From: Vivek Goyal <vgoyal@redhat.com>
To: Borislav Petkov <bp@alien8.de>
Cc: linux-kernel@vger.kernel.org, ebiederm@xmission.com,
hpa@zytor.com, mjg59@srcf.ucam.org, greg@kroah.com,
dyoung@redhat.com, chaowang@redhat.com, bhe@redhat.com,
akpm@linux-foundation.org, dhowells@redhat.com,
pjones@redhat.com, Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage
Date: Fri, 4 Jul 2014 23:01:34 -0400 [thread overview]
Message-ID: <20140705030134.GA18508@redhat.com> (raw)
In-Reply-To: <20140704145118.GD3340@pd.tnic>
On Fri, Jul 04, 2014 at 04:51:18PM +0200, Borislav Petkov wrote:
> On Thu, Jul 03, 2014 at 05:07:12PM -0400, Vivek Goyal wrote:
> > Hi,
> >
> > This patch series enables signature verification of signed PE bzimage. This
> > patches series needs two more patch series before it.
> >
> > First one is kexec_file_load() syscall support posted here.
> >
> > https://lkml.org/lkml/2014/6/26/497
> >
> > This patch seris is also available in -mm tree now.
> >
> > Second one is PKCS7 signature parsing and verification support. These
> > patches are available in David Howells's modsign tree in pkcs7 branch.
> >
> > https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/log/?h=pkcs7
> >
> > This patch series is based on David Howells's work of PE file parsing
> > and PKCS7 signature verificaiton. Now PKCS7 signature part is available
> > in his tree. So I have taken PE file parsing patches, changed them a
> > bit and posting these here.
>
> Ok, now this looks strange. You're referring to those patches without
> posting them together with yours. And they're in some repo. Normally in
> such cases people post the *whole* patchset and do not refer to some
> other tree.
>
> >From looking at them, they're part of the pull request which Linus did
> shot down already last year:
>
> https://lkml.org/lkml/2013/2/21/228
>
> And he explicitly stated then that we don't want PE file parsing in the
> kernel, AFAICR. What changed since then?
I think use case has changed since then. My impression was that Linus
primarily did not like the idea of carrying keys in PE files. He said
we have x509 for that.
This time that's not the use case. We have dropped those patches. In fact
no keys are being added. I am just verifying the signature of PE bzImage
against a key in system_trusted_keyring.
We already generate PE bzImage and have code to generate right PE header
for bzImage.
In Linux Plumbers last year idea was to append signatures to kernel image
(like modules). But later I found out that it will not work as if I append
another signature to already signed PE image, PE signatures will be broken.
And given that distributions are already shipping signe PE bzImage, it
made sense to parse and verify those signatures instead of trying to
come up with a mechanism so that two signatures can co-exist and sign
images twice.
Given that this time we have a new use case, I am hoping that idea of
parsing PE and verifying signature is more acceptable.
Thanks
Vivek
next prev parent reply other threads:[~2014-07-05 3:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-03 21:07 [RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage Vivek Goyal
2014-07-03 21:07 ` [PATCH 1/9] pkcs7: Forward declare struct key in pkcs7.h Vivek Goyal
2014-07-03 21:07 ` [PATCH 2/9] Provide PE binary definitions Vivek Goyal
2014-07-04 19:12 ` Anca Emanuel
2014-07-04 19:14 ` H. Peter Anvin
2014-07-04 19:16 ` Matthew Garrett
2014-07-03 21:07 ` [PATCH 3/9] pefile: Parse a PE binary and verify signature Vivek Goyal
2014-07-03 21:07 ` [PATCH 4/9] pefile: Strip the wrapper off of the cert data block Vivek Goyal
2014-07-03 21:07 ` [PATCH 5/9] pefile: Parse the presumed PKCS#7 content of the certificate blob Vivek Goyal
2014-07-03 21:07 ` [PATCH 6/9] pefile: Parse the "Microsoft individual code signing" data blob Vivek Goyal
2014-07-03 21:07 ` [PATCH 7/9] pefile: Digest the PE binary and compare to the PKCS#7 data Vivek Goyal
2014-07-03 21:07 ` [PATCH 8/9] PEFILE: Validate PKCS#7 trust chain Vivek Goyal
2014-07-03 21:07 ` [PATCH 9/9] kexec: Verify the signature of signed PE bzImage Vivek Goyal
2014-07-04 14:51 ` [RFC PATCH 0/9] kexec: Verify signature of PE signed bzImage Borislav Petkov
2014-07-05 3:01 ` Vivek Goyal [this message]
2014-07-08 15:54 ` Borislav Petkov
2014-07-08 16:07 ` Vivek Goyal
2014-07-08 16:12 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140705030134.GA18508@redhat.com \
--to=vgoyal@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=bhe@redhat.com \
--cc=bp@alien8.de \
--cc=chaowang@redhat.com \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=pjones@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox