From: Andy Lutomirski
Date: Thu, 21 May 2015 15:47:49 -0700
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
To: "Luis R. Rodriguez"
Cc: David Howells, Andy Lutomirski, Rusty Russell, Michal Marek, Matthew Garrett, keyrings@linux-nfs.org, Dmitry Kasatkin, "linux-kernel@vger.kernel.org", Seth Forshee, LSM List, David Woodhouse
In-Reply-To:
References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <555BD715.40202@kernel.org> <31772.1432128969@warthog.procyon.org.uk> <20150520162059.GC10473@localhost> <20150521213829.GH23057@wotan.suse.de>
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 21, 2015 at 3:31 PM, Luis R. Rodriguez wrote:
> On Thu, May 21, 2015 at 3:24 PM, Andy Lutomirski wrote:
>> On Thu, May 21, 2015 at 3:16 PM, Luis R. Rodriguez wrote:
>>> On Thu, May 21, 2015 at 3:06 PM, Andy Lutomirski wrote:
>>>> Given that, I would say that merely shoving firmware files through the
>>>> module verifier as-is would not be okay.
>>>
>>> Replacing one dog and pony show for another is what is going on, what
>>> you describe and suggest seems best, and I welcome patches, it seems
>>> you know what you are talking about :)
>>>
>>
>> Don't hold your breath. My plate is over-full. I'm probably a decent
>> reviewer of crypto, though.
>
> Well as good as you are in 10 years we'll have better ones. So when
> module signature went into the kernel the real expectation should have
> been:
>
> This code looks good now but is going to be complete shit and
> breakable a few years from now.
>
> Hence my first implicit and now explicit claims on dog and pony shows.
> Best thing we can do IMHO is to just allow us to replace stupid human
> code with better human code later, and eventually hopefully better AI
> code, and so on. Since you don't have time for a real replacement
> maybe what we can do is at least document / target / agree for what
> pipe dream we want and shoot for it with time. Hopefully folks will
> find time to implement it.

I disagree. I'm a firm believer in security proofs. While I'm not
trained in formal crypto proofs, I can sketch out a proof of why a
system that properly tags its signatures is secure against a reasonable
threat model. I can also show why that proof wouldn't work for a scheme
without tags, and I can demonstrate the actual weakness in a scheme
without tags.

In ten years, the only reason a scheme that I say looks good would fail
would be because (a) I screwed up, (b) an underlying assumption is
wrong, or (c) the implementation is subtly wrong. In particular, it
won't fail because I'm insufficiently clever. A real professional
expert would be less likely to screw up. (For reference, I wrote an
actual doctoral thesis involving crypto.)

>
> In the meantime should that block current dog and pony show trading? I
> don't think so.

Yes, since I can demonstrate the actual weakness without tags, and
crypto is notoriously hard to fix once done poorly and there's a great
history of obviously-theoretically-weak systems being meaningfully
attacked in the real world. See, for example, every single old SSL/TLS
cipher. (And yes, the crypto community knew what was wrong in theory
and how to fix it when the protocol was designed. People just didn't
pay attention.)

--Andy
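The point Andy makes above, that a signature scheme should tag what kind of object it signs so that a signature over one kind of object (a firmware file) cannot be accepted by the verifier for another kind (a kernel module), is the standard domain-separation argument. The following is an added illustration, not code from this thread, from the MODSIGN patch series, or from the kernel. It assumes an HMAC-SHA256 over a shared key as a stand-in for the real public-key signature (so the example runs offline), and the tag layout it uses (a length-prefixed ASCII type label plus a payload length) is invented for the example; the property shown, that an untagged verifier cannot tell the two cases apart while a tagged one can, does not depend on either choice.

```python
import hashlib
import hmac
import struct

# Constructed key: stands in for the signer's private key. HMAC is used only
# so the example is self-contained; the separation property is the same for
# a real signature over the same message bytes.
KEY = b"constructed-demo-key"


def sign_untagged(key: bytes, payload: bytes) -> bytes:
    """Untagged scheme: the signature covers nothing but the payload bytes."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_untagged(key: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_untagged(key, payload), sig)


def _tagged_message(obj_type: str, payload: bytes) -> bytes:
    """Tag layout (invented for this example): 1-byte label length, ASCII
    label, 8-byte big-endian payload length, then the payload. Length
    prefixes keep one label/payload split from colliding with another."""
    label = obj_type.encode("ascii")
    if not 0 < len(label) < 256:
        raise ValueError("object type label must be 1..255 ASCII bytes")
    return (struct.pack(">B", len(label)) + label
            + struct.pack(">Q", len(payload)) + payload)


def sign_tagged(key: bytes, obj_type: str, payload: bytes) -> bytes:
    """Tagged scheme: the signer commits to the object type it is signing."""
    return hmac.new(key, _tagged_message(obj_type, payload), hashlib.sha256).digest()


def verify_tagged(key: bytes, obj_type: str, payload: bytes, sig: bytes) -> bool:
    """The verifier supplies the type it expects; a signature issued for a
    different type fails even though key and payload are identical."""
    return hmac.compare_digest(sign_tagged(key, obj_type, payload), sig)


def demo() -> dict:
    """Run both schemes over one constructed blob and report the outcomes."""
    blob = b"constructed bytes that were signed as a firmware image"

    # Untagged: a firmware signature is indistinguishable from a module
    # signature over the same bytes, so a module verifier accepts it.
    fw_sig = sign_untagged(KEY, blob)
    untagged_cross_type_accepted = verify_untagged(KEY, blob, fw_sig)

    # Tagged: the same blob signed as "firmware" is rejected by a verifier
    # that expects a "module", and still accepted for its real type.
    fw_sig_t = sign_tagged(KEY, "firmware", blob)
    tagged_cross_type_accepted = verify_tagged(KEY, "module", blob, fw_sig_t)
    tagged_same_type_accepted = verify_tagged(KEY, "firmware", blob, fw_sig_t)

    return {
        "untagged_cross_type_accepted": untagged_cross_type_accepted,
        "tagged_cross_type_accepted": tagged_cross_type_accepted,
        "tagged_same_type_accepted": tagged_same_type_accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The verifier, not the blob, decides which type it is willing to accept: the module loader asks for "module", the firmware loader asks for "firmware", and a signature made for one cannot satisfy the other. This is the property a security proof for a tagged scheme can rely on and an untagged scheme cannot offer.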