From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org,
Matthew Garrett <matthew.garrett@nebula.com>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Josh Boyer <jwboyer@fedoraproject.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: [PATCH 8/9] MODSIGN: Import certificates from UEFI Secure Boot
Date: Fri, 02 Dec 2016 10:57:48 -0800 [thread overview]
Message-ID: <1480705068.2410.64.camel@HansenPartnership.com> (raw)
In-Reply-To: <1480015063.2444.9.camel@HansenPartnership.com>
On Thu, 2016-11-24 at 11:17 -0800, James Bottomley wrote:
> On Mon, 2016-11-21 at 16:16 +0000, Ard Biesheuvel wrote:
> > On 16 November 2016 at 18:11, David Howells <dhowells@redhat.com>
> > wrote:
> > > From: Josh Boyer <jwboyer@fedoraproject.org>
> > >
> > > Secure Boot stores a list of allowed certificates in the 'db'
> > > variable. This imports those certificates into the system trusted
> > > keyring. This allows for a third party signing certificate to
> > > be used in conjunction with signed modules. By importing the
> > > public certificate into the 'db' variable, a user can allow a
> > > module signed with that certificate to load. The shim UEFI
> > > bootloader has a similar certificate list stored in the
> > > 'MokListRT' variable. We import those as well.
> > >
> >
> > This sounds like a bad idea to me. For the standard databases like
> > db and dbx, we can rely on the firmware to ensure that they are
> > what you expect.
>
> Actually, I think it's a bad idea for the opposite reason: Shim
> explicitly pivots the root of trust away from the db keys to its own
> Moklist keys. We have no choice and are forced to trust db for the
> secure boot part, but once we're in the kernel proper, I'd argue that
> we would only want to trust the pivoted root, i.e. Moklist.
>
> Trusting both could generate unwanted consequences, like pressure on
> Microsoft to sign modules or worse, pressure on OEMs to include
> module keys or hashes ... or worst of all OEMs signing external
> modules.
>
> > For MokListRt, not so much: anyone with sufficient
> > capabilities can generate such a variable from userland, and not
> > every arch/distro combo will be using shim and/or mokmanager. (The
> > debates are still ongoing, but my position is that there is no need
> > for shim at all on ARM given that the M$ problem only exists on
> > x86)
>
> OK, so on this point, I'm already not using Shim on my x86 box.
> However, what you find if you're using grub is that because grub
> doesn't do signature verification, you still have to use the shim
> protocol callout, so you need something between UEFI and grub to load
> at least this protocol. I suppose this would go away once we can
> persuade grub to verify signatures.
Hm, that got crickets.
Let me propose an alternative mechanism then.
My problem is that although I am forced to trust the secure boot keys
for the UEFI security boundary, I don't necessarily want to trust them
for signing things for my kernel, so I want to pivot (or at
leastselectively weed out) keys. Shim already has this concept
partially with MokIgnoreDB.
For the purposes of the kernel, I think we simply need a variable, lets
call it MokKernelCerts, that gives the list of certificates to import
into the kernel keyring. I think this variable should be BS NV only
(not RT) meaning we have to collect it before ExitBootServices(). The
reason for this is to ensure it's populated by a trusted entity within
the UEFI secure boot boundary. This will cause a kexec problem, so we
might have to relax this and use a RT shadow as we already do for
MokList. The idea is that we populate the kernel certificates only
from this variable, so policy can be decided by the bootloader (or
something else which runs within the secure boot environment).
You can stop reading here if you're not interested in *how* this policy
would work.
To make it work, Shim or one of the other intermediates would set up
the variable. we could communicate policy to it with the usual Foo,
FooUpdate mechanism we already use for MokList. The default policy (if
the variable doesn't exist on firstboot) can be whatever the distro
wants, so if Fedora wants all the secure boot certs, it can do that and
other distros can follow their own stricter or less strict policies.
The user would be able to overwrite this using the Update process,
which could be password verified like MokList already is.
Does this sound acceptable to everyone?
James
next prev parent reply other threads:[~2016-12-02 19:05 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-16 18:10 [PATCH 0/9] KEYS: Blacklisting & UEFI database load David Howells
2016-11-16 18:10 ` [PATCH 1/9] KEYS: Add a system blacklist keyring David Howells
2016-11-16 18:10 ` [PATCH 2/9] X.509: Allow X.509 certs to be blacklisted David Howells
2016-11-16 18:11 ` [PATCH 3/9] PKCS#7: Handle blacklisted certificates David Howells
2016-11-16 18:11 ` [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring David Howells
2016-11-17 6:41 ` Petko Manolov
2016-11-17 9:56 ` David Howells
2016-11-17 10:22 ` Petko Manolov
2016-11-17 11:18 ` David Howells
2016-11-21 14:04 ` Mimi Zohar
2016-11-21 15:17 ` David Howells
2016-11-21 16:24 ` Mimi Zohar
2016-11-16 18:11 ` [PATCH 5/9] efi: Add SHIM and image security database GUID definitions David Howells
2016-11-21 16:07 ` Ard Biesheuvel
2016-11-16 18:11 ` [PATCH 6/9] efi: Add EFI signature data types David Howells
2016-11-16 23:43 ` Mat Martineau
2016-11-17 9:44 ` David Howells
2016-11-21 16:08 ` Ard Biesheuvel
2016-11-16 18:11 ` [PATCH 7/9] efi: Add an EFI signature blob parser David Howells
2016-11-16 18:11 ` [PATCH 8/9] MODSIGN: Import certificates from UEFI Secure Boot David Howells
2016-11-21 16:16 ` Ard Biesheuvel
2016-11-21 16:25 ` Josh Boyer
2016-11-24 19:22 ` James Bottomley
2016-11-24 19:17 ` James Bottomley
2016-12-02 18:57 ` James Bottomley [this message]
2016-12-02 20:18 ` Mimi Zohar
2016-11-16 18:11 ` [PATCH 9/9] MODSIGN: Allow the "db" UEFI variable to be suppressed David Howells
2016-11-21 16:18 ` Ard Biesheuvel
2016-11-21 16:26 ` Josh Boyer
2016-11-21 16:42 ` Ard Biesheuvel
2016-11-21 19:05 ` Peter Jones
2016-11-21 19:06 ` Ard Biesheuvel
2016-11-21 19:18 ` Peter Jones
2016-11-21 19:33 ` Ard Biesheuvel
2018-03-06 14:05 ` [PATCH 0/9] KEYS: Blacklisting & UEFI database load Jiri Slaby
2018-03-07 13:18 ` Mimi Zohar
2018-03-07 15:28 ` James Bottomley
2018-03-11 3:20 ` joeyli
2018-03-19 14:12 ` Mimi Zohar
2018-03-27 11:08 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1480705068.2410.64.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=jwboyer@fedoraproject.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).