From: Andy Lutomirski <luto@amacapital.net>
To: David Woodhouse <dwmw2@infradead.org>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Luis Rodriguez <mcgrof@gmail.com>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Kyle McMartin <jkkm@jkkm.org>
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Firmware signing
Date: Tue, 28 Jul 2015 12:31:30 -0700 [thread overview]
Message-ID: <CALCETrVVtcno1k8L_+LWuBApayUNFJmfG11MJV1hDo_0UjVRBg@mail.gmail.com> (raw)
In-Reply-To: <1438111168.26913.189.camel@infradead.org>
On Tue, Jul 28, 2015 at 12:19 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Tue, 2015-07-28 at 10:03 -0700, Andy Lutomirski wrote:
>>
>> This will require that we take any firmware vendor's key and rewrap it
>> somehow into a new X.509 blob with a key usage constraint.
>
> There are established ways of handling those constraints as external
> objects (see how NSS does it in its trust tokens, and thus p11-kit
> -trust does too).
Wow, I thought X.509 was bad. Now we get PKCS#11, too? Ick.
I have no problem whatsoever with having the userspace tooling support
PKCS#11 tokens. I think the kernel should try to minimize the extent
to which is depends on X.509 on the kernel side.
If we're going to load keys into the kernel (at compile time, from
UEFI, whatever), let's just *tell* the kernel, in plain English or C,
what those keys are for, rather than trying to parse X.509
constraints.
I'll point out that the Internet tried to use X.509 name constraints
to allow CAs to be constrained to subsets of the DNS space, and it
*still* doesn't work.
Heck, with the X.509 variant, if Megasoft has an existing key signed
by SketchyTrust, and we want to trust SketchyTrust to sign firmware
for SketchyUSB devices (and to delegate to Megasoft using the
*existing* key), are we supposed to enforce transitive constraints?
Where are they rooted? I think this way lies madness. Let's just
throw SketchyTrust's key in the "SketchyUSB only" pile and be done
with it rather than fiddling with OpenSSL to re-wrap SketchyTrust's
self-signed (?).
If I'm the unaffiliated author of a driver for a SketchyTrust device,
I want to throw the cert into my driver and be done with it. The
kernel should *figure out on its own* that the cert is associated with
my driver and my driver only and can't sign for my GPU. I really
don't want to muck with the X.509 blob, because I'm going to get it
wrong.
[1] If we start rewrapping root keys and shoving the X.509 blobs into
drivers, who signs those blobs? We can't self-sign them because we
don't have the private key, and we don't really want a completely
pointless "kernel" key that exists solely for the purpose of producing
well-formed X.509 certs, and we probably don't want to use ill-formed
unsigned X.509 certs as our root. So what's the point of using X.509
at all for this purpose?
--Andy
next prev parent reply other threads:[~2015-07-28 19:31 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-28 13:36 David Howells
2015-07-28 14:23 ` David Woodhouse
2015-07-28 16:55 ` Luis R. Rodriguez
2015-07-28 15:10 ` James Bottomley
2015-07-28 15:22 ` Andy Lutomirski
2015-07-28 15:31 ` James Bottomley
2015-07-28 16:05 ` Andy Lutomirski
2015-07-28 16:10 ` James Bottomley
2015-07-28 16:15 ` David Woodhouse
2015-07-28 16:35 ` Andy Lutomirski
2015-07-28 16:44 ` David Howells
2015-07-28 17:03 ` Andy Lutomirski
2015-07-28 19:19 ` David Woodhouse
2015-07-28 19:31 ` Andy Lutomirski [this message]
2015-07-28 19:43 ` David Woodhouse
2015-07-28 22:03 ` James Bottomley
2015-08-11 20:24 ` David Howells
2015-08-11 21:56 ` Andy Lutomirski
2015-08-11 22:03 ` Luis R. Rodriguez
2015-08-12 18:22 ` David Howells
2015-08-12 18:45 ` David Woodhouse
2015-08-12 19:09 ` Andy Lutomirski
2015-08-12 19:15 ` James Bottomley
2015-08-12 19:25 ` Andy Lutomirski
2015-08-12 19:43 ` James Bottomley
2015-08-12 19:45 ` Andy Lutomirski
2015-08-12 19:59 ` James Bottomley
2015-08-13 7:03 ` Jan Kara
2015-08-13 14:01 ` James Bottomley
2015-08-12 22:46 ` David Howells
2015-08-12 22:51 ` Andy Lutomirski
2015-08-12 19:06 ` Andy Lutomirski
2015-08-12 22:39 ` David Howells
2015-08-12 22:45 ` Andy Lutomirski
2015-08-12 22:45 ` David Howells
2015-08-12 22:47 ` Andy Lutomirski
2015-07-28 16:18 ` David Howells
2015-07-28 16:42 ` James Bottomley
2015-07-28 17:05 ` Andy Lutomirski
2015-07-28 17:09 ` James Bottomley
2015-07-28 17:10 ` Andy Lutomirski
2015-07-29 2:00 ` James Morris
2015-07-28 16:58 ` Josh Boyer
2015-07-28 15:12 ` David Woodhouse
2015-07-28 18:47 ` Peter Jones
2015-07-28 19:14 ` David Howells
2015-07-28 19:52 ` Peter Jones
2015-07-28 16:17 ` David Howells
2015-07-28 16:59 ` James Bottomley
2015-07-28 19:11 ` David Howells
2015-07-28 19:34 ` Luis R. Rodriguez
2015-07-28 21:53 ` James Bottomley
2015-07-28 22:39 ` David Howells
2015-07-28 22:44 ` Andy Lutomirski
2015-07-29 8:39 ` David Woodhouse
2015-07-28 18:36 ` josh
2015-07-28 18:44 ` James Bottomley
2015-07-28 18:54 ` josh
2015-07-28 19:06 ` Luis R. Rodriguez
2015-07-28 21:38 ` Greg KH
2015-07-28 23:59 ` josh
2015-07-29 0:17 ` Greg KH
2015-07-29 9:37 ` David Woodhouse
2015-07-29 15:00 ` James Bottomley
2015-07-29 15:35 ` David Woodhouse
2015-07-29 16:38 ` James Bottomley
2015-07-29 17:32 ` David Woodhouse
2015-07-29 23:39 ` James Bottomley
2015-07-30 8:08 ` David Woodhouse
2015-07-30 13:48 ` James Bottomley
2015-07-30 14:21 ` Heiko Stübner
2015-07-30 14:30 ` James Bottomley
2015-07-30 15:01 ` David Woodhouse
2015-07-30 16:17 ` James Bottomley
2015-07-30 19:17 ` David Woodhouse
2015-07-31 14:41 ` Theodore Ts'o
2015-07-31 16:14 ` Tim Bird
2015-07-31 17:25 ` David Woodhouse
2015-07-30 16:24 ` Tim Bird
2015-07-29 16:35 ` Josh Triplett
2015-07-29 8:29 ` David Woodhouse
2015-07-29 11:57 ` Mark Brown
2015-07-29 12:02 ` David Woodhouse
2015-07-29 12:24 ` Mark Brown
2015-07-28 19:23 ` David Woodhouse
2015-07-28 19:19 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrVVtcno1k8L_+LWuBApayUNFJmfG11MJV1hDo_0UjVRBg@mail.gmail.com \
--to=luto@amacapital.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=dwmw2@infradead.org \
--cc=jkkm@jkkm.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox