Date:	Thu, 21 May 2015 15:31:44 -0700
From:	"Luis R. Rodriguez" <mcgrof@...e.com>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	David Howells <dhowells@...hat.com>,
	Andy Lutomirski <luto@...nel.org>,
	Rusty Russell <rusty@...tcorp.com.au>,
	Michal Marek <mmarek@...e.cz>,
	Matthew Garrett <mjg59@...f.ucam.org>, keyrings@...ux-nfs.org,
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Seth Forshee <seth.forshee@...onical.com>,
	LSM List <linux-security-module@...r.kernel.org>,
	David Woodhouse <dwmw2@...radead.org>
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

On Thu, May 21, 2015 at 3:24 PM, Andy Lutomirski <luto@...capital.net> wrote:
> On Thu, May 21, 2015 at 3:16 PM, Luis R. Rodriguez <mcgrof@...e.com> wrote:
>> On Thu, May 21, 2015 at 3:06 PM, Andy Lutomirski <luto@...capital.net> wrote:
>>> Given that, I would say that merely shoving firmware files through the
>>> module verifier as-is would not be okay.
>>
>> Replacing one dog and pony show with another is what is going on; what
>> you describe and suggest seems best, and I welcome patches. It seems
>> you know what you are talking about :)
>>
>
> Don't hold your breath.  My plate is over-full.  I'm probably a decent
> reviewer of crypto, though.

Well, as good as you are, in 10 years we'll have better ones. So when
module signing went into the kernel the real expectation should have
been:

This code looks good now but is going to be complete shit and
breakable a few years from now.

Hence my first implicit and now explicit claims about dog and pony shows.
The best thing we can do IMHO is to just allow us to replace stupid human
code with better human code later, and eventually hopefully better AI
code, and so on. Since you don't have time for a real replacement,
maybe what we can do is at least document / target / agree on what
pipe dream we want and shoot for it over time. Hopefully folks will
find time to implement it.

In the meantime, should that block current dog and pony show trading? I
don't think so.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/