From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Andy Lutomirski <luto@amacapital.net>,
Johannes Berg <johannes@sipsolutions.net>
Cc: Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Kyle McMartin <kyle@kernel.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Mon, 1 Aug 2016 22:57:06 +0200 [thread overview]
Message-ID: <20160801205706.GE3296@wotan.suse.de> (raw)
In-Reply-To: <CALCETrXZicXvXPFC=NenCCJ76rB=2shBzEfkUb4xgHh0Vrub+A@mail.gmail.com>
On Mon, Aug 01, 2016 at 01:37:43PM -0700, Andy Lutomirski wrote:
> On Mon, Aug 1, 2016 at 1:23 PM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> > On Mon, Aug 01, 2016 at 10:59:57AM -0700, Andy Lutomirski wrote:
> >> On Mon, Aug 1, 2016 at 10:29 AM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> >> > On Sun, Jul 31, 2016 at 11:20:08AM -0700, Andy Lutomirski wrote:
> >> >> If IMA doesn't want or need to verify the purpose of the loaded file, fine.
> >> >
> >> > So other than origin you are indicating a proper LSM that would want to vet firmware
> >> > should want purpose ? Is that right?
> >>
> >> A security policy that wants to provide strong protection should
> >> verify that whatever file is being loaded is being used for its
> >> authorized purpose. The wireless regulatory subsystem should only
> >> load data signed by the wifi regulatory key, the iwlwifi driver should
> >> only accept firmware signed by the system *for the purpose of being
> >> used as iwlwifi firmware* (or perhaps signed by Intel), the nouveau
> >> driver should accept files signed for the purpose of being used as
> >> nvidia firmware and should reject things that are signed by Intel,
> >> etc.
> >>
> >> > If so I'd like to understand this suggestion
> >> > a bit better given we already have. So we have:
> >> >
> >> > #define __kernel_read_file_id(id) \
> >> > id(UNKNOWN, unknown) \
> >> > id(FIRMWARE, firmware) \
> >> > id(FIRMWARE_PREALLOC_BUFFER, firmware) \
> >> > id(MODULE, kernel-module) \
> >> > id(KEXEC_IMAGE, kexec-image) \
> >> > id(KEXEC_INITRAMFS, kexec-initramfs) \
> >> > id(POLICY, security-policy) \
> >> > id(MAX_ID, )
> >> >
> >> >
> >> > #define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
> >> > #define __fid_stringify(dummy, str) #str,
> >> >
> >> > enum kernel_read_file_id {
> >> > __kernel_read_file_id(__fid_enumify)
> >> > };
> >> >
> >> > extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t,
> >> > enum kernel_read_file_id);
> >> >
> >> > Are you saying FIRMWARE id is not sufficient ? What would be an example
> >> > purpose be here for FIRMWARE ?
> >>
> >> The string "iwlwifi-8265-21.ucode" would be a reasonable purpose, I
> >> think. It could make sense to split out the vendor, too:
> >>
> >> .type = FIRMWARE,
> >> .vendor = "Intel",
> >> .purpose = "iwlwifi-8265-21.ucode",
> >>
> >> then distro policy could know to accept a file signed by Intel
> >> (because "Intel" would be mapped in some table to a public key), a
> >> file signed by the distro key where the signature (using PKCS#7
> >> auxiliarry data (or whatever it's called) or some other simpler
> >> protocol) indicates that the signed object is "iwlwifi-8265-21.ucode",
> >> or perhaps an IMA-verified file with an appropriate absolute path.
> >
> > OK thanks, this makes it clear.
> >
> > If you consider the existing kernel strategy for module signing as an LSM
> > (even though it is not yet), then the way firmware singing was being
> > designed currently was to match that LSM. That is, we'd have something
> > very similar to mod_verify_sig() just that when calling
> > verify_pkcs7_signature() would use VERIFYING_FIRMWARE_SIGNATURE, would
> > be used instead of VERIFYING_MODULE_SIGNATURE.
> >
> > We have:
> >
> > /*
> > * The use to which an asymmetric key is being put.
> > */
> > enum key_being_used_for {
> > VERIFYING_MODULE_SIGNATURE,
> > VERIFYING_FIRMWARE_SIGNATURE,
> > VERIFYING_KEXEC_PE_SIGNATURE,
> > VERIFYING_KEY_SIGNATURE,
> > VERIFYING_KEY_SELF_SIGNATURE,
> > VERIFYING_UNSPECIFIED_SIGNATURE,
> > NR__KEY_BEING_USED_FOR
> > };
> >
> > In this light, what you describe would be an extension to this LSM and am
> > wondering if we can stage this so this so that this "vendor" and "purpose"
> > thing is dealt with after the same LSM strategy is matched to module signing
> > first. With this simple scheme we'd just have one key -- the linux-firmware
> > maintainer's key.
> >
>
> I don't see why not. After all, nothing is verifying the firmware
> name / purpose right not, so nothing would regress.
OK then as far as firmware signing is concerned I think this is agreed upon
material.
> > The second stage of firmware singing would be to iron out if vendors even want
> > to participate with a series of vendor + firmware file key and we'd have a
> > registry in the kernel built-in. We'd check then provenance in 2 levels:
> >
> > o linux-firmware maintainer key
> > o vendor key for the target file
>
> Given Johannes Berg's request to move regulatory database loading into
> the kernel, there might be an earlier use case.
I share his goal, and in fact getting rid of needing CRDA was my original
motivation to add firmware signing support. When we reviewed how this would
work -- we seemed to have agreed that Seth (wireless-regdb maintainer) would no
longer need to sign the regulatory.bin file and whatever file we end up with
would instead be signed by Kyle, the linux-firmware maintainer.
> Specifically, either
> set up the regulatory database with a vendor of
> "linux-wireless-regulatory" and teach the verification code that this
> particular vendor *requires* a vendor signature (and not, say, a
> distro signature) or allocate it its own enum value for the type and
> teach the verification code to work with that.
Well reason we ended up deciding on just one key and linux-firmware was
that people already package linux-firmware and we'd hope no one will
put a gun to Kyle's head to do evil things. Nevertheless, what you
describe of augmenting keys for files / purpose seems sensible, however
this should be optional. For our case in 802.11 we seemed to be OK
with Kyle's key last we discussed.
At least for starters.
> In any event, consolidating the code so there's a single "verify this
> loaded blob" function that implements all the policy would probably
> make this easier to write, maintain, and audit.
Agreed. So LSM'ifyng this.
Luis
next prev parent reply other threads:[~2016-08-01 20:57 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 [Ksummit-discuss] Last minute nominations: mcgrof and toshi Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez [this message]
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
2016-08-01 10:22 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160801205706.GE3296@wotan.suse.de \
--to=mcgrof@suse.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=johannes@sipsolutions.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=kyle@kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.