lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z90l26ADmS87tu0k@gardel-login>
Date: Fri, 21 Mar 2025 09:39:55 +0100
From: Lennart Poettering <mzxreary@...inter.de>
To: lee joey <joeyli.kernel@...il.com>
Cc: Jarkko Sakkinen <jarkko@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>,
	Roberto Sassu <roberto.sassu@...wei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
	Eric Snowberg <eric.snowberg@...cle.com>,
	Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
	joeyli <jlee@...e.com>
Subject: Re: [PATCH] Revert "integrity: Do not load MOK and MOKx when secure
 boot be disabled"

On Fr, 21.03.25 15:13, lee joey (joeyli.kernel@...il.com) wrote:

> Hi Lennart,
>
> Lennart Poettering <mzxreary@...inter.de> 於 2025年3月20日 週四 下午8:02寫道:
> >
> > This reverts commit 92ad19559ea9a8ec6f158480934ae26ebfe2c14f.
> >
> > This original commit this reverts creates a strange situation: it
> > ensures more restrictive behaviour if SecureBoot is off then when it
> > is on, which is the opposite of what one would expect.
> >
> > Typically, one would expect that if SB is off the validation of
> > resources during the pre-kernel and kernel initialization is less
> > restrictive, not more restrictive. But this check turned the world on
> > its head.
> >
>
> SB off means that the chain of trust is broken. Which means that all
> mechanisms rely on SB are non-secure. Meanwhile, if the integrity of kernel
> can be guaranteed by other mechanism (e.g. TPM), then mok should not
> be loaded when SB off.

Why not? as you say, chain of trust is broken: the kernel itself is
not immediately integrity protected and neither is the firmware. Hence
filtering out keys in this case is really pointless.

> > I'd like to ask for this commit to be reverted. If SB is on all bets are
> > off regarding integrity of boot loaders and stuff, hence it makes no
> > sense to be restrictive here: you cannot regain integrity once you gave
> > it up once, hence if all bets are off anyway we might as well import any
> > Mok keys passed to us into the kernel keyring.
> >
> > Or to say this differently: if an attacker got control of the pre-kernel
> > boot phase they might as well patch around in the firmware apis to make
> > the kernel believe it is in SB mode even if it is not. Hence the check
> > carries no value. It doesn't protect anything in any effective way.
>
> If this is the case, the check of MokListTrustedRT can also be
> removed.

I think it makes sense to honour explicit knobs, such as
MokListTrustedRT: It has a very clear meaning: it indicates whether to
import the keys or not.

This is quite different from SB state, which is not explicit about
importing keys at all, it just indicates whether firmware level
validation of signatures is done or not.

> All mok can directly be added to machine keyring then link with
> secondary keyring.
> Because attacker can create MokListTrusted/MokListTrusted variables to cheat
> bootloader or kernel. The check of MokListTrustedRT is useless.

Yeah, it does not carry immediate security value if SB is off. But it
does allow finer-grained control by pre-boot code of how the kernel
later sets up things. Hence I'd keep it.

> > You might wonder what signed dm-verity gives me if I have SB off. If
> > we authenticate the boot phase up to Linux userspace via TPM-based PCR
> > policies (i.e. measured boot) we can be sure of the boot integrity
> > without having to rely on SB. But then we'd still like to use
> > dm-verity based code signing for userspace.
>
> hm... I am a bit confused. So, this patch can help the above
> scenario?

The revert I posted will allow us to populate the kernel keyring used
for dm-verity signature checks from pre-boot even if SB is off. Via
local or remote attestation during boot we can later validate this
chosen boot path, and hence can a-posteriori validate that everything
is OK even if the a-priori SB check is not done. But once we have
validated that we then have the key in the kernel keyring for later
dm-verity validations, which is all we wanted.

Lennart

--
Lennart Poettering, Berlin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ