From: "Theodore Ts'o" <tytso@mit.edu>
To: David Howells <dhowells@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Josh Boyer <jwboyer@redhat.com>, Peter Jones <pjones@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>,
Kees Cook <keescook@chromium.org>,
keyrings@linux-nfs.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries
Date: Thu, 21 Feb 2013 15:08:22 -0500 [thread overview]
Message-ID: <20130221200822.GD17322@thunk.org> (raw)
In-Reply-To: <567.1361470653@warthog.procyon.org.uk>
On Thu, Feb 21, 2013 at 06:17:33PM +0000, David Howells wrote:
>
> There's a problem with your idea.
>
> (1) Microsoft's revocation certificates would be based on the hash of the PE
> binary, not the key.
>
> (2) Re-signing would make the keys then dependent on our master key rather
> than directly on Microsoft's. Microsoft's revocation certificates[*]
> would then be useless.
>
> (3) The only way Microsoft could then revoke the extra keys would be to
> revoke our *master* key.
Well, this hypothetical service could also simply scan the Microsoft
revocation certificates (aka CRL's), and if the service detects a PE
hash that it relied upon to resign the module, it could then issue its
own CRL revoking the signature on the module.
If it is run this way, programmatically, I'll note that anyone can run
this service. It doesn't have to be Red Hat. It could be Linux
Foundation, if the LF wanted to support this whole code signing
insanity. (Which I really think is completely overblown, and I'm
going to be amused when this blows to hell all of Red Hat's
investments in Systemtap, but whatever.) Given that I think this
whole thing is insane, I completely agree with Linus's attempt to keep
this insanity as far away from the upstream kernel as we can. :-/
- Ted
next prev parent reply other threads:[~2013-02-21 20:08 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-21 15:47 [GIT PULL] Load keys from signed PE binaries David Howells
2013-02-21 16:39 ` Linus Torvalds
2013-02-21 16:42 ` Matthew Garrett
2013-02-21 16:58 ` Linus Torvalds
2013-02-21 17:49 ` Matthew Garrett
2013-02-21 18:03 ` Linus Torvalds
2013-02-21 18:11 ` Matthew Garrett
2013-02-22 14:05 ` Peter Jones
2013-02-25 14:46 ` Florian Weimer
2013-02-25 15:42 ` Matthew Garrett
2013-02-25 15:50 ` Florian Weimer
2013-02-25 16:14 ` Matthew Garrett
2013-02-25 16:20 ` Chris Friesen
2013-02-26 21:40 ` Florian Weimer
2013-02-26 22:19 ` Chris Friesen
2013-02-21 18:17 ` David Howells
2013-02-21 18:25 ` Matthew Garrett
2013-02-25 14:33 ` Florian Weimer
2013-02-25 15:42 ` Matthew Garrett
2013-02-21 18:25 ` Linus Torvalds
2013-02-21 18:34 ` Peter Jones
2013-02-21 18:56 ` Linus Torvalds
2013-02-21 19:10 ` Peter Jones
2013-02-21 19:10 ` Matthew Garrett
2013-02-21 20:31 ` Vivek Goyal
2013-02-21 20:32 ` Matthew Garrett
2013-02-21 20:38 ` Vivek Goyal
2013-03-18 2:12 ` Stephen Rothwell
2013-03-19 18:11 ` David Howells
2013-03-20 16:52 ` David Howells
2013-03-20 23:28 ` Stephen Rothwell
2013-02-21 20:08 ` Theodore Ts'o [this message]
2013-02-25 14:28 ` Florian Weimer
2013-02-25 15:45 ` Matthew Garrett
2013-02-26 21:08 ` Florian Weimer
2013-02-25 23:51 ` David Howells
2013-02-26 0:59 ` Greg KH
2013-02-26 2:33 ` Matthew Garrett
2013-02-26 3:02 ` Greg KH
2013-02-26 3:13 ` Matthew Garrett
2013-02-26 3:25 ` Theodore Ts'o
2013-02-26 3:28 ` Matthew Garrett
2013-02-26 3:32 ` Linus Torvalds
2013-02-26 3:42 ` Matthew Garrett
2013-02-26 3:45 ` Linus Torvalds
2013-02-26 3:48 ` Matthew Garrett
2013-02-26 4:31 ` Linus Torvalds
2013-02-26 4:57 ` Matthew Garrett
2013-02-26 15:30 ` Vivek Goyal
2013-02-26 15:38 ` Vivek Goyal
2013-02-27 17:23 ` Eric W. Biederman
2013-02-26 21:30 ` Florian Weimer
2013-02-26 21:40 ` Peter Jones
2013-02-26 22:35 ` Al Viro
2013-02-26 3:40 ` Greg KH
2013-02-26 3:45 ` Matthew Garrett
2013-02-26 3:49 ` Theodore Ts'o
2013-02-26 19:30 ` Florian Weimer
2013-02-26 19:41 ` Matthew Garrett
2013-02-26 3:31 ` Greg KH
2013-02-26 3:38 ` Matthew Garrett
2013-02-26 3:54 ` Greg KH
2013-02-26 4:04 ` Matthew Garrett
2013-02-26 4:13 ` Greg KH
2013-02-26 4:23 ` Matthew Garrett
2013-02-26 4:43 ` Linus Torvalds
2013-02-26 4:59 ` Matthew Garrett
2013-02-26 21:57 ` Geert Uytterhoeven
2013-02-26 22:06 ` Peter Jones
2013-02-27 12:32 ` Geert Uytterhoeven
2013-02-27 12:43 ` Matthew Garrett
2013-02-27 14:14 ` Peter Jones
2013-02-26 4:25 ` Dave Airlie
2013-02-26 4:45 ` Theodore Ts'o
2013-02-26 4:55 ` Dave Airlie
2013-02-26 6:04 ` Theodore Ts'o
2013-02-26 6:38 ` Theodore Ts'o
2013-02-26 10:07 ` Raymond Jennings
2013-02-26 10:21 ` Matthew Garrett
2013-02-26 16:45 ` Kent Yoder
2013-02-26 16:54 ` Peter Jones
2013-02-27 15:24 ` Theodore Ts'o
2013-02-27 17:36 ` Chris Friesen
2013-02-27 17:59 ` Theodore Ts'o
2013-02-27 19:21 ` Chris Friesen
2013-02-27 19:34 ` Theodore Ts'o
2013-02-27 19:14 ` Paolo Bonzini
2013-02-27 21:31 ` Dave Airlie
2013-02-28 6:27 ` Geert Uytterhoeven
2013-02-28 7:48 ` Paolo Bonzini
2013-02-26 19:40 ` Florian Weimer
2013-02-26 19:46 ` Matthew Garrett
2013-02-26 4:50 ` Greg KH
2013-02-28 7:57 ` Florian Weimer
2013-02-28 15:43 ` Chris Friesen
2013-02-28 19:26 ` Florian Weimer
2013-02-28 19:30 ` Matthew Garrett
2013-02-28 19:41 ` Florian Weimer
2013-02-28 19:53 ` Matthew Garrett
2013-02-28 20:23 ` Florian Weimer
2013-02-28 20:31 ` Matthew Garrett
2013-02-26 15:11 ` David Howells
2013-02-26 16:50 ` Greg KH
2013-02-26 13:34 ` Jiri Kosina
2013-02-26 14:16 ` Raymond Jennings
2013-02-27 9:35 ` ownssh
2013-02-27 10:17 ` James Courtier-Dutton
2013-02-27 11:27 ` Alexander Holler
2013-02-27 11:49 ` James Courtier-Dutton
2013-02-27 14:56 ` Matthew Garrett
2013-02-27 20:35 ` ownssh
2013-03-01 18:21 ` Matthew Garrett
2013-03-01 18:39 ` Gene Heskett
2013-02-28 22:48 ` Jiri Kosina
2013-02-28 22:51 ` Matthew Garrett
2013-02-28 23:02 ` Jiri Kosina
2013-02-28 23:05 ` Matthew Garrett
2013-02-28 23:45 ` Jiri Kosina
2013-02-28 23:47 ` Matthew Garrett
2013-02-28 23:52 ` Jiri Kosina
2013-03-01 0:00 ` Matthew Garrett
2013-03-01 0:08 ` Jiri Kosina
2013-03-01 10:00 ` Vojtech Pavlik
2013-03-01 14:30 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130221200822.GD17322@thunk.org \
--to=tytso@mit.edu \
--cc=dhowells@redhat.com \
--cc=jwboyer@redhat.com \
--cc=keescook@chromium.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=pjones@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox