From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756727AbdKNUz3 (ORCPT <rfc822;w@1wt.eu>);
        Tue, 14 Nov 2017 15:55:29 -0500
Received: from mail-it0-f67.google.com ([209.85.214.67]:39963 "EHLO
        mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1756704AbdKNUzM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Nov 2017 15:55:12 -0500
X-Google-Smtp-Source: AGs4zMZGG0pXTDTi8EAX4E+LZJsruDQECWa7oU/4nlFbZRoCoC0ctXkPQshFEfjx9/MVAfYF1u3Uvvn6xu3fr3Yi+oc=
MIME-Version: 1.0
In-Reply-To: <20171114205014.GJ729@wotan.suse.de>
References: <20171109044619.GG7859@linaro.org> <20171111023240.2398ca55@alans-desktop>
 <20171113174250.GA22894@wotan.suse.de> <20171113210848.4dc344bd@alans-desktop>
 <454.1510609487@warthog.procyon.org.uk> <CA+55aFzrK29hbxoKs3GsvVUY4_uR7aBgZv2eeVyVq7MzfATY3w@mail.gmail.com>
 <1510662098.3711.139.camel@linux.vnet.ibm.com> <CA+55aFzvuvqOfsJ9arzcc1QbTGs+U-TsNmsyem9UAVVQC8YkZQ@mail.gmail.com>
 <CACdnJuvP=0AHGtfGJ5+cT+kHRy3fU4BLjwkvzP0rLO6q5ejAQQ@mail.gmail.com>
 <CA+55aFxeLwgwxh2iJTf6Dz0T_a_TZfTdhBw5TkcSsCmjt2N5pw@mail.gmail.com> <20171114205014.GJ729@wotan.suse.de>
From: Matthew Garrett <mjg59@google.com>
Date: Tue, 14 Nov 2017 15:55:10 -0500
Message-ID: <CACdnJuvzPnMwsAF4mUJXCaJWQ=nCc9Yi5u3gj1A0+BsWf1Swgw@mail.gmail.com>
Subject: Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Johannes Berg <johannes@sipsolutions.net>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        David Howells <dhowells@redhat.com>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        "AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jan Blunck <jblunck@infradead.org>,
        Julia Lawall <julia.lawall@lip6.fr>,
        Marcus Meissner <meissner@suse.de>, Gary Lin <GLin@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-efi <linux-efi@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 14, 2017 at 3:50 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> On Tue, Nov 14, 2017 at 12:18:54PM -0800, Linus Torvalds wrote:
>> This is all theoretical security masturbation. The _real_ attacks have
>> been elsewhere.
>
> In my research on this front I'll have to agree with this, in terms of
> justification and there are only *two* arguments which I've so far have found
> to justify firmware signing:
>
> a) If you want signed modules, you therefore should want signed firmware.
>    This however seems to be solved by using trusted boot thing, given it
>    seems trusted boot requires having firmware be signed as well. (Docs
>    would be useful to get about where in the specs this is mandated,
>    anyone?). Are there platforms that don't have trusted boot or for which
>    they don't enforce hardware checking for signed firmware for which
>    we still want to support firmware signing for? Are there platforms
>    that require and use module signing but don't and won't have a trusted
>    boot of some sort? Do we care?

TPM-backed Trusted Boot means you don't /need/ to sign anything, since
the measurements of what you loaded will end up in the TPM. But
signatures make it a lot easier, since you can just assert that only
signed material will be loaded and so you only need to measure the
kernel and the trusted keys.