linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>, Andy Lutomirski <luto@kernel.org>
Cc: linux-security-module@vger.kernel.org, james.l.morris@oracle.com,
	serge@hallyn.com, linux-kernel@vger.kernel.org,
	linux-wireless@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	Kyle McMartin <kyle@kernel.org>,
	David Woodhouse <david.woodhouse@intel.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Joey Lee <jlee@suse.de>, Rusty Russell <rusty@rustcorp.com.au>,
	mricon@kernel.org, Kees Cook <keescook@chromium.org>
Subject: Re: [RFD] linux-firmware key arrangement for firmware signing
Date: Wed, 20 May 2015 00:19:02 +0200	[thread overview]
Message-ID: <20150519221902.GQ23057@wotan.suse.de> (raw)
In-Reply-To: <1432072117.4510.180.camel@linux.vnet.ibm.com>

On Tue, May 19, 2015 at 05:48:37PM -0400, Mimi Zohar wrote:
> On Tue, 2015-05-19 at 22:02 +0200, Luis R. Rodriguez wrote:
> > David Howells has posted v4 of his series of supporting PKCS#7 for module
> > signing. I'm in my v3 series now on RFCs for firmware PKCS#7 support, and after
> > some review and patch shuffling I think this is ready for patch form.  My own
> > series however depend on quite a bit of other pending changes, one series which
> > will go through Rusty's tree, another series of fixes on firmware_class which
> > should go through Greg's tree. I'll wait until all this and David's own patches
> > get merged before posting firmware PKCS#7 support. Before all this though in
> > preparation for fw signing one thing we should start to talk about more broadly
> > however is how linux-firmware binary file signing would work in practice and
> > what we need, and make sure folks are OK with all this.
> 
> Commit 13752fe "security: introduce kernel_fw_from_file hook" introduced
> a new security hook.  (IMA is on this hook as well.)  Have you
> considered using this hook?

Yes, the same hook is used here.

> Are there other places that this hook would need to be called?

Nope, it'd be called. Folks who do not want to use key signing stuff can use
their own preferred LSM hook just as module signing has the kernel module
signing infrastructure but also module LSM hooks. It'd be similar here for
firmware.

Now that we have LSM hooks stacked on the way perhaps this is more in line with
what Andy has envisioned for alternatives for module signature verification.
But then again since an LSM hook already exists for both modules and firmware
perhaps this is sufficient for what Andy envisions? That is if folks do not want
this signing thing just disable it and add use your preferred LSM module of choice?

Now granted -- if we envision this module signing infrastructure as an LSM hook
in and of itself perhaps we should LSM'ify it. Its not right now.

> > I think we need one change here, we'd need to ensure that such key could only
> > be used for vetting firmware files, not modules loaded.  The firmware_class
> > could for instance still use all the keys in system_trusted_keyring, which
> > would include the UEFI key db, but it does not seems reasonable to expect keys
> > used for fw signing to also go into system_trusted_keyring to also be used for
> > module signing.
> 
> I agree totally!  For this reason, IMA defined a separate trusted
> keyring to be used for verifying file signatures.

OK I'll add that to my TODO list here.

  Luis

  reply	other threads:[~2015-05-19 22:19 UTC|newest]

Thread overview: 61+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-19 20:02 [RFD] linux-firmware key arrangement for firmware signing Luis R. Rodriguez
2015-05-19 20:40 ` Luis R. Rodriguez
2015-05-19 20:59 ` Andy Lutomirski
2015-05-19 22:11   ` Luis R. Rodriguez
2015-05-19 22:40     ` Andy Lutomirski
2015-05-19 23:30   ` Julian Calaby
2015-05-19 23:42     ` Andy Lutomirski
2015-05-20  0:39       ` Luis R. Rodriguez
2015-05-20  0:41         ` Andy Lutomirski
2015-05-21 22:26           ` Luis R. Rodriguez
2015-05-21 23:15             ` Casey Schaufler
2015-05-21 15:51   ` David Howells
2015-05-21 16:30     ` Mimi Zohar
2015-05-21 16:39     ` Andy Lutomirski
2015-05-21 16:51       ` Petko Manolov
2015-05-21 16:55         ` Andy Lutomirski
2015-05-21 17:44           ` Petko Manolov
2015-05-21 16:43     ` Petko Manolov
2015-05-21 16:48       ` Andy Lutomirski
2015-05-21 16:58         ` Petko Manolov
2015-05-21 16:59       ` Mimi Zohar
2015-05-19 21:48 ` Mimi Zohar
2015-05-19 22:19   ` Luis R. Rodriguez [this message]
2015-05-19 23:37     ` Mimi Zohar
2015-05-20  0:22       ` Luis R. Rodriguez
2015-05-20  1:06         ` Mimi Zohar
2015-05-20  1:29           ` Andy Lutomirski
2015-05-20  2:05             ` Mimi Zohar
2015-05-20  2:10               ` Andy Lutomirski
2015-05-20 15:49                 ` Petko Manolov
2015-05-20 16:08         ` Petko Manolov
2015-05-20 14:04 ` Seth Forshee
2015-05-20 16:24   ` One Thousand Gnomes
2015-05-20 16:46     ` Petko Manolov
2015-05-21  4:41       ` Greg Kroah-Hartman
2015-05-21  5:41         ` Petko Manolov
2015-05-21  6:14           ` Greg Kroah-Hartman
2015-05-21 13:05             ` Mimi Zohar
2015-05-21 15:45               ` Greg Kroah-Hartman
2015-05-21 15:53                 ` Petko Manolov
2015-05-21 16:57                   ` Greg Kroah-Hartman
2015-05-26 17:08                   ` One Thousand Gnomes
2015-05-26 19:15                     ` Petko Manolov
2015-05-26 19:52                     ` Mimi Zohar
2015-05-26 23:06                   ` David Howells
2015-05-21 16:03                 ` Woodhouse, David
2015-05-21 16:22                   ` Mimi Zohar
2015-05-21 16:31                     ` Woodhouse, David
2015-05-21 17:02                   ` gregkh
2015-05-21 17:14                     ` Petko Manolov
2015-05-21 18:23                     ` Luis R. Rodriguez
2015-05-21 18:30                       ` Luis R. Rodriguez
2015-05-21 19:32                     ` Woodhouse, David
2015-05-21 17:49                   ` Luis R. Rodriguez
2015-05-21 14:45             ` Petko Manolov
2015-05-21 22:50     ` Luis R. Rodriguez
2015-05-20 20:35   ` Kyle McMartin
2015-05-20 15:08 ` David Howells
2015-05-20 15:47   ` Seth Forshee
2015-05-21 16:23   ` David Howells
2015-05-20 15:14 ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150519221902.GQ23057@wotan.suse.de \
    --to=mcgrof@suse.com \
    --cc=david.woodhouse@intel.com \
    --cc=dhowells@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=james.l.morris@oracle.com \
    --cc=jlee@suse.de \
    --cc=keescook@chromium.org \
    --cc=kyle@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mricon@kernel.org \
    --cc=rusty@rustcorp.com.au \
    --cc=serge@hallyn.com \
    --cc=seth.forshee@canonical.com \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).