lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Aug 2018 08:42:32 -0700
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     David Howells <dhowells@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Vivek Goyal <vgoyal@...hat.com>, yannik@...britzki.me,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Peter Anvin <hpa@...or.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Dave Young <dyoung@...hat.com>, Baoquan He <bhe@...hat.com>,
        Justin Forbes <jforbes@...hat.com>,
        Peter Jones <pjones@...hat.com>,
        Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom
 platform keys to boot

On Thu, 2018-08-16 at 08:16 -0700, James Bottomley wrote:
> So your lawyers tell you if you sign a third party module for your
> kernel then you could get blamed for the damage it causes?  So this
> whole escapade is about Red Hat trying to evade legal responsibility
> for allowing customers to load third party modules.
> 
> Firstly, your lawyers are wrong: Microsoft took a lot of legal advice
> before they agreed to become the third party signing authority for
> UEFI.  They definitely believe they can't be sued if they sign
> something that later breaches UEFI security.  However, I realise
> trying to overcome overly cautious legal advice is a no win
> situation, so lets move on.

Let me give you some advice from an old hand on this: You definitely
can't overcome a lawyer with a legal argument (well, unless you're
really good, pig headed and come spoiling for a fight), but you
definitely can with a business case.  Once you present a business case
for doing whatever it is the lawyer's have said no to, the next
instruction a good executive will issue is "quantify the legal risk so
we can balance it against the business benefit".  That's where a "no"
based on over caution usually gets overruled because the risks look
minor when exposed to scrutiny.

To generate that business case, why not merge Mehmet's patches?  If
other distributions start using them successfully, then you'll have
both direct and indirect business pressures for Red Hat to do the same
and it will force the re-evaluation you need.  If no-one uses them
there'll be no additional pressure and you'll be no worse off.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ