Date:	Wed, 11 Jun 2014 00:00:39 +0300
From:	Dmitry Kasatkin <dmitry.kasatkin@...il.com>
To:	Matthew Garrett <mjg59@...f.ucam.org>
Cc:	Josh Boyer <jwboyer@...hat.com>,
	David Howells <dhowells@...hat.com>,
	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	Dmitry Kasatkin <d.kasatkin@...sung.com>,
	keyrings <keyrings@...ux-nfs.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	linux-security-module <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only

On 10 June 2014 23:40, Matthew Garrett <mjg59@...f.ucam.org> wrote:
> On Tue, Jun 10, 2014 at 11:34:17PM +0300, Dmitry Kasatkin wrote:
>
>> Preventing the loading of keys from UEFI, except dbx, by default actually improves
>> security. By adding a kernel parameter to read db we make the system more
>> vulnerable.
>
> It only adds security if you're performing a measured boot and remote
> attestation. Otherwise you implicitly trust that key anyway. In almost
> all cases refusing to trust db gives you a false sense of security
> without any real improvement. I don't think it's obvious it should be
> the default.
>
> --
> Matthew Garrett | mjg59@...f.ucam.org

Maybe you are right... "in almost all cases"...

It does not matter whether one trusts db or not... It's all about
distro/system configuration...

A normal user will not even know what the default behavior is and which
kernel parameter disables or enables it...
And the distro will have it by default or will use the kernel parameter... It
does not change anything...

I am just discussing kernel configuration...
Without looking into it I cannot be sure whether UEFI keys will
appear on the system keyring or not.
Now I have to be aware of how the kernel is compiled... If it is compiled
with CONFIG_KEYS_UEFI or so,
I need to remember that I may have to supply additional kernel parameters to
limit UEFI key usage...

It is maybe not a big deal...

-- 
Thanks,
Dmitry