From: Andy Lutomirski <luto@amacapital.net>
To: Matthew Garrett <mjg59@coreos.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Mark Brown <broonie@sirena.org.uk>
Subject: Re: [Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust
Date: Wed, 3 Aug 2016 10:29:31 -0700 [thread overview]
Message-ID: <CALCETrWahLpXpRxoCfaWYe=X7DyjLDX6WXEVNU_=xL9bBOBsRw@mail.gmail.com> (raw)
In-Reply-To: <CAPeXnHv3-p5y=jXn1NcVVacq2LmBsX0hGz-cz21upcMq9-F1Dg@mail.gmail.com>
On Wed, Aug 3, 2016 at 10:23 AM, Matthew Garrett <mjg59@coreos.com> wrote:
> On Wed, Aug 3, 2016 at 10:04 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>> What's wrong with that? In grub language, this would be approximately:
>>
>> linuxefi path/to/image
>> linuxkeypolicy path/to/policy
>
> Thinking about it further - there's no real problem integrating this
> with a build-time key. Rather than having the public half in the
> kernel, stash the public half in the packaging and then have the
> signing step (that's signing the kernel anyway) also sign the key. The
> bootloader verifies that the key is signed by a trusted root and
> passes that on to the kernel. If we have a standardised mechanism for
> the bootloader to pass this information on, it's absolutely possible
> to push the root of trust down to the bootloader (and also make it
> responsible for pulling any other signing keys out of EFI variables or
--
Andy Lutomirski
AMA Capital Management, LLC
> wherever)
>
>> Anyway, here's a concrete proposal for a cross-arch way to pass
>> trusted policy from the bootloader to the kernel: define a new
>> structure:
>>
>> struct trusted_policy_header {
>> unsigned long size;
>> };
>>
>> Rig up the linker script so the trusted_policy is at the very end of
>> the kernel virtual address space and lives in its own ELF segment (or
>> arch equivalent). That segment will have filesize == 0 and memsize ==
>> sizeof(struct trusted_policy_header). Mark the segment so the
>> bootloader knows about it.
>>
>> Now the bootloader can supply policy (keys and whatever else it wants)
>> by simply writing it to the trusted_policy_header and beyond in
>> memory.
>
> The bootloader doesn't see the ELF object on (at least) x86?
:(
On the other hand, x86's bzImage appears to be an ELF object too, and
maybe it could learn to propagate the policy segment. In other words,
bzImage would speak the same protocol, and the x86 stub that hands off
from bzImage to vmlinux could copy the data over. This gets a bit
nasty if we want to do embedding because it's also a PE file and
probably a few other things, so there would be lots of headers to
update.
--
Andy Lutomirski
AMA Capital Management, LLC
next prev parent reply other threads:[~2016-08-03 17:29 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-03 2:58 Andy Lutomirski
2016-08-03 3:24 ` Kees Cook
2016-08-03 3:32 ` Matthew Garrett
2016-08-03 4:34 ` Andy Lutomirski
2016-08-03 4:42 ` Michael S. Tsirkin
2016-08-03 4:46 ` Andy Lutomirski
2016-08-03 5:15 ` Matthew Garrett
2016-08-03 8:33 ` Alexandre Belloni
2016-08-03 10:31 ` Mark Brown
2016-08-03 10:43 ` David Howells
2016-08-03 16:46 ` Andy Lutomirski
2016-08-03 17:17 ` Matthew Garrett
2016-08-03 17:23 ` Andy Lutomirski
2016-08-03 17:26 ` Matthew Garrett
2016-08-03 17:28 ` Andy Lutomirski
2016-08-03 18:00 ` Michael S. Tsirkin
2016-08-03 23:01 ` Ben Hutchings
2016-08-03 23:22 ` Andy Lutomirski
2016-08-04 5:26 ` Kees Cook
2016-08-17 11:38 ` Ben Hutchings
2016-08-17 13:03 ` Mimi Zohar
2016-08-17 16:11 ` Ben Hutchings
2016-08-18 12:28 ` Mimi Zohar
2016-08-03 12:42 ` James Bottomley
2016-08-03 17:04 ` Andy Lutomirski
2016-08-03 17:23 ` Matthew Garrett
2016-08-03 17:29 ` Andy Lutomirski [this message]
2016-08-03 22:09 ` James Bottomley
[not found] ` <CALCETrVpCnfOJ2aXkNsOXatQAF6NG-AcJpxeYfA9wG_t2ocykg@mail.gmail.com>
[not found] ` <CALCETrWgS0XObzxfQWQbyntVEn6QF81K2TVbS4bGNyN6EcYb_A@mail.gmail.com>
2016-08-03 22:39 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrWahLpXpRxoCfaWYe=X7DyjLDX6WXEVNU_=xL9bBOBsRw@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=jwboyer@fedoraproject.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=mjg59@coreos.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox