Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

From: "Luis R. Rodriguez" <mcgrof@suse.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>,
	Andy Lutomirski <luto@kernel.org>,
	Rusty Russell <rusty@rustcorp.com.au>,
	Michal Marek <mmarek@suse.cz>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	keyrings@linux-nfs.org,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Seth Forshee <seth.forshee@canonical.com>,
	LSM List <linux-security-module@vger.kernel.org>,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Fri, 22 May 2015 01:01:05 +0200	[thread overview]
Message-ID: <20150521230105.GL23057@wotan.suse.de> (raw)
In-Reply-To: <CALCETrV70hso2y=oJFSaQoaxtfThsCa31EeNfWLdMA36kBXbAg@mail.gmail.com>

On Thu, May 21, 2015 at 03:47:49PM -0700, Andy Lutomirski wrote:
> On Thu, May 21, 2015 at 3:31 PM, Luis R. Rodriguez <mcgrof@suse.com> wrote:
> >
> > Well as good as you are in 10 years we'll have better ones. So when
> > module signature went into the kernel the real expectation should have
> > been:
> >
> > This code looks good now but is going to be complete shit and
> > breakable a few years from now.
> >
> > Hence my first implicit and now explicit claims on dog and pony shows.
> > Best thing we can do IMHO is to just allow us to replace stupid human
> > code with better human code later, and eventually hopefully better AI
> > code, and so on. Since you don't have time for a real replacement
> > maybe what we can do is at least document / target / agree for what
> > pipe dream we want and shoot for it with time. Hopefully folks will
> > find time to implement it.
> 
> I disagree.  I'm a firm believer in security proofs.  While I'm not
> trained in formal crypto proofs, I can sketch out a proof of why a
> system that properly tags its signatures is secure against a
> reasonable threat model.  I can also show why that proof wouldn't work
> for a scheme without tags, and I can demonstrate the actual weakness
> in a scheme without tags.
> 
> In ten years, the only reason a scheme that I say looks good would be
> because (a) I screwed up, (b) an underlying assumption is wrong, or
> (c) the implementation is subtly wrong.  In particular, it won't fail
> because I'm insufficiently clever.
> 
> A real professional expert would be less likely to screw up.
> 
> (For reference, I wrote an actual doctoral thesis involving crypto.)

OK, I think what I mentioned still holds:

these premises must hold true for a period of time, and provided
you have all information. You cannot have all the information, so
the "threat model" depends on the reviewer, and the information they
have access to. So, still its still a dog and pony show, at least
a temporal one or one with a set of clauses.

> > In the meantime should that block current dog and pony show trading? I
> > don't think so.
> 
> Yes, since I can demonstrate the actual weakness without tags,

But you don't want to do the work to provide a better replacement?

> and
> crypto is notoriously hard to fix once done poorly and there's a great
> history of obviously-theoretically-weak systems being meaningfully
> attacked in the real world.  See, for example, every single old
> SSL/TLS cipher.  (And yes, the crypto community knew what was wrong in
> theory and how to fix it when the protocol was designed.  People just
> didn't pay attention.)

Its a fair argument, but still -- we have the vaporware problem.

  Luis