| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2015 10:31:52 +1000 From: Julian Calaby <julian.calaby@...il.com> To: "Luis R. Rodriguez" <mcgrof@...not-panic.com> Cc: ming.lei@...onical.com, Rusty Russell <rusty@...tcorp.com.au>, Linus Torvalds <torvalds@...ux-foundation.org>, dhowells@...hat.com, Seth Forshee <seth.forshee@...onical.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, pebolle@...cali.nl, linux-wireless <linux-wireless@...r.kernel.org>, Greg KH <gregkh@...uxfoundation.org>, jlee@...e.com, Takashi Iwai <tiwai@...e.de>, casey@...aufler-ca.com, Kees Cook <keescook@...omium.org>, Matthew Garrett <mjg59@...f.ucam.org>, Andrew Morton <akpm@...ux-foundation.org>, "Luis R. Rodriguez" <mcgrof@...e.com>, Kyle McMartin <kyle@...nel.org> Subject: Re: [RFC v2 6/6] firmware: add firmware signature checking support Hi Luis, On Thu, May 14, 2015 at 4:23 AM, Luis R. Rodriguez <mcgrof@...not-panic.com> wrote: > From: "Luis R. Rodriguez" <mcgrof@...e.com> > > Systems that have module signing currently enabled may > wish to extend vetting of firmware passed to the kernel > as well. We can re-use most of the code for module signing > for firmware signature verification and signing. This will > also later enable re-use of this same code for subsystems > that wish to provide their own cryptographic verification > mechanisms on userspace data needed. > > As with module signing, we do a very simple search for a > particular string appended to the firmware. There's both a > config option and a boot parameter which control whether we > accept or fail with unsigned firmware and firmware that are > signed with an unknown key. > > If firmware signing is enabled, the kernel will be tainted > if a firmware is loaded that is unsigned or has a signature > for which we don't have the key. > > Cc: Rusty Russell <rusty@...tcorp.com.au> > Cc: David Howells <dhowells@...hat.com> > Cc: Ming Lei <ming.lei@...onical.com> > Cc: Seth Forshee <seth.forshee@...onical.com> > Cc: Kyle McMartin <kyle@...nel.org> > Signed-off-by: Luis R. Rodriguez <mcgrof@...e.com> > --- > Documentation/firmware_class/signing.txt | 88 +++++++++ > drivers/base/Kconfig | 18 ++ > drivers/base/firmware_class.c | 214 ++++++++++++++++++++- > .../sysdata-internal.h => include/linux/sysdata.h | 0 > kernel/module.c | 2 +- > kernel/sysdata_signing.c | 3 +- > kernel/system_keyring.c | 2 +- > 7 files changed, 317 insertions(+), 10 deletions(-) > create mode 100644 Documentation/firmware_class/signing.txt > rename kernel/sysdata-internal.h => include/linux/sysdata.h (100%) > > diff --git a/Documentation/firmware_class/signing.txt b/Documentation/firmware_class/signing.txt > new file mode 100644 > index 0000000..6e1ce3c > --- /dev/null > +++ b/Documentation/firmware_class/signing.txt > @@ -0,0 +1,88 @@ > + ================================ > + KERNEL FIRMWARE SIGNING FACILITY > + ================================ > + > +CONTENTS > + > + - Overview. > + - Configuring firmware signing. > + - Using signing keys. > + - Signing firmware files. > + > + > +======== > +OVERVIEW > +======== > + > +Device drivers which require a firmware to be uploaded onto a device as its own > +device's microcode use any of the following APIs: > + > + * request_firmware() > + * request_firmware_direct() > + * request_firmware_nowait() > + > +The kernel firmware signing facility enables to cryptographically sign > +firmware files on a system using the same keys used for module signing. > +Firmware files's signatures consist of PKCS#7 messages of the respective > +firmware file. A firmware file named foo.bin, would have its respective > +signature on the filesystem as foo.bin.pkcs7. When firmware signature > +checking is enabled (FIRMWARE_SIG) when one of the above APIs is used > +against foo.bin, the file foo.bin.pkcs7 will also be looked for. If > +FIRMWARE_SIG_FORCE is enabled the foo.bin file will only be allowed to > +be returned to callers of the above APIs if and only if the foo.bin.pkcs7 > +file is confirmed to be a valid signature of the foo.bin file. If > +FIRMWARE_SIG_FORCE is not enabled and only FIRMWARE_SIG is enabled the > +kernel will be permissive and enabled unsiged firmware files, or firmware > +files with incorrect signatures. If FIRMWARE_SIG is not enabled the > +signature file is ignored completely. > + > +Firmware signing increases security by making it harder to load a malicious > +firmware into the kernel. The firmware signature checking is done by the > +kernel so that it is not necessary to have trusted userspace bits. > + > +============================ > +CONFIGURING FIRMWARE SIGNING > +============================ > + > +The firmware signing facility is enabled by going to the section: > + > +-> Device Drivers > + -> Generic Driver Options > + -> Userspace firmware loading support (FW_LOADER [=y]) > + -> Firmware signature verification (FIRMWARE_SIG [=y]) > + > +If you want to not allow unsigned firmware to be loaded you should > +enable: > + > +"Require all firmware to be validly signed", under the same menu. You reference the relevant Kconfig symbols above, do you want to add it here too? Thanks, -- Julian Calaby Email: julian.calaby@...il.com Profile: http://www.google.com/profiles/julian.calaby/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists