, what you describe would be an extension to this LSM and am
wondering if we can stage this so this so that this "vendor" and "purpose"
thing is dealt with after the same LSM strategy is matched to module signing
first. With this simple scheme we'd just have one key -- the linux-firmware
maintainer's key.
The second stage of firmware singing would be to iron out if vendors even want
to participate with a series of vendor + firmware file key and we'd have a
registry in the kernel built-in. We'd check then provenance in 2 levels:
o linux-firmware maintainer key
o vendor key for the target file
Luis
next prev parent reply other threads:[~2016-08-01 20:23 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez [this message]
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160801202320.GB3296@wotan.suse.de \
--to=mcgrof@suse.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox