Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932548AbbETPtE (ORCPT ); Wed, 20 May 2015 11:49:04 -0400 Received: from mx1.redhat.com ([209.132.183.28]:35478 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932514AbbETPsz (ORCPT ); Wed, 20 May 2015 11:48:55 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20150519200232.GM23057@wotan.suse.de> References: <20150519200232.GM23057@wotan.suse.de> To: "Luis R. Rodriguez" Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, james.l.morris@oracle.com, serge@hallyn.com, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, Kyle McMartin , David Woodhouse , Seth Forshee , Greg Kroah-Hartman , Joey Lee , Rusty Russell , zohar@linux.vnet.ibm.com, mricon@kernel.org Subject: Re: [RFD] linux-firmware key arrangement for firmware signing MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <6809.1432134859.1@warthog.procyon.org.uk> Date: Wed, 20 May 2015 16:14:19 +0100 Message-ID: <6810.1432134859@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1773 Lines: 43 Luis R. Rodriguez wrote: > This begs the question on how we'd manage keys for firmware signing on > linux-firmare. Since the keys are x509 keys we need a CA. Based on some > initial discussions it would seem we'd need the Linux Foundation to create a > key, this would be embedded in the kernel and that key would be used to sign > Kyle's key. Kyle would in turn use his key for signing linux-firmware > files. David, Kyle, did I summarize this correctly ? Yes. > I think we need one change here, we'd need to ensure that such key could > only be used for vetting firmware files, not modules loaded. The > firmware_class could for instance still use all the keys in > system_trusted_keyring, which would include the UEFI key db, but it does not > seems reasonable to expect keys used for fw signing to also go into > system_trusted_keyring to also be used for module signing. X.509 certificates can take attributes that define what the key held therein may be used for. You actually have four categories of key usage, I think: (1) Signing modules. (2) Signing firmware. (3) Signing kernel binaries for kexec. (4) Signing other keys that can then be chained to (1) - (3). For instance, the LF might use their key to sign Kyle's key. Kyle might want to replace his key yearly, say, because the more examples of things signed with it, the more exposed it becomes. So the kernel would need to carry the LF key, say, and then the appropriate one of Kyle's keys could be loaded dynamically. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/