Re: [Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust

["Michael S. Tsirkin" <mst@redhat.com>]

On Wed, Aug 03, 2016 at 10:23:00AM -0700, Andy Lutomirski wrote:
> >>> I don't see a compelling argument for why we'd want to do module hashing at
> >>> all, given that we have to have the signature checking mechanism around anyway
> >>> for various reasons.
> >>
> >> I think that, for the Secure Boot usecase, we actually wouldn't need
> >> the signature checking mechanism at all.  Firmware signature checking
> >> in-kernel is important for some chain-of-trust use cases but AFAIK not
> >> for Secure Boot for standard desktop distros.
> >
> > Without an IOMMU you can probably subvert any DMA capable device that
> > loads unsigned firmware, at which point you're in a bad place again.
> > This isn't something I'm losing much sleep over, since attacks that
> > only work if you have a specific piece of hardware installed are much
> > less exciting. We'd still need signature checking so that users can
> > install their own signing keys, and I don't see distributions being
> > terribly enthusiastic about having two unrelated module validation
> > systems.
> 
> That's a question for the distros.  My intent would be to make the
> module hashing scheme as painless as possible for the distros: distros
> would just enable a config option and, if needed, adjust their debug
> info generation slightly.

It's actually nice not having to rebuild the kernel each time though.
Can the hash-checking code itself be a module (LSM?), such that hash isn't
checked if it's not loaded? One could imagine loading that
e.g. from the initrd.

> _______________________________________________
> Ksummit-discuss mailing list
> Ksummit-discuss@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/ksummit-discuss