diff for duplicates of <1510697658.7703.12.camel@HansenPartnership.com> diff --git a/a/1.txt b/N1/1.txt index ca5b560..0133355 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -8,26 +8,26 @@ On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote: > > > have been elsewhere. > > > > In my research on this front I'll have to agree with this, in terms -> > of justification and there are only *two* arguments which I've so +> > of justification and there are only *two* arguments which I've so? > > far have found to justify firmware signing: > > > > a) If you want signed modules, you therefore should want signed > > firmware. -> > This however seems to be solved by using trusted boot thing, +> > ???This however seems to be solved by using trusted boot thing, > > given it -> > seems trusted boot requires having firmware be signed as well. +> > ???seems trusted boot requires having firmware be signed as well. > > (Docs -> > would be useful to get about where in the specs this is +> > ???would be useful to get about where in the specs this is > > mandated, -> > anyone?). Are there platforms that don't have trusted boot or +> > ???anyone?). Are there platforms that don't have trusted boot or > > for which -> > they don't enforce hardware checking for signed firmware for +> > ???they don't enforce hardware checking for signed firmware for > > which -> > we still want to support firmware signing for? Are there +> > ???we still want to support firmware signing for? Are there > > platforms -> > that require and use module signing but don't and won't have a +> > ???that require and use module signing but don't and won't have a > > trusted -> > boot of some sort? Do we care? +> > ???boot of some sort? Do we care? > > TPM-backed Trusted Boot means you don't /need/ to sign anything, > since the measurements of what you loaded will end up in the TPM. But @@ -37,17 +37,22 @@ On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote: Actually, I'd disagree with that quite a lot: measured boot only works if you're attesting to something outside of your system that has the -capability for doing something about a wrong measurement. Absent that, -measured boot has no safety whatsoever. Secure boot, on the other +capability for doing something about a wrong measurement. ?Absent that, +measured boot has no safety whatsoever. ?Secure boot, on the other hand, can enforce not booting with elements that fail the signature check. The question, really, in any system, is how you want to prove security. - In a standalone server system, measured boot is pretty useless because +?In a standalone server system, measured boot is pretty useless because you don't have an external entity to attest to, so signatures and -secure boot are really the bulwark against breaches. In a properly +secure boot are really the bulwark against breaches. ?In a properly attested server cluster whose attestation controller has the ability to reboot you, perhaps signatures and secure boot don't add that much more value. James + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 3979ca4..ed0412e 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -10,26 +10,10 @@ "ref\0CA+55aFxeLwgwxh2iJTf6Dz0T_a_TZfTdhBw5TkcSsCmjt2N5pw@mail.gmail.com\0" "ref\020171114205014.GJ729@wotan.suse.de\0" "ref\0CACdnJuvzPnMwsAF4mUJXCaJWQ=nCc9Yi5u3gj1A0+BsWf1Swgw@mail.gmail.com\0" - "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" - "Subject\0Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" + "From\0James.Bottomley@hansenpartnership.com (James Bottomley)\0" + "Subject\0Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" "Date\0Tue, 14 Nov 2017 14:14:18 -0800\0" - "To\0Matthew Garrett <mjg59@google.com>" - " Luis R. Rodriguez <mcgrof@kernel.org>\0" - "Cc\0Linus Torvalds <torvalds@linux-foundation.org>" - Johannes Berg <johannes@sipsolutions.net> - Mimi Zohar <zohar@linux.vnet.ibm.com> - David Howells <dhowells@redhat.com> - Alan Cox <gnomes@lxorguk.ukuu.org.uk> - AKASHI - Takahiro <takahiro.akashi@linaro.org> - Greg Kroah-Hartman <gregkh@linuxfoundation.org> - Jan Blunck <jblunck@infradead.org> - Julia Lawall <julia.lawall@lip6.fr> - Marcus Meissner <meissner@suse.de> - Gary Lin <GLin@suse.com> - LSM List <linux-security-module@vger.kernel.org> - linux-efi <linux-efi@vger.kernel.org> - " Linux Kernel Mailing List <linux-kernel@vger.kernel.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote:\n" @@ -42,26 +26,26 @@ "> > > have been elsewhere.\n" "> > \n" "> > In my research on this front I'll have to agree with this, in terms\n" - "> > of justification and there are only *two* arguments which I've so\302\240\n" + "> > of justification and there are only *two* arguments which I've so?\n" "> > far have found to justify firmware signing:\n" "> > \n" "> > a) If you want signed modules, you therefore should want signed\n" "> > firmware.\n" - "> > \302\240\302\240\302\240This however seems to be solved by using trusted boot thing,\n" + "> > ???This however seems to be solved by using trusted boot thing,\n" "> > given it\n" - "> > \302\240\302\240\302\240seems trusted boot requires having firmware be signed as well.\n" + "> > ???seems trusted boot requires having firmware be signed as well.\n" "> > (Docs\n" - "> > \302\240\302\240\302\240would be useful to get about where in the specs this is\n" + "> > ???would be useful to get about where in the specs this is\n" "> > mandated,\n" - "> > \302\240\302\240\302\240anyone?). Are there platforms that don't have trusted boot or\n" + "> > ???anyone?). Are there platforms that don't have trusted boot or\n" "> > for which\n" - "> > \302\240\302\240\302\240they don't enforce hardware checking for signed firmware for\n" + "> > ???they don't enforce hardware checking for signed firmware for\n" "> > which\n" - "> > \302\240\302\240\302\240we still want to support firmware signing for? Are there\n" + "> > ???we still want to support firmware signing for? Are there\n" "> > platforms\n" - "> > \302\240\302\240\302\240that require and use module signing but don't and won't have a\n" + "> > ???that require and use module signing but don't and won't have a\n" "> > trusted\n" - "> > \302\240\302\240\302\240boot of some sort? Do we care?\n" + "> > ???boot of some sort? Do we care?\n" "> \n" "> TPM-backed Trusted Boot means you don't /need/ to sign anything,\n" "> since the measurements of what you loaded will end up in the TPM. But\n" @@ -71,19 +55,24 @@ "\n" "Actually, I'd disagree with that quite a lot: measured boot only works\n" "if you're attesting to something outside of your system that has the\n" - "capability for doing something about a wrong measurement. \302\240Absent that,\n" - "measured boot has no safety whatsoever. \302\240Secure boot, on the other\n" + "capability for doing something about a wrong measurement. ?Absent that,\n" + "measured boot has no safety whatsoever. ?Secure boot, on the other\n" "hand, can enforce not booting with elements that fail the signature\n" "check.\n" "\n" "The question, really, in any system, is how you want to prove security.\n" - "\302\240In a standalone server system, measured boot is pretty useless because\n" + "?In a standalone server system, measured boot is pretty useless because\n" "you don't have an external entity to attest to, so signatures and\n" - "secure boot are really the bulwark against breaches. \302\240In a properly\n" + "secure boot are really the bulwark against breaches. ?In a properly\n" "attested server cluster whose attestation controller has the ability to\n" "reboot you, perhaps signatures and secure boot don't add that much more\n" "value.\n" "\n" - James + "James\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -0528b09c2ce5e103ba191e4fe17ed94642540ed5befd80f0aa41f9adfa86b691 +c34c59d4fbf71b00a8d2fcb6058c37a4b91a9caa1bdf26d8f2c43e1841d31a6c
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.