Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753088AbbETNOm (ORCPT ); Wed, 20 May 2015 09:14:42 -0400 Received: from mx1.redhat.com ([209.132.183.28]:56446 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751720AbbETNOi (ORCPT ); Wed, 20 May 2015 09:14:38 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <555BDA4B.6020207@kernel.org> References: <555BDA4B.6020207@kernel.org> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <20150515123551.16723.7733.stgit@warthog.procyon.org.uk> To: Andy Lutomirski Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org Subject: Re: [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #4] MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <31478.1432127671.1@warthog.procyon.org.uk> Date: Wed, 20 May 2015 14:14:31 +0100 Message-ID: <31479.1432127671@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2292 Lines: 57 Andy Lutomirski wrote: > > enum pkey_id_type { > > PKEY_ID_PGP, /* OpenPGP generated key ID */ > > PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ > > + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ > > PKEY_ID_TYPE__LAST > > }; > > > > I don't understand these comments. "OpenPGP generated key ID" refers to the > name of a key. "X.509 arbitrary subjectKeyIdentifier" also refers to a name > of a key. OpenPGP was how we did things originally. We then switched to X.509 because we had to take account of UEFI. These values are implicit parts of the kernel ABI. > "Signature in PKCS#7 message" refers to a signature style. This seems > inconsistent. Not precisely. The format of the descriptor is immutable given the particular magic number. You set the ID type to that and all the other fields bar one to zero and you put the signature and all the metadata in the PKCS#7 blob which you place directly prior to the descriptor (the length of the blob is the one thing you do need to specify). Effectively, it's an override. > Also, I think we're really going to want signatures that specify their > purpose, e.g. "module named xyz" or "firmware file named abc" or "kexec > image". Let's get this right the first time rather than needing yet another > type in the very near future. If this is so, then this _must_ also apply to your hash list idea. > Finally, why are we using PKCS#7 for this? Can't everything except kexec > images use raw signatures in some trivial non-ASN.1-ified format? A raw > signature can reference a UEFI-sourced key just fine. We have PKCS#7 already in the kernel. It's a standard. We can add attributes of our own devising to extend it if necessary (say your typing idea referenced above). > It could be as simple as: > > 4 bytes of signature type > (length of pubkey identifier, pubkey identifier) > 4 bytes of purpose > (length of purpose-specific data, purpose-specific data) Let's not create yet another unextendable non-standard standard. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/