lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1534366395.4049.19.camel@HansenPartnership.com>
Date:   Wed, 15 Aug 2018 13:53:15 -0700
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Vivek Goyal <vgoyal@...hat.com>
Cc:     yannik@...britzki.me, David Howells <dhowells@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Peter Anvin <hpa@...or.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Dave Young <dyoung@...hat.com>, Baoquan He <bhe@...hat.com>,
        Justin Forbes <jforbes@...hat.com>,
        Peter Jones <pjones@...hat.com>,
        Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom
 platform keys to boot

On Wed, 2018-08-15 at 13:47 -0700, Linus Torvalds wrote:
> On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgoyal@...hat.com>
> wrote:
> > 
> > I see that module signing code trusts only builtin keys and
> > not the keys in secondary_trusted_keys keyring.
> 
> This, I think, makes sense.
> 
> It basically says: we don't allow modules that weren't built with the
> kernel. Adding a new key later and signing a module with it violates
> that premise.

Yes, the point is about layers of trust.  The UEFI secure boot keys for
a standard (i.e. system where the user hasn't taken ownership) contain
Microsoft and some ODM vendor keys.  You're forced to trust these keys
in the boot (or reboot) environment because that's consistent with the
way windows operates (any breach and microsoft will get annoyed and
help us sort it out).  You can't trust them for other kernel key
operations because that's outside the boot environment trust boundary
and if something goes wrong (say someone at an ODM signs a malicious
linux kernel module because the ODM keys are trusted to sign modules)
Microsoft won't care and we'll be on our own with no real ability to
sort it out.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ