From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: Yannik Sembritzki <yannik@sembritzki.me>,
Linus Torvalds <torvalds@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Peter Anvin <hpa@zytor.com>,
the arch/x86 maintainers <x86@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Dave Young <dyoung@redhat.com>, Baoquan He <bhe@redhat.com>,
Justin Forbes <jforbes@redhat.com>,
Peter Jones <pjones@redhat.com>,
Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
Date: Wed, 15 Aug 2018 14:57:02 -0700 [thread overview]
Message-ID: <1534370222.4049.25.camel@HansenPartnership.com> (raw)
In-Reply-To: <20180815215240.GA15952@redhat.com>
On Wed, 2018-08-15 at 17:52 -0400, Vivek Goyal wrote:
> On Wed, Aug 15, 2018 at 02:13:17PM -0700, James Bottomley wrote:
> > On Wed, 2018-08-15 at 23:08 +0200, Yannik Sembritzki wrote:
> > > On 15.08.2018 22:47, Linus Torvalds wrote:
> > > > It basically says: we don't allow modules that weren't built
> > > > with
> > > > the kernel. Adding a new key later and signing a module with it
> > > > violates that premise.
> > >
> > > Considering the following scenario:
> > > A user is running a distro kernel, which is built by the distro,
> > > and has the distro signing key builtin (i.e. fedora). Now, the
> > > user has taken ownership of their system and provisioned their
> > > own platform key. Accordingly, the user signs the distro kernel
> > > with their own key.
> > >
> > > If I understand you correctly, modules signed by the users own
> > > key, but not signed with the distro key, will stop working in
> > > this case?
> >
> > They never actually would have worked, but yes.
> >
> > > IMO, this is not okay. The layer of trust should extend from the
> > > bottom (user-provisioned platform key) up. Only trusting the
> > > kernel builtin key later on (wrt. kernel modules) contradicts
> > > this principal.
> >
> > The kernel can't tell whether the UEFI user has taken ownership or
> > not so it has no basis on which to make a decision to trust the
> > UEFI keys or not, so we should *always* not trust them.
> >
> > Consider a UEFI system for which a user has taken ownership, but
> > which has some signed ROMs which are UEFI secure boot
> > verified. Simply to get their system to boot the user will be
> > forced to add the ODM key to the UEFI db ... and I'm sure in that
> > situation the user wouldn't want to trust the ODM key further than
> > booting.
>
> IIUC, it is fine to trust these ODM keys, User keys and "foo" keys
> for loading kernel but not for modules?
It's fine to trust the secure boot keys for the boot environment. If
you argue kexec is linux booting linux then yes, that's a supported
use.
> If yes, then atleast we can enable trusting keys in
> .secondary_trusted_keys keyring for kernel signature verificaton and
> that will solve the kexec/kdump issue on distribution kernels.
I think it's OK ... I can't think of any reason you'd want a signed
kernel to boot but not to be able to kexec to a kernel with the same
signer.
James
next prev parent reply other threads:[~2018-08-15 21:57 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-15 10:00 [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot Yannik Sembritzki
2018-08-15 16:54 ` Linus Torvalds
2018-08-15 17:27 ` Yannik Sembritzki
2018-08-15 17:37 ` Yannik Sembritzki
2018-08-15 17:42 ` Vivek Goyal
2018-08-15 18:44 ` Yannik Sembritzki
2018-08-15 18:58 ` Vivek Goyal
2018-08-15 19:06 ` Yannik Sembritzki
2018-08-15 19:49 ` Vivek Goyal
2018-08-15 20:47 ` Linus Torvalds
2018-08-15 20:53 ` James Bottomley
2018-08-15 21:08 ` Yannik Sembritzki
2018-08-15 21:13 ` James Bottomley
2018-08-15 21:31 ` Yannik Sembritzki
2018-08-15 21:40 ` James Bottomley
2018-08-15 21:50 ` Yannik Sembritzki
2018-08-15 21:57 ` Vivek Goyal
2018-08-15 22:14 ` Yannik Sembritzki
2018-08-15 21:52 ` Vivek Goyal
2018-08-15 21:57 ` James Bottomley [this message]
2018-08-15 21:14 ` Linus Torvalds
2018-08-16 13:51 ` David Howells
2018-08-16 15:16 ` James Bottomley
2018-08-16 15:42 ` James Bottomley
2018-08-16 15:49 ` David Howells
2018-08-16 15:56 ` James Bottomley
2018-08-16 16:56 ` David Laight
2018-08-16 17:15 ` James Bottomley
2018-08-16 20:31 ` David Howells
2018-08-17 0:07 ` James Bottomley
2018-08-17 8:24 ` David Howells
2018-08-17 14:58 ` James Bottomley
2018-08-17 15:42 ` Justin Forbes
2018-08-17 16:02 ` James Bottomley
2018-08-16 0:52 ` Dave Young
2018-08-16 0:55 ` Dave Young
2018-08-16 12:13 ` David Howells
2018-08-16 14:22 ` James Bottomley
2018-08-16 14:43 ` David Howells
2018-08-16 14:59 ` James Bottomley
2018-08-17 17:00 ` Alan Cox
2018-08-15 17:45 ` Linus Torvalds
2018-08-15 18:19 ` Yannik Sembritzki
2018-08-15 18:22 ` Linus Torvalds
2018-08-15 19:42 ` [PATCH 0/2] Fix kexec forbidding kernels signed with keys in the secondary keyring " Yannik Sembritzki
2018-08-16 18:02 ` Linus Torvalds
2018-08-15 19:42 ` [PATCH 1/2] " Yannik Sembritzki
2018-08-15 19:42 ` [PATCH 2/2] Replace magic for trusting the secondary keyring with #define Yannik Sembritzki
2018-08-15 21:14 ` kbuild test robot
2018-08-15 21:19 ` [PATCH 2/2] [FIXED] " Yannik Sembritzki
2018-08-15 22:01 ` Linus Torvalds
2018-08-15 22:07 ` [PATCH 2/2] [FIXED v2] " Yannik Sembritzki
2018-08-16 1:11 ` Dave Young
2018-08-16 7:43 ` Yannik Sembritzki
2018-08-16 8:02 ` Dave Young
2018-08-16 8:20 ` Greg Kroah-Hartman
2018-08-16 12:46 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1534370222.4049.25.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=bhe@redhat.com \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=hpa@zytor.com \
--cc=jforbes@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=mjg59@google.com \
--cc=pjones@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
--cc=x86@kernel.org \
--cc=yannik@sembritzki.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).