From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Andy Lutomirski <luto@amacapital.net>,
Johannes Berg <johannes@sipsolutions.net>
Cc: Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Kyle McMartin <kyle@kernel.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Mon, 1 Aug 2016 22:57:06 +0200 [thread overview]
Message-ID: <20160801205706.GE3296@wotan.suse.de> (raw)
In-Reply-To: <CALCETrXZicXvXPFC=NenCCJ76rB=2shBzEfkUb4xgHh0Vrub+A@mail.gmail.com>
On Mon, Aug 01, 2016 at 01:37:43PM -0700, Andy Lutomirski wrote:
> On Mon, Aug 1, 2016 at 1:23 PM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> > On Mon, Aug 01, 2016 at 10:59:57AM -0700, Andy Lutomirski wrote:
> >> On Mon, Aug 1, 2016 at 10:29 AM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> >> > On Sun, Jul 31, 2016 at 11:20:08AM -0700, Andy Lutomirski wrote:
> >> >> If IMA doesn't want or need to verify the purpose of the loaded file, fine.
> >> >
> >> > So other than origin you are indicating a proper LSM that would want to vet firmware
> >> > should want purpose ? Is that right?
> >>
> >> A security policy that wants to provide strong protection should
> >> verify that whatever file is being loaded is being used for its
> >> authorized purpose. The wireless regulatory subsystem should only
> >> load data signed by the wifi regulatory key, the iwlwifi driver should
> >> only accept firmware signed by the system *for the purpose of being
> >> used as iwlwifi firmware* (or perhaps signed by Intel), the nouveau
> >> driver should accept files signed for the purpose of being used as
> >> nvidia firmware and should reject things that are signed by Intel,
> >> etc.
> >>
> >> > If so I'd like to understand this suggestion
> >> > a bit better given we already have. So we have:
> >> >
> >> > #define __kernel_read_file_id(id) \
> >> > id(UNKNOWN, unknown) \
> >> > id(FIRMWARE, firmware) \
> >> > id(FIRMWARE_PREALLOC_BUFFER, firmware) \
> >> > id(MODULE, kernel-module) \
> >> > id(KEXEC_IMAGE, kexec-image) \
> >> > id(KEXEC_INITRAMFS, kexec-initramfs) \
> >> > id(POLICY, security-policy) \
> >> > id(MAX_ID, )
> >> >
> >> >
> >> > #define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
> >> > #define __fid_stringify(dummy, str) #str,
> >> >
> >> > enum kernel_read_file_id {
> >> > __kernel_read_file_id(__fid_enumify)
> >> > };
> >> >
> >> > extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t,
> >> > enum kernel_read_file_id);
> >> >
> >> > Are you saying FIRMWARE id is not sufficient ? What would be an example
> >> > purpose be here for FIRMWARE ?
> >>
> >> The string "iwlwifi-8265-21.ucode" would be a reasonable purpose, I
> >> think. It could make sense to split out the vendor, too:
> >>
> >> .type = FIRMWARE,
> >> .vendor = "Intel",
> >> .purpose = "iwlwifi-8265-21.ucode",
> >>
> >> then distro policy could know to accept a file signed by Intel
> >> (because "Intel" would be mapped in some table to a public key), a
> >> file signed by the distro key where the signature (using PKCS#7
> >> auxiliarry data (or whatever it's called) or some other simpler
> >> protocol) indicates that the signed object is "iwlwifi-8265-21.ucode",
> >> or perhaps an IMA-verified file with an appropriate absolute path.
> >
> > OK thanks, this makes it clear.
> >
> > If you consider the existing kernel strategy for module signing as an LSM
> > (even though it is not yet), then the way firmware singing was being
> > designed currently was to match that LSM. That is, we'd have something
> > very similar to mod_verify_sig() just that when calling
> > verify_pkcs7_signature() would use VERIFYING_FIRMWARE_SIGNATURE, would
> > be used instead of VERIFYING_MODULE_SIGNATURE.
> >
> > We have:
> >
> > /*
> > * The use to which an asymmetric key is being put.
> > */
> > enum key_being_used_for {
> > VERIFYING_MODULE_SIGNATURE,
> > VERIFYING_FIRMWARE_SIGNATURE,
> > VERIFYING_KEXEC_PE_SIGNATURE,
> > VERIFYING_KEY_SIGNATURE,
> > VERIFYING_KEY_SELF_SIGNATURE,
> > VERIFYING_UNSPECIFIED_SIGNATURE,
> > NR__KEY_BEING_USED_FOR
> > };
> >
> > In this light, what you describe would be an extension to this LSM and am
> > wondering if we can stage this so this so that this "vendor" and "purpose"
> > thing is dealt with after the same LSM strategy is matched to module signing
> > first. With this simple scheme we'd just have one key -- the linux-firmware
> > maintainer's key.
> >
>
> I don't see why not. After all, nothing is verifying the firmware
> name / purpose right not, so nothing would regress.
OK then as far as firmware signing is concerned I think this is agreed upon
material.
> > The second stage of firmware singing would be to iron out if vendors even want
> > to participate with a series of vendor + firmware file key and we'd have a
> > registry in the kernel built-in. We'd check then provenance in 2 levels:
> >
> > o linux-firmware maintainer key
> > o vendor key for the target file
>
> Given Johannes Berg's request to move regulatory database loading into
> the kernel, there might be an earlier use case.
I share his goal, and in fact getting rid of needing CRDA was my original
motivation to add firmware signing support. When we reviewed how this would
work -- we seemed to have agreed that Seth (wireless-regdb maintainer) would no
longer need to sign the regulatory.bin file and whatever file we end up with
would instead be signed by Kyle, the linux-firmware maintainer.
> Specifically, either
> set up the regulatory database with a vendor of
> "linux-wireless-regulatory" and teach the verification code that this
> particular vendor *requires* a vendor signature (and not, say, a
> distro signature) or allocate it its own enum value for the type and
> teach the verification code to work with that.
Well reason we ended up deciding on just one key and linux-firmware was
that people already package linux-firmware and we'd hope no one will
put a gun to Kyle's head to do evil things. Nevertheless, what you
describe of augmenting keys for files / purpose seems sensible, however
this should be optional. For our case in 802.11 we seemed to be OK
with Kyle's key last we discussed.
At least for starters.
> In any event, consolidating the code so there's a single "verify this
> loaded blob" function that implements all the policy would probably
> make this easier to write, maintain, and audit.
Agreed. So LSM'ifyng this.
Luis
next prev parent reply other threads:[~2016-08-01 20:57 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez [this message]
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160801205706.GE3296@wotan.suse.de \
--to=mcgrof@suse.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=johannes@sipsolutions.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=kyle@kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox