From: joeyli <jlee@suse.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
David Howells <dhowells@redhat.com>,
linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org,
Josh Boyer <jwboyer@fedoraproject.org>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module
Date: Fri, 16 Mar 2018 15:32:49 +0800 [thread overview]
Message-ID: <20180316073249.GF15088@linux-l9pv.suse> (raw)
In-Reply-To: <1521124226.5348.15.camel@HansenPartnership.com>
On Thu, Mar 15, 2018 at 07:30:26AM -0700, James Bottomley wrote:
> On Thu, 2018-03-15 at 14:16 +0800, joeyli wrote:
> > On Wed, Mar 14, 2018 at 07:19:25AM -0700, James Bottomley wrote:
> > >
> > > On Wed, 2018-03-14 at 14:08 +0800, joeyli wrote:
> > > >
> > > > On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> > > > >
> > > > >
> > > > > On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > > > > >
> > > > > >
> > > > > > This patch adds the logic for checking the kernel module's
> > > > > > hash base on blacklist. The hash must be generated by sha256
> > > > > > and enrolled to dbx/mokx.
> > > > > >
> > > > > > For example:
> > > > > > sha256sum sample.ko
> > > > > > mokutil --mokx --import-hash $HASH_RESULT
> > > > > >
> > > > > > Whether the signature on ko file is stripped or not, the hash
> > > > > > can be compared by kernel.
> > > > >
> > > > > What's the use case for this? We're already in trouble from
> > > > > the ODMs for the size of dbx and its consumption of the
> > > > > extremely limited variable space, so do we really have a use
> > > > > case for adding module blacklist hashes to the UEFI variables
> > > > > given the space constraints (as in one we can't do any other
> > > > > way)?
> > > > >
> > > >
> > > > The dbx is a authenticated variable that it can only be updated
> > > > by manufacturer. The mokx gives a flexible way for distro to
> > > > revoke a key or a signed module. Then we don't need to touch shim
> > > > or bother manufacturer to deliver new db. Currently it doesn't
> > > > have real use case yet.
> > > >
> > > > I knew that the NVRAM has limited space. But distro needs a
> > > > backup solution for emergency.
> > >
> > > I wasn't asking why the variable, I was asking why the mechanism.
> > >
> > > OK, let me try to ask the question in a different way:
> > >
> > > Why would the distribution need to blacklist a module in this way?
> > > For
> >
> > This way is a new option for user to blacklist a module but not the
> > only way.
>
> So this is for the *user* not the distribution?
>
> > MOK has this ability because shim implements the mokx by signature
> > database format (EFI_SIGNATURE_DATA in UEFI spec). This format
> > supports both hash signature and x.509 certificate.
> >
> > >
> > > the distro to execute the script to add this blacklist, means the
> > > system is getting automated or manual updates ... can't those
> > > updates just remove the module?
> > >
> > Yes, we can just remove or update the module in kernel rpm or kmp.
> > But user may re-install distro with old kernel or install a old kmp.
> > If the blacklist hash was stored in variable, then kernel can prevent
> > to load the module.
> >
> > On the other hand, for enrolling mokx, user must reboots system and
> > deals with shim-mokmanager UI. It's more secure because user should
> > really know what he does. And user can choice not to enroll the hash
> > if they still want to use the module.
>
> OK, so now the use case is the user needs to roll back but doesn't want
> a module to load ... I've got to say that in that case I'd just remove
> it before reload.
>
> > > The point is that module sha sums are pretty ephemeral in our model
> > > (they change with every kernel), so it seems to be a mismatch to
> > > place them in a permanent blacklist, particularly when we have very
> > > limited space for that list.
> > >
> > Normally we run a serious process for signing a kernel module before
> > shipping it to customer. The SUSE's "Partner Linux Driver Program”
> > (PLDP) is an example. So the module sha sums are not too ephemeral.
>
> Ephemeral isn't about the signing process it means that the sum is
> short lived because every time you create a module for a specific
> kernel its sum changes (because of the interface versioning) so your
> blacklist only applies to one module and specific kernel combination.
> Once you compile it for a different kernel you need a different
> blacklist sum for it.
>
I agree with you that the sum is ephemeral. I will remove this patch
from the mokx series. The certificate in mokx will be loaded to
blacklist keyring. Which means that we still can use mokx to revoke
public key. But kernel will not check the blacklisted hash before
loading kernel module.
Thanks a lot!
Joey Lee
next prev parent reply other threads:[~2018-03-16 7:33 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 10:37 [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module Lee, Chun-Yi
2018-03-13 10:37 ` [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Lee, Chun-Yi
2018-03-13 17:25 ` Ard Biesheuvel
2018-03-14 10:23 ` joeyli
2018-03-13 10:38 ` [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list Lee, Chun-Yi
2018-03-13 10:38 ` [PATCH 3/5] MODSIGN: load blacklist from MOKx Lee, Chun-Yi
2018-03-13 10:38 ` [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module Lee, Chun-Yi
2018-03-13 17:18 ` James Bottomley
2018-03-14 6:08 ` joeyli
2018-03-14 14:19 ` James Bottomley
2018-03-15 6:16 ` joeyli
2018-03-15 14:30 ` James Bottomley
2018-03-16 7:32 ` joeyli [this message]
2018-03-13 10:38 ` [PATCH 5/5] MODSIGN: check the attributes of db and mok Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180316073249.GF15088@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=joeyli.kernel@gmail.com \
--cc=jwboyer@fedoraproject.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).