From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: joeyli <jlee@suse.com>
Cc: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
David Howells <dhowells@redhat.com>,
linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org,
Josh Boyer <jwboyer@fedoraproject.org>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module
Date: Thu, 15 Mar 2018 07:30:26 -0700 [thread overview]
Message-ID: <1521124226.5348.15.camel@HansenPartnership.com> (raw)
In-Reply-To: <20180315061650.GA10628@linux-l9pv.suse>
On Thu, 2018-03-15 at 14:16 +0800, joeyli wrote:
> On Wed, Mar 14, 2018 at 07:19:25AM -0700, James Bottomley wrote:
> >
> > On Wed, 2018-03-14 at 14:08 +0800, joeyli wrote:
> > >
> > > On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> > > >
> > > >
> > > > On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > > > >
> > > > >
> > > > > This patch adds the logic for checking the kernel module's
> > > > > hash base on blacklist. The hash must be generated by sha256
> > > > > and enrolled to dbx/mokx.
> > > > >
> > > > > For example:
> > > > > sha256sum sample.ko
> > > > > mokutil --mokx --import-hash $HASH_RESULT
> > > > >
> > > > > Whether the signature on ko file is stripped or not, the hash
> > > > > can be compared by kernel.
> > > >
> > > > What's the use case for this? We're already in trouble from
> > > > the ODMs for the size of dbx and its consumption of the
> > > > extremely limited variable space, so do we really have a use
> > > > case for adding module blacklist hashes to the UEFI variables
> > > > given the space constraints (as in one we can't do any other
> > > > way)?
> > > >
> > >
> > > The dbx is a authenticated variable that it can only be updated
> > > by manufacturer. The mokx gives a flexible way for distro to
> > > revoke a key or a signed module. Then we don't need to touch shim
> > > or bother manufacturer to deliver new db. Currently it doesn't
> > > have real use case yet.
> > >
> > > I knew that the NVRAM has limited space. But distro needs a
> > > backup solution for emergency.
> >
> > I wasn't asking why the variable, I was asking why the mechanism.
> >
> > OK, let me try to ask the question in a different way:
> >
> > Why would the distribution need to blacklist a module in this way?
> > For
>
> This way is a new option for user to blacklist a module but not the
> only way.
So this is for the *user* not the distribution?
> MOK has this ability because shim implements the mokx by signature
> database format (EFI_SIGNATURE_DATA in UEFI spec). This format
> supports both hash signature and x.509 certificate.
>
> >
> > the distro to execute the script to add this blacklist, means the
> > system is getting automated or manual updates ... can't those
> > updates just remove the module?
> >
> Yes, we can just remove or update the module in kernel rpm or kmp.
> But user may re-install distro with old kernel or install a old kmp.
> If the blacklist hash was stored in variable, then kernel can prevent
> to load the module.
>
> On the other hand, for enrolling mokx, user must reboots system and
> deals with shim-mokmanager UI. It's more secure because user should
> really know what he does. And user can choice not to enroll the hash
> if they still want to use the module.
OK, so now the use case is the user needs to roll back but doesn't want
a module to load ... I've got to say that in that case I'd just remove
it before reload.
> > The point is that module sha sums are pretty ephemeral in our model
> > (they change with every kernel), so it seems to be a mismatch to
> > place them in a permanent blacklist, particularly when we have very
> > limited space for that list.
> >
> Normally we run a serious process for signing a kernel module before
> shipping it to customer. The SUSE's "Partner Linux Driver Program”
> (PLDP) is an example. So the module sha sums are not too ephemeral.
Ephemeral isn't about the signing process it means that the sum is
short lived because every time you create a module for a specific
kernel its sum changes (because of the interface versioning) so your
blacklist only applies to one module and specific kernel combination.
Once you compile it for a different kernel you need a different
blacklist sum for it.
James
next prev parent reply other threads:[~2018-03-15 14:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 10:37 [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module Lee, Chun-Yi
2018-03-13 10:37 ` [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Lee, Chun-Yi
2018-03-13 17:25 ` Ard Biesheuvel
2018-03-14 10:23 ` joeyli
2018-03-13 10:38 ` [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list Lee, Chun-Yi
2018-03-13 10:38 ` [PATCH 3/5] MODSIGN: load blacklist from MOKx Lee, Chun-Yi
2018-03-13 10:38 ` [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module Lee, Chun-Yi
2018-03-13 17:18 ` James Bottomley
2018-03-14 6:08 ` joeyli
2018-03-14 14:19 ` James Bottomley
2018-03-15 6:16 ` joeyli
2018-03-15 14:30 ` James Bottomley [this message]
2018-03-16 7:32 ` joeyli
2018-03-13 10:38 ` [PATCH 5/5] MODSIGN: check the attributes of db and mok Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1521124226.5348.15.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=dhowells@redhat.com \
--cc=jlee@suse.com \
--cc=joeyli.kernel@gmail.com \
--cc=jwboyer@fedoraproject.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).