From: Andy Lutomirski <luto@amacapital.net>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Luis Rodriguez <mcgrof@gmail.com>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
jkkm@jkkm.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 09:05:14 -0700 [thread overview]
Message-ID: <CALCETrVPf9gN92iC+vtKOOBY0GpzAnZuKpEMMgZzU-uXAM1qMQ@mail.gmail.com> (raw)
In-Reply-To: <1438097471.5441.152.camel@HansenPartnership.com>
On Tue, Jul 28, 2015 at 8:31 AM, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
> On Tue, 2015-07-28 at 08:22 -0700, Andy Lutomirski wrote:
>> On Tue, Jul 28, 2015 at 8:10 AM, James Bottomley
>> <James.Bottomley@hansenpartnership.com> wrote:
>> > On Tue, 2015-07-28 at 14:36 +0100, David Howells wrote:
>> >> Patches are in the works for the provision of signatures for firmware blobs
>> >> for the kernel to check, thus allowing the kernel to act as gatekeeper on what
>> >> firmware blobs get loaded where.
>> >>
>> >> Note that it has been agreed that signatures will be in separate files to the
>> >> firmware blobs so as not to potentially corrupt a blob by copying it to an OS
>> >> that doesn't expect the signature. Also, we don't want to modify the blob in
>> >> case of IP.
>> >>
>> >> We're currently using PKCS#7/CMS messages as the signature format since we
>> >> have a PKCS#7 parser and verifier already in the kernel for kexec.
>> >>
>> >> Patches have been proposed for inclusion in security/next that allow PKCS#11
>> >> to be used to supply h/w keys to the sign-file program and to the kernel build
>> >> process.
>> >>
>> >> There are a number of areas that could do with sorting out with regard key
>> >> policy:
>> >>
>> >> (1) Should signatures produced by the manager of the linux-firmware package
>> >> be allowed only?
>> >
>> > Firmware is a binary blob usually with no decompilation. How would the
>> > package manager know its provenance? The only people who know are the
>> > people who write the driver. If they sign, I think we have to accept
>> > their signature and if not, we could have a weaker level of trust on the
>> > package manager based on unbroken chain of transmission from the
>> > firmware provider, but you'd have to trust the packaging organisation.
>>
>> But IMO we really don't want trust $RANDOM_USB_WIDGET_VENDOR to supply
>> firmware for the GPU, for example.
>
> I'm not saying that. I'm saying that if we verify some chain in
> firmware, it has to be from a trusted supplier to us, meaning we invest
> trust already in the supplier. However, the trusted supplier should be
> the original device vendor. if $RANDOM_USB_WIGET_VENDOR isn't the
> original vendor, then this would not trust them. If they are, it's
> hobson's choice ... and god help us.
Sure, but we shouldn't stick the USB vendor's key into the system
keyring. I'm fine with having it in the kernel or in some database,
though.
--Andy
next prev parent reply other threads:[~2015-07-28 16:05 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 13:36 David Howells
2015-07-28 14:23 ` David Woodhouse
2015-07-28 16:55 ` Luis R. Rodriguez
2015-07-28 15:10 ` James Bottomley
2015-07-28 15:22 ` Andy Lutomirski
2015-07-28 15:31 ` James Bottomley
2015-07-28 16:05 ` Andy Lutomirski [this message]
2015-07-28 16:10 ` James Bottomley
2015-07-28 16:15 ` David Woodhouse
2015-07-28 16:35 ` Andy Lutomirski
2015-07-28 16:44 ` David Howells
2015-07-28 17:03 ` Andy Lutomirski
2015-07-28 19:19 ` David Woodhouse
2015-07-28 19:31 ` Andy Lutomirski
2015-07-28 19:43 ` David Woodhouse
2015-07-28 22:03 ` James Bottomley
2015-08-11 20:24 ` David Howells
2015-08-11 21:56 ` Andy Lutomirski
2015-08-11 22:03 ` Luis R. Rodriguez
2015-08-12 18:22 ` David Howells
2015-08-12 18:45 ` David Woodhouse
2015-08-12 19:09 ` Andy Lutomirski
2015-08-12 19:15 ` James Bottomley
2015-08-12 19:25 ` Andy Lutomirski
2015-08-12 19:43 ` James Bottomley
2015-08-12 19:45 ` Andy Lutomirski
2015-08-12 19:59 ` James Bottomley
2015-08-13 7:03 ` Jan Kara
2015-08-13 14:01 ` James Bottomley
2015-08-12 22:46 ` David Howells
2015-08-12 22:51 ` Andy Lutomirski
2015-08-12 19:06 ` Andy Lutomirski
2015-08-12 22:39 ` David Howells
2015-08-12 22:45 ` Andy Lutomirski
2015-08-12 22:45 ` David Howells
2015-08-12 22:47 ` Andy Lutomirski
2015-07-28 16:18 ` David Howells
2015-07-28 16:42 ` James Bottomley
2015-07-28 17:05 ` Andy Lutomirski
2015-07-28 17:09 ` James Bottomley
2015-07-28 17:10 ` Andy Lutomirski
2015-07-29 2:00 ` James Morris
2015-07-28 16:58 ` Josh Boyer
2015-07-28 15:12 ` David Woodhouse
2015-07-28 18:47 ` Peter Jones
2015-07-28 19:14 ` David Howells
2015-07-28 19:52 ` Peter Jones
2015-07-28 16:17 ` David Howells
2015-07-28 16:59 ` James Bottomley
2015-07-28 19:11 ` David Howells
2015-07-28 19:34 ` Luis R. Rodriguez
2015-07-28 21:53 ` James Bottomley
2015-07-28 22:39 ` David Howells
2015-07-28 22:44 ` Andy Lutomirski
2015-07-29 8:39 ` David Woodhouse
2015-07-28 18:36 ` josh
2015-07-28 18:44 ` James Bottomley
2015-07-28 18:54 ` josh
2015-07-28 19:06 ` Luis R. Rodriguez
2015-07-28 21:38 ` Greg KH
2015-07-28 23:59 ` josh
2015-07-29 0:17 ` Greg KH
2015-07-29 9:37 ` David Woodhouse
2015-07-29 15:00 ` James Bottomley
2015-07-29 15:35 ` David Woodhouse
2015-07-29 16:38 ` James Bottomley
2015-07-29 17:32 ` David Woodhouse
2015-07-29 23:39 ` James Bottomley
2015-07-30 8:08 ` David Woodhouse
2015-07-30 13:48 ` James Bottomley
2015-07-30 14:21 ` Heiko Stübner
2015-07-30 14:30 ` James Bottomley
2015-07-30 15:01 ` David Woodhouse
2015-07-30 16:17 ` James Bottomley
2015-07-30 19:17 ` David Woodhouse
2015-07-31 14:41 ` Theodore Ts'o
2015-07-31 16:14 ` Tim Bird
2015-07-31 17:25 ` David Woodhouse
2015-07-30 16:24 ` Tim Bird
2015-07-29 16:35 ` Josh Triplett
2015-07-29 8:29 ` David Woodhouse
2015-07-29 11:57 ` Mark Brown
2015-07-29 12:02 ` David Woodhouse
2015-07-29 12:24 ` Mark Brown
2015-07-28 19:23 ` David Woodhouse
2015-07-28 19:19 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrVPf9gN92iC+vtKOOBY0GpzAnZuKpEMMgZzU-uXAM1qMQ@mail.gmail.com \
--to=luto@amacapital.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=jkkm@jkkm.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox