lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Aug 2018 14:00:11 +0800 From: joeyli <jlee@...e.com> To: James Bottomley <James.Bottomley@...senPartnership.com> Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>, "Lee, Chun-Yi" <joeyli.kernel@...il.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, linux-efi <linux-efi@...r.kernel.org>, the arch/x86 maintainers <x86@...nel.org>, keyrings@...r.kernel.org, linux-integrity <linux-integrity@...r.kernel.org>, Kees Cook <keescook@...omium.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>, Pavel Machek <pavel@....cz>, Chen Yu <yu.c.chen@...el.com>, Oliver Neukum <oneukum@...e.com>, Ryan Chen <yu.chen.surf@...il.com>, David Howells <dhowells@...hat.com>, Mimi Zohar <zohar@...ux.vnet.ibm.com> Subject: Re: [PATCH 0/6][RFC] Add EFI secure key to key retention service Hi James, On Sun, Aug 05, 2018 at 10:47:26AM -0700, James Bottomley wrote: > On Sun, 2018-08-05 at 09:25 +0200, Ard Biesheuvel wrote: > > Hello Chun,yi, > > > > On 5 August 2018 at 05:21, Lee, Chun-Yi <joeyli.kernel@...il.com> > > wrote: > > > When secure boot is enabled, only signed EFI binary can access > > > EFI boot service variable before ExitBootService. Which means that > > > the EFI boot service variable is secure. > > > > > > > No it, isn't, and this is a very dangerous assumption to make. > > > > 'Secure' means different things to different people. 'Secure boot' is > > a misnomer, since it is too vague: it should be called 'authenticated > > boot', and the catch is that authentication using public-key crypto > > does not involve secrets at all. > > Hang on, let's not throw the baby out with the bathwater here. > > The design of "secure boot" is to create a boot time environment where > only trusted code may execute. We rely on this trust guarantee when we > pivot from the EFI to the MoK root of trust in shim. > > The reason we in Linux trust this guarantee is that it pertains to the > boot environment only, so any violation would allow Windows boot to be > compromised as well and we trust Microsoft's Business interests in > securing windows far enough to think this would be dealt with very > severely and it's an outcome the ODMs (who also add secure boot keys) > are worried enough about to be very careful. > > The rub (and this is where I'm agreeing with Ard) is that any use case > we come up with where a violation wouldn't cause a problem in windows > is a use case where we cannot rely on the guarantee because Microsoft > no longer has a strong business interest in policing it. This, for > instance, is why we don't populate the Linux trusted keyrings with the > secure boot keys (we may trust them in the boot environment where > compromise would be shared with windows but we can't trust them in the > Linux OS environment where it wouldn't). So this means we have to be > very careful coming up with uses for secure boot that aren't strictly > rooted in the guarantee as enforced by the business interests of > Microsoft and the ODMs. > Thank you for providing the view point from Microsoft bussiness ineterests. I agreed with you. Honestly I didn't think this point before. > > The UEFI variable store was not designed with confidentiality in > > mind, and assuming [given the reputation of EFI on the implementation > > side] that you can use it to keep secrets is rather unwise imho. > > Agree completely here: Microsoft doesn't use UEFI variables for > confidentiality, so we shouldn't either. If you want confidentiality, > use a TPM (like Microsoft does for the bitlocker key). > OK~~ Then I will use TPM trusted key + encrypted key in hibernation encryption/authentication. Thanks for James and Ard's comments. Joey Lee
Powered by blists - more mailing lists