[Ksummit-discuss] [CORE TOPIC] Trusted kernel patchset

[Ksummit-discuss] [CORE TOPIC] Trusted kernel patchset

[Matthew Garrett]

(Posting as core rather than tech because I suspect this is more 
political than technical at this point)

Most major distributions ship these. There is strong demand from Google, 
who want to use them in a use-case that has nothing to do with UEFI 
Secure Boot. Making a distinction between root and kernel security is a 
necessary part of securing a boot chain[1].

Yet, after apparently gaining at least a rough consensus at LPC last 
year, we're now at the point where there's yet another suggestion for 
how to rewrite them but absolutely nobody showing any signs of being 
willing to do that work or any agreement from anyone in the security 
community that entirely reworking capabilities is either practical or 
desirable.

It'd be nice to have this done before August, but given that all 
previous attempts to actually get it unblocked on mailing lists have 
failed maybe we should talk about it in person. Again.

[1] See: the large number of people running modified kernels on their 
Android devices by using the signed vendor kernel to kexec them. Great 
for freedom, bad for the guarantees you were attempting to provide 
regarding trusted code

-- 
Matthew Garrett | mjg59@srcf.ucam.org

Re: [Ksummit-discuss] [CORE TOPIC] Trusted kernel patchset

[Josh Boyer]

On Wed, May 7, 2014 at 2:03 PM, Matthew Garrett <mjg59@srcf.ucam.org> wrote:
> (Posting as core rather than tech because I suspect this is more
> political than technical at this point)
>
> Most major distributions ship these. There is strong demand from Google,
> who want to use them in a use-case that has nothing to do with UEFI
> Secure Boot. Making a distinction between root and kernel security is a
> necessary part of securing a boot chain[1].
>
> Yet, after apparently gaining at least a rough consensus at LPC last
> year, we're now at the point where there's yet another suggestion for
> how to rewrite them but absolutely nobody showing any signs of being
> willing to do that work or any agreement from anyone in the security
> community that entirely reworking capabilities is either practical or
> desirable.
>
> It'd be nice to have this done before August, but given that all
> previous attempts to actually get it unblocked on mailing lists have
> failed maybe we should talk about it in person. Again.

I think it's fairly obvious I'd like to attend this.  Other suggested
people would be:

James Bottomley
James Morris
Kees Cook
Joey Li
Gary Lin
Vojtech Pavlik

josh

Re: [Ksummit-discuss] [CORE TOPIC] Trusted kernel patchset

[Andy Lutomirski]

On Wed, May 7, 2014 at 11:03 AM, Matthew Garrett <mjg59@srcf.ucam.org> wrote:
> (Posting as core rather than tech because I suspect this is more
> political than technical at this point)
>
> Most major distributions ship these. There is strong demand from Google,
> who want to use them in a use-case that has nothing to do with UEFI
> Secure Boot. Making a distinction between root and kernel security is a
> necessary part of securing a boot chain[1].
>
> Yet, after apparently gaining at least a rough consensus at LPC last
> year, we're now at the point where there's yet another suggestion for
> how to rewrite them but absolutely nobody showing any signs of being
> willing to do that work or any agreement from anyone in the security
> community that entirely reworking capabilities is either practical or
> desirable.

I am very interested in this, both from the POV of how capabilities do
and/or should work, and of what trusted boot should do.

There is a lot of very vocal opposition to any change in the way that
capabilities work, and I think that, at some point, it might be
helpful if enough people who think that capabilities can change
reached some kind of consensus so that something can be done.

That being said, capabilities are a giant mess, and it might be really
hard to fix them.

--Andy