From: Andy Lutomirski <luto@amacapital.net>
To: Jason Cooper <jason@lakedaemon.net>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Wed, 3 Aug 2016 10:20:17 -0700 [thread overview]
Message-ID: <CALCETrUUrYJk-WoTEMinxJyLG7TfJJAh+v3bZ1XsoufyjR99xg@mail.gmail.com> (raw)
In-Reply-To: <20160803164452.GM4541@io.lakedaemon.net>
On Wed, Aug 3, 2016 at 9:44 AM, Jason Cooper <jason@lakedaemon.net> wrote:
> Hi Andy,
>
> On Tue, Aug 02, 2016 at 08:07:17AM -0700, Andy Lutomirski wrote:
>> On Aug 2, 2016 5:20 AM, "Jason Cooper" <jason@lakedaemon.net> wrote:
>> > On Mon, Aug 01, 2016 at 04:45:20PM -0700, Andy Lutomirski wrote:
>> > > On Aug 1, 2016 4:30 PM, "Jason Cooper" <jason@lakedaemon.net> wrote:
>> > > > On Mon, Aug 01, 2016 at 04:13:50PM -0700, Andy Lutomirski wrote:
>> > > > > On Aug 1, 2016 4:04 PM, "Jason Cooper" <jason@lakedaemon.net> wrote:
>> > ...
>> > > > > > Assuming Andy's lightweight signature scheme, it would probably be best
>> > > > > > to do a lookup based on the sha256 hash of the file. Then pathnames
>> > > > > > don't matter, and bad files don't even get to the signature checking
>> > > > > > code.
>> > > > > >
>> > > > >
>> > > > > I'm not sure I understand what you mean. What table would we look the hash
>> > > > > up in? What are we finding in that table?
>> > > >
>> > > > From the other subthread:
>> > > >
>> > > > > Then, to verify a signature, the kernel hashes the blob, generates its
>> > > > > own linux_blob_signed_data, memcmps it to the one that Kyle signed
>> > > > > (and rejects if they differ *at all*), and then verifies the
>> > > > > signature. (Do not try to be clever and parse the supplied
>> > > > > linux_blob_signed_data -- there is a long and storied history of
>> > > > > equivalent ideas being implemented incorrectly, and I can dig out
>> > > > > literature references if you really want. Just generate your own and
>> > > > > memcmp it, which leaves no room for ambiguity.)
>> > > > >
>> > > >
>> > > > So, I'm suggesting that when "the kernel hashes the blob", it use that
>> > > > hash to locate *which* "Kyle-signed" linux_blob_signed_data it needs to
>> > > > compare against. That's all, just removing the filename from the
>> > > > equation. :-)
>> > >
>> > > So Kyle would generate a list of signatures indexed by the blob's hash
>> > > instead of generating things like "iwlwifi-whatever.ucode.sig"? Seems
>> > > okay. It'll keep the existing hooks working, I think. Of course, we still
>> > > need to check the "iwlwifi-whatever.ucode" bit to confirm that it matches
>> > > Kyle's signed data.
>> >
>> > Right. That's where it may be better to use a version string, say the
>> > sha1 from linux-firmware.git, or the upstream version number. However,
>> > that route means we can't easily 'build our own linux_blob_signed_data
>> > and do a memcmp.' since userspace may not have that info handy.
>>
>> I don't think I agree, although iwlwifi may not be the best example.
>
> merf. No, that was a half-baked idea (version numbers and such).
>
>> The driver will say request_firmware("iwlwifi-whatever.ucode", ...,
>> "Intel") or similar. The distro compiles the driver. Afterwards, Intel
>> releases an updated, backwards-compatible blob.
>>
>> If root trusts Intel, root can install that blob along with Kyle or Intel's
>> signature, and the kernel should accept it. We can achieve this by Kyle
>> signing the whole struct *and providing the signed struct* or by Intel
>> doing the equivalent operation.
>
> I agree, but aren't a lot of the files in linux-firmware hex dumps?
> meaning that 'compiling' is just reverting them to binary. Almost akin
> to a deterministic build. Intel's signature should still verify.
>
> Having Kyle's signature adds weight since an after-the-fact attacker
> would have to compromise two locations instead of just one.
I don't think that most vendors supply signatures right now, though.
>
>> But we do need the kernel to verify the "iwlwifi-whatever.ucode" string to
>> prevent an attack in which someone does:
>>
>> cp other-signed-thing.ucode iwlwifi-whatever.ucode
>
> How so? The sha256 of the blob won't match, the signature will fail.
>
I'm assuming the attacker has the ability to validly sign
other-signed-thing.ucode. For example, suppose that Eviltel wanted to
compromise Intel hardware and released a firmware blob that worked
correctly on Eviltel hardware but did bad things if loaded into an
Intel card. The verification scheme should prevent Kyle's signature
on the Eviltel blob from being abused to load it into the Intel
device.
> And besides, you seems to be saying the kernel needs to verify the
> filename, yet the command you give spoofs that filename... You seem to
> be proving *my* point ;-)
?
I'm saying that my attack should fail because the kernel should verify
that Kyle signed a message saying "the blob with has xyz is okay to
use for drivers that request 'other-signed-thing.ucode'". Drivers
that request 'iwlwifi-whatever.ucode' won't accept that.
>
>> and thus causes the driver to upload something harmful to the card. The
>> reason the textual firmware name works here (for using Kyle's signature and
>> for distro signatures) is that the string does uniquely define the firmware
>> purpose for Linux.
>
> Back to my earlier suggestion: The sha256 hash of the blob uniquely
> identifies the blob, and gives us a more flexible system. We care about
> the blob, not the name. git does the same thing, but with sha1.
>
> We can still happily use the filename in the request_firmware() call,
> it's just an untrusted fs lookup string. Ultimately, it's the hash of the
> blob that matters.
But this is vulnerable to exactly the attack above, right?
To clarify, I'm not saying I care at all about the actual on-disk name
of the file. I'm saying that I think Kyle should sign something that
includes the literal string passed to request_firmware, as that string
defines the intended purpose of the blob. In most cases, they happen
to be the same string.
>
>> If needed for vendor relations, we could accept an alternate format for
>> vendor keys. In that case, we avoid the wrong-blob attack by checking that
>> the key we verify with matches the expected vendor and hope that the vendor
>> doesn't release two pieces of hardware with firmwares that damage or attack
>> each other.
>
> -EPARSE.
What I mean is: Kyle would sign a structure defined by the kernel, but
if necessary would also accept a different signature format from a
hardware vendor if the vendor wanted us to.
next prev parent reply other threads:[~2016-08-03 17:20 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski [this message]
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrUUrYJk-WoTEMinxJyLG7TfJJAh+v3bZ1XsoufyjR99xg@mail.gmail.com \
--to=luto@amacapital.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox