Date: Fri, 3 Aug 2018 21:55:38 +0100
From: Matthew Garrett
To: Daniel Kiper
Cc: grub-devel@gnu.org, dpsmith.dev@gmail.com, eric.snowberg@oracle.com, javierm@redhat.com, jonmccune@google.com, kanth.ghatraju@oracle.com, keng-yu.lin@hpe.com, konrad.wilk@oracle.com, leif.lindholm@linaro.org, phcoder@gmail.com, philip.b.tricca@intel.com, ross.philipson@oracle.com
Subject: Re: [PATCH RFC v2 0/5] verifiers: Framework and EFI shim lock verifier
Message-ID: <20180803205538.GA1432@srcf.ucam.org>
References: <1533303598-13233-1-git-send-email-daniel.kiper@oracle.com>
In-Reply-To: <1533303598-13233-1-git-send-email-daniel.kiper@oracle.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: The development of GNU GRUB

On Fri, Aug 03, 2018 at 03:39:53PM +0200, Daniel Kiper wrote:
> Some verifiers, e.g. shim lock, may not be able to verify all file types, e.g.
> GRUB2 modules, on their own and would want to delegate verification to other
> verifiers, e.g. PGP. Currently this is not possible. So, I think that we should

If every verifier is called in turn, isn't this handled by having the shim
interface return valid for all file types it doesn't verify?

> extend the interface with relevant functionality. However, this will not solve
> all problems. E.g. it is dangerous to load iorw or memrw modules, even if they
> are signed e.g. with PGP, if UEFI secure boot is enabled. So, I think that we
> should disable module loading if such verifiers are in use or provide
> a functionality which gives us a chance to blacklist some modules.

One option would be a secure boot verifier that just denies verification of
all modules (or has some more complicated policy)?

> If a TPM verifier is introduced then module loading order changes will change
> measurements. So, in this case maybe we should encourage users to use
> standalone GRUB2. Or enforce module loading order somehow. However, this
> can be difficult and not reliable.

Yeah, I think standalone images are going to be the right solution for most
users here.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
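The two design points in the exchange above, "call every verifier in turn and let a verifier that doesn't handle a file type step aside" and "a secure boot verifier that denies all modules outright", can be shown as a small verifier chain. The following C program is an added illustration written for this archive page; it is not GRUB code and does not use GRUB's verifier interface. The file-type enum, the three-way verdict, the `verify_fn` signature, the verifier names and the suffix-based "signature" checks are all constructed stand-ins for this example. One design choice of the example is worth pointing out: a verifier that does not handle a file type returns an explicit "skip" rather than "valid", so the chain can fail closed when no verifier vouched for a file at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical file classes; these names are this example's own, not GRUB's. */
enum file_type { FT_KERNEL, FT_INITRD, FT_MODULE, FT_CONFIG };

/* Each verifier answers one of three ways for a given file. SKIP is the
 * delegation case from the thread: "not my file type, let another verifier decide". */
enum verdict { VERDICT_SKIP, VERDICT_ALLOW, VERDICT_DENY };

typedef enum verdict (*verify_fn)(enum file_type type, const char *name, bool secure_boot);

struct verifier {
  const char *name;
  verify_fn verify;
};

static bool has_suffix(const char *s, const char *suffix)
{
  size_t n = strlen(s), m = strlen(suffix);
  return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Shim-lock-style verifier: only knows how to check kernels; delegates everything
 * else. The ".signed" suffix is a constructed stand-in for a real signature check. */
static enum verdict shim_lock_verify(enum file_type type, const char *name, bool secure_boot)
{
  (void)secure_boot;
  if (type != FT_KERNEL)
    return VERDICT_SKIP;
  return has_suffix(name, ".signed") ? VERDICT_ALLOW : VERDICT_DENY;
}

/* PGP-style verifier: checks modules and config files; the ".sig" suffix stands in
 * for a detached-signature check. */
static enum verdict pgp_verify(enum file_type type, const char *name, bool secure_boot)
{
  (void)secure_boot;
  if (type != FT_MODULE && type != FT_CONFIG)
    return VERDICT_SKIP;
  return has_suffix(name, ".sig") ? VERDICT_ALLOW : VERDICT_DENY;
}

/* Secure-boot policy verifier, the "deny all modules" option from the thread:
 * under secure boot no module loads, however it is signed. */
static enum verdict secure_boot_policy(enum file_type type, const char *name, bool secure_boot)
{
  (void)name;
  return (secure_boot && type == FT_MODULE) ? VERDICT_DENY : VERDICT_SKIP;
}

/* Run every verifier in turn. Any DENY is final; the file loads only if at least
 * one verifier actually vouched for it. All-SKIP means nobody checked the file,
 * and a fail-closed chain treats that as a denial rather than a silent allow. */
bool chain_allows(const struct verifier *chain, size_t n, enum file_type type,
                  const char *name, bool secure_boot)
{
  bool vouched = false;
  for (size_t i = 0; i < n; i++) {
    enum verdict v = chain[i].verify(type, name, secure_boot);
    if (v == VERDICT_DENY) {
      printf("%-20s DENY  %s\n", chain[i].name, name);
      return false;
    }
    if (v == VERDICT_ALLOW)
      vouched = true;
  }
  if (!vouched)
    printf("%-20s no verifier vouched for %s\n", "(chain)", name);
  return vouched;
}

static const struct verifier default_chain[] = {
  { "shim_lock", shim_lock_verify },
  { "pgp", pgp_verify },
  { "secure_boot_policy", secure_boot_policy },
};

/* Convenience wrapper over the default chain. */
bool load_allowed(enum file_type type, const char *name, bool secure_boot)
{
  return chain_allows(default_chain, sizeof default_chain / sizeof default_chain[0],
                      type, name, secure_boot);
}

int main(void)
{
  /* Constructed file names; the suffixes are the stand-in for real signatures. */
  printf("kernel signed, SB on:   %d\n", load_allowed(FT_KERNEL, "vmlinuz.signed", true));
  printf("kernel unsigned, SB on: %d\n", load_allowed(FT_KERNEL, "vmlinuz", true));
  printf("iorw.mod.sig, SB on:    %d\n", load_allowed(FT_MODULE, "iorw.mod.sig", true));
  printf("iorw.mod.sig, SB off:   %d\n", load_allowed(FT_MODULE, "iorw.mod.sig", false));
  printf("initrd, SB on:          %d\n", load_allowed(FT_INITRD, "initrd.img", true));
  return 0;
}
```

The module case is the one the thread worries about: a PGP-signed `iorw` module passes the PGP verifier, but the policy verifier still refuses it under secure boot, so a valid signature alone is not enough to load it. The initrd case shows the other side of the "skip" choice: with no verifier in this toy chain responsible for that class, the load is refused, so a real chain would need a verifier (or an explicit allow rule) for every file class it expects to load.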