From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: "Luis R. Rodriguez" <mcgrof@suse.com>,
Andy Lutomirski <luto@kernel.org>,
linux-security-module@vger.kernel.org, james.l.morris@oracle.com,
serge@hallyn.com, linux-kernel@vger.kernel.org,
linux-wireless@vger.kernel.org, Kyle McMartin <kyle@kernel.org>,
David Woodhouse <david.woodhouse@intel.com>,
Seth Forshee <seth.forshee@canonical.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Joey Lee <jlee@suse.de>, Rusty Russell <rusty@rustcorp.com.au>,
mricon@kernel.org, Michal Marek <mmarek@suse.cz>,
Abelardo Ricart III <aricart@memnix.com>,
Sedat Dilek <sedat.dilek@gmail.com>,
keyrings@linux-nfs.org, Borislav Petkov <bp@alien8.de>,
Jiri Kosina <jkosina@suse.cz>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFD] linux-firmware key arrangement for firmware signing
Date: Thu, 21 May 2015 12:30:09 -0400 [thread overview]
Message-ID: <1432225809.2450.11.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <9567.1432223509@warthog.procyon.org.uk>
On Thu, 2015-05-21 at 16:51 +0100, David Howells wrote:
> Luis R. Rodriguez <mcgrof@suse.com> wrote:
>
> > I had this planned out because regulatory.bin used its own simple RSA key
> > with no x509 juju magic. I also envisioned it being easier for Kyle for
> > instance to use his own PGP key to sign linux-firmware files to start off
> > with than some complex x509 thing. Based on discussions with David, Seth,
> > and Kyle though it seems we were going to be happy with trusting Kyle's key
> > for regulatory.bin, since that will be done Kyle might as well sign all
> > linux-firmware files and folks who trust that can use it.
>
> To go down the signature root, what the kernel needs is:
>
> (1) A way to get a key into the kernel. We're currently using X.509 for this
> for module signing and kexec.
>
> (2) A way to get a signature into the kernel with sufficient metadata to
> select the key to use. Currently, kexec uses PKCS#7 for this and module
> signing uses a private format which I'm intending to change to PKCS#7.
>
> For firmware, I think Andy is right and we also need to include in the
> metadata something that says under what circumstances the firmware can be
> used - likely the name that is passed to request_firmware() - which must
> also be included in the digested data.
>
> I don't believe that module signing actually requires a hint of this type
> since we have to permit insmod to work and there won't be a hint we can
> trust. Besides, once verified, modules have to be loadable by the module
> loader which is probably a sufficient restriction in itself.
>
> I don't believe that kexec signing requires a name hint either since I
> think the only restriction on what we're allowed to kexec is that it must
> be bootable from the beginning - and must be a PE binary on x86 type
> platforms.
>
> I do have patches to parse PGP key data and add the public keys found therein
> onto the kernel keyring, but that would mean adding an extra key data parser.
>
> You could probably do this with the integrity functions - but turning them on
> has a performance cost and you have to load things in the right order as I
> understand it.
The only ordering is loading the keys before verifying the signatures.
Have you recently done any performance testing?
Mimi
next prev parent reply other threads:[~2015-05-21 16:30 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 20:02 [RFD] linux-firmware key arrangement for firmware signing Luis R. Rodriguez
2015-05-19 20:40 ` Luis R. Rodriguez
2015-05-19 20:59 ` Andy Lutomirski
2015-05-19 22:11 ` Luis R. Rodriguez
2015-05-19 22:40 ` Andy Lutomirski
2015-05-19 23:30 ` Julian Calaby
2015-05-19 23:42 ` Andy Lutomirski
2015-05-20 0:39 ` Luis R. Rodriguez
2015-05-20 0:41 ` Andy Lutomirski
2015-05-21 22:26 ` Luis R. Rodriguez
2015-05-21 23:15 ` Casey Schaufler
2015-05-21 15:51 ` David Howells
2015-05-21 16:30 ` Mimi Zohar [this message]
2015-05-21 16:39 ` Andy Lutomirski
2015-05-21 16:51 ` Petko Manolov
2015-05-21 16:55 ` Andy Lutomirski
2015-05-21 17:44 ` Petko Manolov
2015-05-21 16:43 ` Petko Manolov
2015-05-21 16:48 ` Andy Lutomirski
2015-05-21 16:58 ` Petko Manolov
2015-05-21 16:59 ` Mimi Zohar
2015-05-19 21:48 ` Mimi Zohar
2015-05-19 22:19 ` Luis R. Rodriguez
2015-05-19 23:37 ` Mimi Zohar
2015-05-20 0:22 ` Luis R. Rodriguez
2015-05-20 1:06 ` Mimi Zohar
2015-05-20 1:29 ` Andy Lutomirski
2015-05-20 2:05 ` Mimi Zohar
2015-05-20 2:10 ` Andy Lutomirski
2015-05-20 15:49 ` Petko Manolov
2015-05-20 16:08 ` Petko Manolov
2015-05-20 14:04 ` Seth Forshee
2015-05-20 16:24 ` One Thousand Gnomes
2015-05-20 16:46 ` Petko Manolov
2015-05-21 4:41 ` Greg Kroah-Hartman
2015-05-21 5:41 ` Petko Manolov
2015-05-21 6:14 ` Greg Kroah-Hartman
2015-05-21 13:05 ` Mimi Zohar
2015-05-21 15:45 ` Greg Kroah-Hartman
2015-05-21 15:53 ` Petko Manolov
2015-05-21 16:57 ` Greg Kroah-Hartman
2015-05-26 17:08 ` One Thousand Gnomes
2015-05-26 19:15 ` Petko Manolov
2015-05-26 19:52 ` Mimi Zohar
2015-05-26 23:06 ` David Howells
2015-05-21 16:03 ` Woodhouse, David
2015-05-21 16:22 ` Mimi Zohar
2015-05-21 16:31 ` Woodhouse, David
2015-05-21 17:02 ` gregkh
2015-05-21 17:14 ` Petko Manolov
2015-05-21 18:23 ` Luis R. Rodriguez
2015-05-21 18:30 ` Luis R. Rodriguez
2015-05-21 19:32 ` Woodhouse, David
2015-05-21 17:49 ` Luis R. Rodriguez
2015-05-21 14:45 ` Petko Manolov
2015-05-21 22:50 ` Luis R. Rodriguez
2015-05-20 20:35 ` Kyle McMartin
2015-05-20 15:08 ` David Howells
2015-05-20 15:47 ` Seth Forshee
2015-05-21 16:23 ` David Howells
2015-05-20 15:14 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432225809.2450.11.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=aricart@memnix.com \
--cc=bp@alien8.de \
--cc=david.woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jkosina@suse.cz \
--cc=jlee@suse.de \
--cc=keyrings@linux-nfs.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mcgrof@suse.com \
--cc=mmarek@suse.cz \
--cc=mricon@kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=sedat.dilek@gmail.com \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).