From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: "Luis R. Rodriguez" <mcgrof@suse.com>,
Andy Lutomirski <luto@kernel.org>,
linux-security-module@vger.kernel.org, james.l.morris@oracle.com,
serge@hallyn.com, linux-kernel@vger.kernel.org,
linux-wireless@vger.kernel.org, Kyle McMartin <kyle@kernel.org>,
David Woodhouse <david.woodhouse@intel.com>,
Seth Forshee <seth.forshee@canonical.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Joey Lee <jlee@suse.de>, Rusty Russell <rusty@rustcorp.com.au>,
mricon@kernel.org, Michal Marek <mmarek@suse.cz>,
Abelardo Ricart III <aricart@memnix.com>,
Sedat Dilek <sedat.dilek@gmail.com>,
keyrings@linux-nfs.org, Borislav Petkov <bp@alien8.de>,
Jiri Kosina <jkosina@suse.cz>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFD] linux-firmware key arrangement for firmware signing
Date: Thu, 21 May 2015 12:30:09 -0400 [thread overview]
Message-ID: <1432225809.2450.11.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <9567.1432223509@warthog.procyon.org.uk>
On Thu, 2015-05-21 at 16:51 +0100, David Howells wrote:
> Luis R. Rodriguez <mcgrof@suse.com> wrote:
>
> > I had this planned out because regulatory.bin used its own simple RSA key
> > with no x509 juju magic. I also envisioned it being easier for Kyle for
> > instance to use his own PGP key to sign linux-firmware files to start off
> > with than some complex x509 thing. Based on discussions with David, Seth,
> > and Kyle though it seems we were going to be happy with trusting Kyle's key
> > for regulatory.bin, since that will be done Kyle might as well sign all
> > linux-firmware files and folks who trust that can use it.
>
> To go down the signature root, what the kernel needs is:
>
> (1) A way to get a key into the kernel. We're currently using X.509 for this
> for module signing and kexec.
>
> (2) A way to get a signature into the kernel with sufficient metadata to
> select the key to use. Currently, kexec uses PKCS#7 for this and module
> signing uses a private format which I'm intending to change to PKCS#7.
>
> For firmware, I think Andy is right and we also need to include in the
> metadata something that says under what circumstances the firmware can be
> used - likely the name that is passed to request_firmware() - which must
> also be included in the digested data.
>
> I don't believe that module signing actually requires a hint of this type
> since we have to permit insmod to work and there won't be a hint we can
> trust. Besides, once verified, modules have to be loadable by the module
> loader which is probably a sufficient restriction in itself.
>
> I don't believe that kexec signing requires a name hint either since I
> think the only restriction on what we're allowed to kexec is that it must
> be bootable from the beginning - and must be a PE binary on x86 type
> platforms.
>
> I do have patches to parse PGP key data and add the public keys found therein
> onto the kernel keyring, but that would mean adding an extra key data parser.
>
> You could probably do this with the integrity functions - but turning them on
> has a performance cost and you have to load things in the right order as I
> understand it.
The only ordering is loading the keys before verifying the signatures.
Have you recently done any performance testing?
Mimi
next prev parent reply other threads:[~2015-05-21 16:30 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 20:02 [RFD] linux-firmware key arrangement for firmware signing Luis R. Rodriguez
2015-05-19 20:40 ` Luis R. Rodriguez
2015-05-19 20:59 ` Andy Lutomirski
2015-05-19 22:11 ` Luis R. Rodriguez
2015-05-19 22:40 ` Andy Lutomirski
2015-05-21 15:51 ` David Howells
2015-05-21 16:30 ` Mimi Zohar [this message]
2015-05-21 16:39 ` Andy Lutomirski
2015-05-21 16:51 ` Petko Manolov
2015-05-21 16:55 ` Andy Lutomirski
2015-05-21 17:44 ` Petko Manolov
2015-05-21 16:43 ` Petko Manolov
2015-05-21 16:48 ` Andy Lutomirski
2015-05-21 16:58 ` Petko Manolov
2015-05-21 16:59 ` Mimi Zohar
2015-05-19 23:30 ` Julian Calaby
2015-05-19 23:42 ` Andy Lutomirski
2015-05-20 0:39 ` Luis R. Rodriguez
2015-05-20 0:41 ` Andy Lutomirski
2015-05-21 22:26 ` Luis R. Rodriguez
2015-05-21 23:15 ` Casey Schaufler
2015-05-19 21:48 ` Mimi Zohar
2015-05-19 22:19 ` Luis R. Rodriguez
2015-05-19 23:37 ` Mimi Zohar
2015-05-20 0:22 ` Luis R. Rodriguez
2015-05-20 1:06 ` Mimi Zohar
2015-05-20 1:29 ` Andy Lutomirski
2015-05-20 2:05 ` Mimi Zohar
2015-05-20 2:10 ` Andy Lutomirski
2015-05-20 15:49 ` Petko Manolov
2015-05-20 16:08 ` Petko Manolov
2015-05-20 14:04 ` Seth Forshee
2015-05-20 15:08 ` David Howells
2015-05-20 15:47 ` Seth Forshee
2015-05-21 16:23 ` David Howells
2015-05-20 16:24 ` One Thousand Gnomes
2015-05-20 16:46 ` Petko Manolov
2015-05-21 4:41 ` Greg Kroah-Hartman
2015-05-21 5:41 ` Petko Manolov
2015-05-21 6:14 ` Greg Kroah-Hartman
2015-05-21 13:05 ` Mimi Zohar
2015-05-21 15:45 ` Greg Kroah-Hartman
2015-05-21 15:53 ` Petko Manolov
2015-05-21 16:57 ` Greg Kroah-Hartman
2015-05-26 17:08 ` One Thousand Gnomes
2015-05-26 19:15 ` Petko Manolov
2015-05-26 19:52 ` Mimi Zohar
2015-05-26 23:06 ` David Howells
2015-05-21 16:03 ` Woodhouse, David
2015-05-21 16:22 ` Mimi Zohar
2015-05-21 16:31 ` Woodhouse, David
2015-05-21 17:02 ` gregkh
2015-05-21 17:14 ` Petko Manolov
2015-05-21 18:23 ` Luis R. Rodriguez
2015-05-21 18:30 ` Luis R. Rodriguez
2015-05-21 19:32 ` Woodhouse, David
2015-05-21 17:49 ` Luis R. Rodriguez
2015-05-21 14:45 ` Petko Manolov
2015-05-21 22:50 ` Luis R. Rodriguez
2015-05-20 20:35 ` Kyle McMartin
2015-05-20 15:14 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432225809.2450.11.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=aricart@memnix.com \
--cc=bp@alien8.de \
--cc=david.woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jkosina@suse.cz \
--cc=jlee@suse.de \
--cc=keyrings@linux-nfs.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mcgrof@suse.com \
--cc=mmarek@suse.cz \
--cc=mricon@kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=sedat.dilek@gmail.com \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.