LKML Archive on lore.kernel.org
 help / color / Atom feed
From: "Luis R. Rodriguez" <mcgrof@kernel.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>,
	"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jan Blunck <jblunck@infradead.org>,
	Julia Lawall <julia.lawall@lip6.fr>,
	David Howells <dhowells@redhat.com>,
	Andy Lutomirski <luto@kernel.org>,
	David Woodhouse <dwmw2@infradead.org>,
	Marcus Meissner <meissner@suse.de>, Gary Lin <GLin@suse.com>,
	Josh Triplett <josh@joshtriplett.org>,
	Ben Hutchings <ben@decadent.org.uk>,
	Kyle McMartin <kyle@kernel.org>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	Peter Jones <pjones@redhat.com>,
	linux-security-module@vger.kernel.org,
	gnomes@lxorguk.ukuu.org.uk, linux-efi <linux-efi@vger.kernel.org>,
	linux-kernel@vger.kernel.org, Matthew Garrett <mjg59@google.com>
Subject: Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown
Date: Mon, 13 Nov 2017 19:50:35 +0100
Message-ID: <20171113185035.GB22894@wotan.suse.de> (raw)
In-Reply-To: <1510321506.3359.42.camel@linux.vnet.ibm.com>

On Fri, Nov 10, 2017 at 08:45:06AM -0500, Mimi Zohar wrote:
> On Fri, 2017-11-10 at 02:46 +0100, Luis R. Rodriguez wrote:
> > On Thu, Nov 09, 2017 at 10:48:43AM +0900, AKASHI, Takahiro wrote:
> > > On Wed, Nov 08, 2017 at 08:46:26PM +0100, Luis R. Rodriguez wrote:
> > > > But perhaps I'm not understanding the issue well, let me know.
> > > 
> > > My point is quite simple:
> > > my_deviceA_init() {
> > >         err = request_firmware(&fw, "deviceA"); <--- (a)
> > >         if (err)
> > >                 goto err_request;
> > > 
> > >         err = verify_firmware(fw);  <--- (b)
> > >         if (err)
> > >                 goto err_verify;
> > > 
> > >         load_fw_to_deviceA(fw);     <--- (c)
> > >         ...
> > > }
> > > 
> > > As legacy device drivers does not have (b), there is no chance to
> > > prevent loading a firmware at (c) for locked-down kernel.
> > 
> > Ah, I think your example requires another piece of code to make it clearer.
> > Here is an example legacy driver:
> > 
> > my_legacy_deviceB_init() {
> >         err = request_firmware(&fw, "deviceB"); <--- (a)
> >         if (err)
> >                 goto err_request;
> > 
> >         load_fw_to_deviceA(fw);     <--- (c)
> >         ...
> > }
> > 
> > There is no verify_firmware() call here, and as such the approach Linus
> > suggested a while ago cannot possibly fail on a "locked down kernel", unless
> > *very* legacy API call gets a verify_firmware() sprinkled.
> > 
> > One sensible thing to say here is then that all request_firmware() calls should
> > just fail on a "locked down kernel", however if this were true then even calls
> > which *did* issue a subsequent verify_firmware() would fail earlier therefore
> > making verify_firmware() pointless on new drivers.
> 
> As long as these "*very* legacy API calls", are calling
> kernel_read_file_from_path() to read the firmware, there shouldn't be
> a problem.

For the *default* validation approach, agreed that we can LSMify this now through
kernel_read_file() by checking the enum kernel_read_file_id for READING_FIRMWARE,
as you did with your proposed LSM hook fw_lockdown_read_file(), but *iff* we
agree on which mechanisms to support for the default validation approach.

I say support given LSM'ifying this means anyone can end up trying to scheme up
a kernel solution which is non-IMA appraisals. For instance, based on
discussions so far, perhaps a sensible initial *default* scheme to strive for
firmware which we may not get a vendor to sign for us, or for which we don't
have a key to trust for singing could be to use a simple hash of files. This
makes sense for firmware which is typically not updated regularly and for which
we lost a source of updates for.

There's still a similar catch-22 issue here though:

A few folks have argued that we should support custom key requirements
from the start, so we can support a vendor wishing to use their own keys
from the start. Using a specific key is much more efficient for device
drivers which for instance may have firmware updated much more regularly,
this way a hash update on the kernel is not needed per firmware update.
Even if we support both schemes from the start, supporting a "default"
scheme without having any drivers update implies *all* firmware API calls
would need to fit the default policy scheme initially supported. So if
hashes of files is what would be used to start off with we'd be forcing all
firmware API kernel calls to follow that scheme from the start and I don't
think that makes much sense.

Despite some folks not liking it, supporting an initial default scheme just be
to be firmware signed by the linux-firmware maintainer might be an easier first
optional policy to support.

It does not mean we don't have to support hashes from the start, we can,
however that could require a driver change where its hash is specified or
preferred, for instance.

Likewise, for alternative and custom signing requirements, we also can require
a different API call, but for this to work well, I think we'd need a different
firmware API call and an LSM hook other than kernel_read_file_from_path() which
can enable the custom requirements to be specified. Otherwise we run into
similar issue as Takahiro pointed out with verify_firmware(), where the default
policy (say a default key) would not have a match from the start so it would
fail from the start. There is also the technical limitation that
kernel_read_file_from_path() has no way of letting callers pass further
security criteria.

  Luis

  reply index

Thread overview: 151+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-19 14:50 David Howells
2017-10-19 14:50 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image David Howells
2017-10-20 23:19   ` James Morris
2017-10-19 14:50 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown David Howells
2017-10-19 17:20   ` Randy Dunlap
2017-10-19 22:12   ` David Howells
2017-11-07 17:39   ` Thiago Jung Bauermann
2017-11-07 22:56   ` David Howells
2017-10-19 14:50 ` [PATCH 03/27] Enforce module signatures if the kernel is locked down David Howells
2017-10-20  6:33   ` joeyli
2017-10-20 23:21   ` James Morris
2017-10-27 18:48   ` Mimi Zohar
2017-10-30 17:00   ` David Howells
2017-10-30 17:52     ` Mimi Zohar
2017-11-02 17:22   ` David Howells
2017-11-02 19:13     ` Mimi Zohar
2017-11-02 21:30     ` David Howells
2017-11-02 21:41       ` Mimi Zohar
2017-11-02 22:01       ` David Howells
2017-11-02 22:18         ` Mimi Zohar
2017-10-19 14:51 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when " David Howells
2017-10-20  6:37   ` joeyli
2017-10-20 23:21   ` James Morris
2017-10-19 14:51 ` [PATCH 05/27] kexec: Disable at runtime if " David Howells
2017-10-20  6:38   ` joeyli
2017-10-20 23:22   ` James Morris
2017-10-19 14:51 ` [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-10-20  6:40   ` joeyli
2017-10-19 14:51 ` [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-10-20 23:26   ` James Morris
2017-10-23 15:54   ` Mimi Zohar
2017-10-26  7:42     ` joeyli
2017-10-26 14:17       ` Mimi Zohar
2017-10-27 19:30         ` Mimi Zohar
2017-10-27 19:32         ` Mimi Zohar
2017-10-28  8:34           ` joeyli
2017-10-29 22:26             ` Mimi Zohar
2017-10-30  9:00       ` David Howells
2017-10-30 12:01         ` Mimi Zohar
2017-10-26 15:02     ` David Howells
2017-10-26 15:46       ` Mimi Zohar
2017-10-30 15:49       ` David Howells
2017-10-30 16:43         ` Mimi Zohar
2017-11-02 17:00         ` David Howells
2017-10-26 14:51   ` David Howells
2017-11-02 17:29   ` David Howells
2017-10-19 14:51 ` [PATCH 08/27] hibernate: Disable when the kernel is locked down David Howells
2017-10-20  6:40   ` joeyli
2017-10-19 14:51 ` [PATCH 09/27] uswsusp: " David Howells
2017-10-20  6:41   ` joeyli
2017-10-20 23:29   ` James Morris
2017-10-19 14:51 ` [PATCH 10/27] PCI: Lock down BAR access " David Howells
2017-10-20  6:42   ` joeyli
2017-10-19 14:51 ` [PATCH 11/27] x86: Lock down IO port " David Howells
2017-10-20  6:43   ` joeyli
2017-10-19 14:52 ` [PATCH 12/27] x86/msr: Restrict MSR " David Howells
2017-10-20  6:43   ` joeyli
2017-10-20 18:09   ` Alan Cox
2017-10-20 20:48   ` David Howells
2017-10-21  4:39     ` joeyli
2017-10-23 14:49   ` David Howells
2017-10-25 14:03     ` joeyli
2017-10-19 14:52 ` [PATCH 13/27] asus-wmi: Restrict debugfs interface " David Howells
2017-10-20  6:44   ` joeyli
2017-10-19 14:52 ` [PATCH 14/27] ACPI: Limit access to custom_method " David Howells
2017-10-20  6:45   ` joeyli
2017-10-19 14:52 ` [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-10-20  6:45   ` joeyli
2017-10-19 14:52 ` [PATCH 16/27] acpi: Disable ACPI table override if the kernel is " David Howells
2017-10-20  6:46   ` joeyli
2017-10-19 14:52 ` [PATCH 17/27] acpi: Disable APEI error injection " David Howells
2017-10-20  6:47   ` joeyli
2017-10-19 14:52 ` [PATCH 18/27] bpf: Restrict kernel image access functions when " David Howells
2017-10-19 22:18   ` Alexei Starovoitov
2017-10-20  2:47     ` joeyli
2017-10-20  8:08     ` David Howells
2017-10-20 15:57       ` jlee
2017-10-20 23:00         ` Alexei Starovoitov
2017-10-23 14:51         ` David Howells
2017-10-20 16:03       ` David Howells
2017-10-20 16:43         ` jlee
2017-10-23 14:53         ` David Howells
2017-10-25  7:07           ` joeyli
2017-10-19 22:48   ` David Howells
2017-10-19 23:31     ` Alexei Starovoitov
2017-11-09 17:15     ` David Howells
2017-10-19 14:52 ` [PATCH 19/27] scsi: Lock down the eata driver David Howells
2017-10-19 14:53 ` [PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 21/27] Lock down TIOCSSERIAL David Howells
2017-10-19 14:53 ` [PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2017-10-19 14:53 ` [PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2017-10-19 14:53 ` [PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 25/27] Lock down /proc/kcore David Howells
2017-10-21  2:11   ` James Morris
2017-10-23 14:56   ` David Howells
2017-10-19 14:53 ` [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode David Howells
2017-10-21  2:19   ` James Morris
2017-10-23 14:58   ` David Howells
2017-10-19 14:53 ` [PATCH 27/27] efi: Lock down the kernel if booted in " David Howells
2017-10-19 22:39 ` [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-23 14:34 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down David Howells
2017-10-24 10:48   ` Ethan Zhao
2017-10-24 14:56   ` David Howells
2017-11-02 22:01 ` [PATCH 00/27] security, efi: Add kernel lockdown Mimi Zohar
2017-11-02 22:04 ` Firmware signing -- " David Howells
2017-11-02 22:10   ` Mimi Zohar
2017-11-07 23:07     ` Luis R. Rodriguez
2017-11-08  6:15       ` AKASHI, Takahiro
2017-11-08 19:46         ` Luis R. Rodriguez
2017-11-09  1:48           ` AKASHI, Takahiro
2017-11-09  2:17             ` Mimi Zohar
2017-11-09  4:46               ` AKASHI, Takahiro
2017-11-10 13:37                 ` Mimi Zohar
2017-11-11  2:32                 ` Alan Cox
2017-11-13 11:49                   ` Mimi Zohar
2017-11-13 17:42                   ` Luis R. Rodriguez
2017-11-13 21:08                     ` Alan Cox
2017-12-04 19:51                       ` Luis R. Rodriguez
2017-12-07 15:32                         ` Alan Cox
2017-11-13 21:44                     ` David Howells
2017-11-13 22:09                       ` Linus Torvalds
2017-11-14  0:20                         ` Alan Cox
2017-11-14 12:21                         ` Mimi Zohar
2017-11-14 12:38                           ` Greg Kroah-Hartman
2017-11-14 13:17                             ` Mimi Zohar
2017-11-14 17:34                           ` Linus Torvalds
2017-11-14 19:58                             ` Matthew Garrett
2017-11-14 20:18                               ` Linus Torvalds
2017-11-14 20:31                                 ` Matthew Garrett
2017-11-14 20:35                                   ` Linus Torvalds
2017-11-14 20:37                                     ` Matthew Garrett
2017-11-14 20:50                                 ` Luis R. Rodriguez
2017-11-14 20:55                                   ` Matthew Garrett
2017-11-14 22:14                                     ` James Bottomley
2017-11-14 22:17                                       ` Matthew Garrett
2017-11-14 22:31                                         ` James Bottomley
2017-11-14 22:34                                           ` Matthew Garrett
2017-11-15 11:49                                   ` Mimi Zohar
2017-11-15 17:52                                     ` Luis R. Rodriguez
2017-11-15 19:56                                       ` Mimi Zohar
2017-11-15 20:46                                         ` Luis R. Rodriguez
2017-11-16  0:05                                           ` Mimi Zohar
2017-12-05 10:27                                 ` Pavel Machek
2017-12-07 23:02                                   ` Luis R. Rodriguez
2017-12-08 17:11                                     ` Alan Cox
2017-11-10  1:46             ` Luis R. Rodriguez
2017-11-10 13:45               ` Mimi Zohar
2017-11-13 18:50                 ` Luis R. Rodriguez [this message]
2017-11-13 19:08                   ` Luis R. Rodriguez
2017-11-08 20:01       ` Mimi Zohar
2017-11-08 20:09         ` Luis R. Rodriguez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171113185035.GB22894@wotan.suse.de \
    --to=mcgrof@kernel.org \
    --cc=GLin@suse.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=ben@decadent.org.uk \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=gregkh@linuxfoundation.org \
    --cc=jblunck@infradead.org \
    --cc=josh@joshtriplett.org \
    --cc=julia.lawall@lip6.fr \
    --cc=kyle@kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=meissner@suse.de \
    --cc=mjg59@google.com \
    --cc=pjones@redhat.com \
    --cc=takahiro.akashi@linaro.org \
    --cc=torvalds@linux-foundation.org \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git