Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: David Howells <dhowells@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Vivek Goyal <vgoyal@redhat.com>,
	yannik@sembritzki.me, Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Peter Anvin <hpa@zytor.com>,
	the arch/x86 maintainers <x86@kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Dave Young <dyoung@redhat.com>, Baoquan He <bhe@redhat.com>,
	Justin Forbes <jforbes@redhat.com>,
	Peter Jones <pjones@redhat.com>,
	Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
Date: Thu, 16 Aug 2018 08:56:40 -0700	[thread overview]
Message-ID: <1534435000.3166.9.camel@HansenPartnership.com> (raw)
In-Reply-To: <30607.1534434597@warthog.procyon.org.uk>

On Thu, 2018-08-16 at 16:49 +0100, David Howells wrote:
> James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> 
> > > The problem with that is that it means you can't load third party
> > > modules - such as the NVidia driver.  That's fine if you
> > > absolutely reject the right of people to produce third party
> > > drivers for the Linux kernel and absolutely require that they
> > > open and upstream their code if they want in.
> > 
> > So if you build your own kernel and want to load the nVidia module,
> > you have the key to sign it.
> 
> I think you have to assume that doing this is beyond most people.

As a step by step process, I agree.  However, I think we can automate
it to the point where you install a package and it says "insert your
yubikey" every time you upgrade the kernel

>   Further, as a distribution we would prefer people didn't raise bugs
> against kernels that we didn't build.

Mehmet's patches don't require building a new kernel.  They merely
require the added key be linked into the Red Hat built bzImage and then
the resulting blob be signed.  You can still identify that the original
bzImage is the Red Hat one.

> > If you're a distribution and want third party modules to be loaded
> > you can set up a third party signing process using a distro key ...
> > I don't see what the big problem is.
> 
> That's the problem is right there.  AIUI, we *don't* want to set up a
> third party signing process.  As I said, it potentially comes with
> lawyers attached.

Right so generate a business pressure to overcome the legal one.  To be
honest that's what I believe happened at Microsoft: I'm sure their
lawyers initially said "no way" to being a third party signing
authority until their executives laid out the business cost of being
blamed for the first boot virus after having refused to implement
ecosystem protection for legal reasons.

> > So your lawyers tell you if you sign a third party module for your
> > kernel then you could get blamed for the damage it causes?
> 
> There's more to it than that, but I feel I should discuss it with our
> legal dept. before airing it here.

Sure; if you want me to be involved in the conversation I can do it
under NDA or whatever they require.

James