[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170421194732.GB23671@khazad-dum.debian.net>
Date: Fri, 21 Apr 2017 16:47:32 -0300
From: Henrique de Moraes Holschuh <hmh@....eng.br>
To: Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>
Cc: David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
keyrings <keyrings@...r.kernel.org>,
LSM <linux-security-module@...r.kernel.org>,
kernel <linux-kernel@...r.kernel.org>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>,
George Wilson <gcwilson@...ibm.com>
Subject: Re: [PATCH v4 1/4] KEYS: Insert incompressible bytes to reserve
space in bzImage
On Thu, 20 Apr 2017, Mehmet Kayaalp wrote:
> > On Apr 20, 2017, at 7:13 PM, Henrique de Moraes Holschuh <hmh@....eng.br> wrote:
> > On Thu, 20 Apr 2017, Mehmet Kayaalp wrote:
> >> Include a random filled binary in vmlinux at the space reserved with
> >> CONFIG_SYSTEM_EXTRA_CERTIFICATE. This results in an uncompressed reserved
...
> > Alternatively, you could ship a static file with random data that has
> > been tested to be uncompressible "enough" for every currently supported
> > compression engine, maybe with a bit of a safety margin just in case a
> > future compression engine does somewhat better...
>
> The seed makes it static for a given size, and I tested it to be
> incompressible. But I don't know about the safety margin. Even without the
If you tested the result to be incompressible enough, it is fine with me.
> compression, the reserved size is not accurate. If you reserve 4096 bytes,
> the DER encoded certificate inserted is not going to be exactly 4096 either
> (for reference, the built-in certificate is 1346 bytes). Compression makes it
> a little more inaccurate, but is over-provisioning several hundreds of bytes
> a concern when the bzImage is several megabytes?
Maybe for embedded, but in that case any overprovisioning would already
be too much, and one has to fix the issue in some other way.
--
Henrique Holschuh
Powered by blists - more mailing lists