lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1534435000.3166.9.camel@HansenPartnership.com>
Date:   Thu, 16 Aug 2018 08:56:40 -0700
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Vivek Goyal <vgoyal@...hat.com>, yannik@...britzki.me,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Peter Anvin <hpa@...or.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Dave Young <dyoung@...hat.com>, Baoquan He <bhe@...hat.com>,
        Justin Forbes <jforbes@...hat.com>,
        Peter Jones <pjones@...hat.com>,
        Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom
 platform keys to boot

On Thu, 2018-08-16 at 16:49 +0100, David Howells wrote:
> James Bottomley <James.Bottomley@...senPartnership.com> wrote:
> 
> > > The problem with that is that it means you can't load third party
> > > modules - such as the NVidia driver.  That's fine if you
> > > absolutely reject the right of people to produce third party
> > > drivers for the Linux kernel and absolutely require that they
> > > open and upstream their code if they want in.
> > 
> > So if you build your own kernel and want to load the nVidia module,
> > you have the key to sign it.
> 
> I think you have to assume that doing this is beyond most people.

As a step by step process, I agree.  However, I think we can automate
it to the point where you install a package and it says "insert your
yubikey" every time you upgrade the kernel

>   Further, as a distribution we would prefer people didn't raise bugs
> against kernels that we didn't build.

Mehmet's patches don't require building a new kernel.  They merely
require the added key be linked into the Red Hat built bzImage and then
the resulting blob be signed.  You can still identify that the original
bzImage is the Red Hat one.

> > If you're a distribution and want third party modules to be loaded
> > you can set up a third party signing process using a distro key ...
> > I don't see what the big problem is.
> 
> That's the problem is right there.  AIUI, we *don't* want to set up a
> third party signing process.  As I said, it potentially comes with
> lawyers attached.

Right so generate a business pressure to overcome the legal one.  To be
honest that's what I believe happened at Microsoft: I'm sure their
lawyers initially said "no way" to being a third party signing
authority until their executives laid out the business cost of being
blamed for the first boot virus after having refused to implement
ecosystem protection for legal reasons.

> > So your lawyers tell you if you sign a third party module for your
> > kernel then you could get blamed for the damage it causes?
> 
> There's more to it than that, but I feel I should discuss it with our
> legal dept. before airing it here.

Sure; if you want me to be involved in the conversation I can do it
under NDA or whatever they require.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ