From: David Howells <dhowells@redhat.com>
To: ksummit-discuss@lists.linuxfoundation.org
Cc: mcgrof@gmail.com, jkkm@jkkm.org
Subject: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 14:36:59 +0100 [thread overview]
Message-ID: <20436.1438090619@warthog.procyon.org.uk> (raw)
Patches are in the works for the provision of signatures for firmware blobs
for the kernel to check, thus allowing the kernel to act as gatekeeper on what
firmware blobs get loaded where.
Note that it has been agreed that signatures will be in separate files to the
firmware blobs so as not to potentially corrupt a blob by copying it to an OS
that doesn't expect the signature. Also, we don't want to modify the blob in
case of IP.
We're currently using PKCS#7/CMS messages as the signature format since we
have a PKCS#7 parser and verifier already in the kernel for kexec.
Patches have been proposed for inclusion in security/next that allow PKCS#11
to be used to supply h/w keys to the sign-file program and to the kernel build
process.
There are a number of areas that could do with sorting out with regard key
policy:
(1) Should signatures produced by the manager of the linux-firmware package
be allowed only?
(2) If the linux-firmware packages are signed by a single key (or just a few
keys) it may be manageable to compile all these keys into the kernel.
(3) If the vendors of firmware blobs supply signatures, should we accept
those instead of or as well as linux-firmware signatures?
(4) If we start taking vendor created blobs, what do we do with all the
vendor keys? Compiling them into the kernel could quickly get out of
hand and asking the user to add them to the UEFI keystore has the
potential to brick the user's system due to a dodgy BIOS.
(5) For firmware signatures, the patches we have currently expect to find a
signed attribute in the PKCS#7 that specifies the same name as is passed
to request_firmware().
(6) Should module signatures contain the module name - to be matched against
the modinfo structure after the signature is checked?
(7) Do we want to have the driver mandate the key that will be used when
requesting firmware? How would we specify the key? I'm loathe to
include a hash of the public key since that means the driver is then tied
to a particular key.
(8) Can we then trust that key if we load it on the basis that a driver
specifies it by public key hash, even it we can't chain back from it to
the system_trusted_keyring.
(9) Do we allow UEFI blacklisting of firmware signatures?
Some points that may be of use in considering the above:
(A) PKCS#7/CMS messages can take multiple signatures. Extra signatures can
be added at a later date.
(B) We can load keys dynamically - provided we can verify them with a key we
already have.
(C) If we can't trace a key back to a key we know we trust, that key cannot
be used.
(D) The PKCS#7/CMS field that matches the signing key is not itself signed.
If we do have this discussion, it would be useful to have some or all of Luis
Rodriguez, David Woodhouse, Andy Lutomirski, Kyle McMartin, Seth Forshee and
Mimi Zohar present.
David
next reply other threads:[~2015-07-28 13:37 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 13:36 David Howells [this message]
2015-07-28 14:23 ` David Woodhouse
2015-07-28 16:55 ` Luis R. Rodriguez
2015-07-28 15:10 ` James Bottomley
2015-07-28 15:22 ` Andy Lutomirski
2015-07-28 15:31 ` James Bottomley
2015-07-28 16:05 ` Andy Lutomirski
2015-07-28 16:10 ` James Bottomley
2015-07-28 16:15 ` David Woodhouse
2015-07-28 16:35 ` Andy Lutomirski
2015-07-28 16:44 ` David Howells
2015-07-28 17:03 ` Andy Lutomirski
2015-07-28 19:19 ` David Woodhouse
2015-07-28 19:31 ` Andy Lutomirski
2015-07-28 19:43 ` David Woodhouse
2015-07-28 22:03 ` James Bottomley
2015-08-11 20:24 ` David Howells
2015-08-11 21:56 ` Andy Lutomirski
2015-08-11 22:03 ` Luis R. Rodriguez
2015-08-12 18:22 ` David Howells
2015-08-12 18:45 ` David Woodhouse
2015-08-12 19:09 ` Andy Lutomirski
2015-08-12 19:15 ` James Bottomley
2015-08-12 19:25 ` Andy Lutomirski
2015-08-12 19:43 ` James Bottomley
2015-08-12 19:45 ` Andy Lutomirski
2015-08-12 19:59 ` James Bottomley
2015-08-13 7:03 ` Jan Kara
2015-08-13 14:01 ` James Bottomley
2015-08-12 22:46 ` David Howells
2015-08-12 22:51 ` Andy Lutomirski
2015-08-12 19:06 ` Andy Lutomirski
2015-08-12 22:39 ` David Howells
2015-08-12 22:45 ` Andy Lutomirski
2015-08-12 22:45 ` David Howells
2015-08-12 22:47 ` Andy Lutomirski
2015-07-28 16:18 ` David Howells
2015-07-28 16:42 ` James Bottomley
2015-07-28 17:05 ` Andy Lutomirski
2015-07-28 17:09 ` James Bottomley
2015-07-28 17:10 ` Andy Lutomirski
2015-07-29 2:00 ` James Morris
2015-07-28 16:58 ` Josh Boyer
2015-07-28 15:12 ` David Woodhouse
2015-07-28 18:47 ` Peter Jones
2015-07-28 19:14 ` David Howells
2015-07-28 19:52 ` Peter Jones
2015-07-28 16:17 ` David Howells
2015-07-28 16:59 ` James Bottomley
2015-07-28 19:11 ` David Howells
2015-07-28 19:34 ` Luis R. Rodriguez
2015-07-28 21:53 ` James Bottomley
2015-07-28 22:39 ` David Howells
2015-07-28 22:44 ` Andy Lutomirski
2015-07-29 8:39 ` David Woodhouse
2015-07-28 18:36 ` josh
2015-07-28 18:44 ` James Bottomley
2015-07-28 18:54 ` josh
2015-07-28 19:06 ` Luis R. Rodriguez
2015-07-28 21:38 ` Greg KH
2015-07-28 23:59 ` josh
2015-07-29 0:17 ` Greg KH
2015-07-29 9:37 ` David Woodhouse
2015-07-29 15:00 ` James Bottomley
2015-07-29 15:35 ` David Woodhouse
2015-07-29 16:38 ` James Bottomley
2015-07-29 17:32 ` David Woodhouse
2015-07-29 23:39 ` James Bottomley
2015-07-30 8:08 ` David Woodhouse
2015-07-30 13:48 ` James Bottomley
2015-07-30 14:21 ` Heiko Stübner
2015-07-30 14:30 ` James Bottomley
2015-07-30 15:01 ` David Woodhouse
2015-07-30 16:17 ` James Bottomley
2015-07-30 19:17 ` David Woodhouse
2015-07-31 14:41 ` Theodore Ts'o
2015-07-31 16:14 ` Tim Bird
2015-07-31 17:25 ` David Woodhouse
2015-07-30 16:24 ` Tim Bird
2015-07-29 16:35 ` Josh Triplett
2015-07-29 8:29 ` David Woodhouse
2015-07-29 11:57 ` Mark Brown
2015-07-29 12:02 ` David Woodhouse
2015-07-29 12:24 ` Mark Brown
2015-07-28 19:23 ` David Woodhouse
2015-07-28 19:19 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20436.1438090619@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=jkkm@jkkm.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox