From: Petko Manolov <petkan@mip-labs.com>
To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "Woodhouse, David" <david.woodhouse@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"seth.forshee@canonical.com" <seth.forshee@canonical.com>,
"zohar@linux.vnet.ibm.com" <zohar@linux.vnet.ibm.com>,
"mricon@kernel.org" <mricon@kernel.org>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"rusty@rustcorp.com.au" <rusty@rustcorp.com.au>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"jlee@suse.de" <jlee@suse.de>,
"kyle@kernel.org" <kyle@kernel.org>,
"gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"mcgrof@suse.com" <mcgrof@suse.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: [RFD] linux-firmware key arrangement for firmware signing
Date: Thu, 21 May 2015 20:14:38 +0300 [thread overview]
Message-ID: <20150521171438.GK18164@localhost> (raw)
In-Reply-To: <20150521170236.GC12932@kroah.com>
On 15-05-21 10:02:36, gregkh@linuxfoundation.org wrote:
> On Thu, May 21, 2015 at 04:03:02PM +0000, Woodhouse, David wrote:
> >
> > In a lot of cases we have loadable firmware precisely to allow us to
> > reduce the cost of the hardware. Adding cryptographic capability in the
> > 'load firmware' state of the device isn't really compatible with that
> > :)
>
> We do? What devices want this? That's really a bad hardware design to trust
> the kernel to get all of this correct.
Which means nearly all hardware we use today is badly designed... :)
> And I say this as someone who is currently working on a hardware design that
> does just this for a very tiny device. It's only a few hundred bytes of
> firmware size to be able to do proper key verification that the firmware image
> is correct and can be "trusted".
And a "few" more bytes for the hash algorithm along the one for asymmetric key
computation and management. :)
> > In the case where kernel and modules are signed, it *is* useful for a kernel
> > device driver also to be able to validate that what it's about to load into
> > a device is authentic. Where 'authentic' will originally just mean that it's
> > come from the linux-firmware.git repository or the same entity that built
> > (and signed) the kernel, but actually I *do* expect vendors who are actively
> > maintaining the firmware images in linux-firmware.git to start providing
> > detached signatures of their own.
>
> Again, why have a detached signature and not just part of the firmware blob?
> The device needs to be caring about this, not the kernel.
In ideal world this is what should be done. However, adding the simplest (read
slowest) MD5 implementation requires a few K's of ram on 32bit cpu. MD5 is
dead. So we need SHA-something, which isn't smaller in terms of code size. Add
the asymmetric cryptography to the picture and we've already put away all
vendors.
> As the kernel doesn't know/care about what the firmware blob really is, I
> don't see why it should be caring about firmware signing as that's a binary
> running on a separate "computer". Do we want to take this the next logical
> step further and start requiring networked devices to attest their kernels are
> signed correctly before we can talk to them?
I think it is enough for you to know that your iwlwifi's firmware comes from
Intel and not from a random Internet punk. If you trust Intel with your wifi
adapter you probably trust them to write good firmware for it.
Petko
next prev parent reply other threads:[~2015-05-21 17:15 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 20:02 [RFD] linux-firmware key arrangement for firmware signing Luis R. Rodriguez
2015-05-19 20:40 ` Luis R. Rodriguez
2015-05-19 20:59 ` Andy Lutomirski
2015-05-19 22:11 ` Luis R. Rodriguez
2015-05-19 22:40 ` Andy Lutomirski
2015-05-21 15:51 ` David Howells
2015-05-21 16:30 ` Mimi Zohar
2015-05-21 16:39 ` Andy Lutomirski
2015-05-21 16:51 ` Petko Manolov
2015-05-21 16:55 ` Andy Lutomirski
2015-05-21 17:44 ` Petko Manolov
2015-05-21 16:43 ` Petko Manolov
2015-05-21 16:48 ` Andy Lutomirski
2015-05-21 16:58 ` Petko Manolov
2015-05-21 16:59 ` Mimi Zohar
2015-05-19 23:30 ` Julian Calaby
2015-05-19 23:42 ` Andy Lutomirski
2015-05-20 0:39 ` Luis R. Rodriguez
2015-05-20 0:41 ` Andy Lutomirski
2015-05-21 22:26 ` Luis R. Rodriguez
2015-05-21 23:15 ` Casey Schaufler
2015-05-19 21:48 ` Mimi Zohar
2015-05-19 22:19 ` Luis R. Rodriguez
2015-05-19 23:37 ` Mimi Zohar
2015-05-20 0:22 ` Luis R. Rodriguez
2015-05-20 1:06 ` Mimi Zohar
2015-05-20 1:29 ` Andy Lutomirski
2015-05-20 2:05 ` Mimi Zohar
2015-05-20 2:10 ` Andy Lutomirski
2015-05-20 15:49 ` Petko Manolov
2015-05-20 16:08 ` Petko Manolov
2015-05-20 14:04 ` Seth Forshee
2015-05-20 15:08 ` David Howells
2015-05-20 15:47 ` Seth Forshee
2015-05-21 16:23 ` David Howells
2015-05-20 16:24 ` One Thousand Gnomes
2015-05-20 16:46 ` Petko Manolov
2015-05-21 4:41 ` Greg Kroah-Hartman
2015-05-21 5:41 ` Petko Manolov
2015-05-21 6:14 ` Greg Kroah-Hartman
2015-05-21 13:05 ` Mimi Zohar
2015-05-21 15:45 ` Greg Kroah-Hartman
2015-05-21 15:53 ` Petko Manolov
2015-05-21 16:57 ` Greg Kroah-Hartman
2015-05-26 17:08 ` One Thousand Gnomes
2015-05-26 19:15 ` Petko Manolov
2015-05-26 19:52 ` Mimi Zohar
2015-05-26 23:06 ` David Howells
2015-05-21 16:03 ` Woodhouse, David
2015-05-21 16:22 ` Mimi Zohar
2015-05-21 16:31 ` Woodhouse, David
2015-05-21 17:02 ` gregkh
2015-05-21 17:14 ` Petko Manolov [this message]
2015-05-21 18:23 ` Luis R. Rodriguez
2015-05-21 18:30 ` Luis R. Rodriguez
2015-05-21 19:32 ` Woodhouse, David
2015-05-21 17:49 ` Luis R. Rodriguez
2015-05-21 14:45 ` Petko Manolov
2015-05-21 22:50 ` Luis R. Rodriguez
2015-05-20 20:35 ` Kyle McMartin
2015-05-20 15:14 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150521171438.GK18164@localhost \
--to=petkan@mip-labs.com \
--cc=david.woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jlee@suse.de \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mricon@kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.