Message-ID: <20130226031338.GA29784@srcf.ucam.org>
Date: Tue, 26 Feb 2013 03:13:38 +0000
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: David Howells <dhowells@...hat.com>,
Florian Weimer <fw@...eb.enyo.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Josh Boyer <jwboyer@...hat.com>,
Peter Jones <pjones@...hat.com>,
Vivek Goyal <vgoyal@...hat.com>,
Kees Cook <keescook@...omium.org>, keyrings@...ux-nfs.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries
On Mon, Feb 25, 2013 at 07:02:49PM -0800, Greg KH wrote:
> On Tue, Feb 26, 2013 at 02:33:32AM +0000, Matthew Garrett wrote:
> > Oh, come on Greg. Allowing unsigned modules allows loading arbitrary
> > code into the kernel, and allowing arbitrary code into the kernel means
> > that the kernel can be used to directly boot a modified copy of the
> > Windows kernel. Avoiding that scenario is *explicitly* mandated by
> > Microsoft.
>
> Then why is the signed shim currently being used successfully by
> distros that do not use signed kernel modules?
Because Microsoft have indicated that they'd be taking a reactive
approach to blacklisting and because, so far, nobody has decided to
write the trivial proof of concept that demonstrates the problem.
> > We can avoid it by either not using Microsoft as the root of
> > trust or by requiring explicit key installation during the OS install
> > process, but both of those make OS installation more difficult. If we
> > want Linux to Just Work out of the box on Microsoft-certified hardware,
> > this is one of the rules we have to live by.
>
> I don't see that being required in the wording for the Microsoft signing
> authority, and in personal discussions with them, they say it would be
> nice, but they can't force the issue. Where does it say this in the
> agreement specifically?
"In addition, in the case of Microsoft’s digital signatures of UEFI
Code, Microsoft may remove a Compatible Product from the Microsoft
Compatibility Lists and/or revoke the digital signature upon 30 days’
notice to Company in the event Microsoft determines in its sole judgment
that the security of the UEFI Code is compromised."
The ability to use the signed code to boot an untrusted copy of the
Windows kernel is a clear breach of the trust model.
--
Matthew Garrett | mjg59@...f.ucam.org