Re: [GIT PULL] Load keys from signed PE binaries

From: Paolo Bonzini <pbonzini@redhat.com>
To: Chris Friesen <chris.friesen@genband.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>, Peter Jones <pjones@redhat.com>,
	Dave Airlie <airlied@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	David Howells <dhowells@redhat.com>,
	Florian Weimer <fw@deneb.enyo.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Josh Boyer <jwboyer@redhat.com>, Vivek Goyal <vgoyal@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	keyrings@linux-nfs.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [GIT PULL] Load keys from signed PE binaries
Date: Wed, 27 Feb 2013 20:14:30 +0100	[thread overview]
Message-ID: <512E5B16.4050002@redhat.com> (raw)
In-Reply-To: <512E4409.2040907@genband.com>

Il 27/02/2013 18:36, Chris Friesen ha scritto:
> On 02/27/2013 09:24 AM, Theodore Ts'o wrote:
>> On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote:
>>> No, no, no.  Quit saying nobody knows.  We've got a pretty good idea -
>>> we've got a contract with them, and it says they provide the signing
>>> service, and under circumstances where the thing being signed is found
>>> to enable malware that circumvents Secure Boot
>>
>> The question is what does "malware that circuments Secure Boot" mean?
>> Does starting up a hacked KVM and running Windows 8 under KVM so that
>> malare can be injected count as circumenting Secure Boot?  If so, will
>> you have to disable KVM, too?
> 
> I could see an argument for KVM to require either a signed binary or
> else someone at the keyboard to explicitly okay loading the image.
> Anything else breaks the chain of trust.

Not just the executable; the firmware would also need to be signed.

In fact, I think requiring signed KVM binaries and signed VM firmwares
makes sense in the long term, but you have to stop somewhere.

And BTW you can always emulate the instruction set instead of using
hardware virtualization.  This way the kernel is not involved.  It's a
slippery slope and leads you straight to the app store model and
restrictions on interpreters like Apple's.

Certainly an attack using unsigned modules is trivial, unlike one that
virtualizes the victim OS, and also much harder to discover
(virtualization is easy to detect by timing certain operations in the
guest).  Just for this reason, putting unsigned modules on the "no" side
makes much more sense than putting virtualization on the "no" side.

Paolo

> It may be somewhat far-fetched, but I think it would be possible to take
> an existing secure-boot Win 8 install, turn it into a VM but with an
> infected kernel. Then install a signed Linux distro that runs the Win8
> VM as a guest.
> 
> At this point you've got a running infected Win8 install that is running
> on Secure Boot hardware but is actually running malware.
> 
> Admittedly this would be tricky to do reliably in a way that the user
> doesn't notice, so it may not actually be a real-world threat.
> 
> Chris