lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130221181157.GA21688@srcf.ucam.org>
Date:	Thu, 21 Feb 2013 18:11:57 +0000
From:	Matthew Garrett <mjg59@...f.ucam.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	David Howells <dhowells@...hat.com>,
	Josh Boyer <jwboyer@...hat.com>,
	Peter Jones <pjones@...hat.com>,
	Vivek Goyal <vgoyal@...hat.com>,
	Kees Cook <keescook@...omium.org>, keyrings@...ux-nfs.org,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries

On Thu, Feb 21, 2013 at 10:03:20AM -0800, Linus Torvalds wrote:

> Seriously, if somebody wants to make a binary module for Fedora 18 or
> whatever, they should go to Red Hat and ask whether RH is willing to
> sign their key. And the whole "no, we only think it makes sense to
> trust MS keys" argument is so f*cking stupid that if somebody really
> brings that up, I can only throw my hands up and say "whatever".

MS have infrastructure to do identity verification and actually run some 
kind of vaguely responsible CA, and I don't trust Red Hat to be able to 
do that. And if the machine's carrying Microsoft's key in its firmware 
then you *already* trust Microsoft, because if the bad guy can get 
something signed by them then he's already just replaced your bootloader 
instead of pissing about inserting modules. Using the hardware keys as 
the root of trust makes practical sense.

> Besides, let's face it, Red Hat is going to sign the official nVidia
> and AMD binary modules anyway. Don't even bother to pretend anything
> else.

I don't think there's any chance of them signing modules. But it's a 
given that RHEL's going to end up trusting keys owned by nvidia and amd 
somehow, and chances are that's going to be based on the Microsoft 
signing service. The question is whether there's a benefit in ensuring 
that the same key is trusted by RHEL, Ubuntu, Suse and everyone else or 
whether different kernels are going to have completely different 
policies.

-- 
Matthew Garrett | mjg59@...f.ucam.org
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ