From: David Howells
Organization: Red Hat UK Ltd.
To: Andy Lutomirski
Cc: dhowells@redhat.com, David Woodhouse, Linus Torvalds, Andy Lutomirski, Michal Marek, Abelardo Ricart III, Linux Kernel Mailing List, Sedat Dilek, keyrings@linux-nfs.org, Rusty Russell, LSM List, Borislav Petkov, Jiri Kosina
Subject: Re: Should we automatically generate a module signing key at all?
Date: Thu, 21 May 2015 17:10:18 +0100
Message-ID: <9984.1432224618@warthog.procyon.org.uk>
References: <31154.1431965087@warthog.procyon.org.uk> <555A88FB.7000809@kernel.org> <1432058889.3277.73.camel@infradead.org> <5348.1432061085@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

Andy Lutomirski wrote:

> Suppose you have a depth-k tree (i.e. up to 2^k modules). We'll
> compute a 32-byte value Tree(d, i) for each d from 0 to k and each i
> from 0 to 2^d-1. First you assign each module an index starting at
> zero (with the maximum index less than 2^k). Then you hash each
> module.

Now you've got a different problem.

Unless you want to load the entire tree in one go (in which case you're back to the kernel space issue), the kernel now has to be able to pull it piecemeal from storage and the initramfs builder either has to pull in the entire tree or select a subset. Further, if the initramfs only contains a subtree, then the kernel has to be able to switch to the full tree at some point.

> > And that doesn't include the issue of hashing the firmware blobs you might
> > need.
>
> As before, that's true. To verify firmware, either you need to hash
> it, use a temporary signing key, or use a long-term signing key.
> Choose your poison. I still prefer a hash over a temporary signing
> key.

From a distribution point of view, a hash list of all known firmware is icky as all the kernels maintained by the distribution would have to be updated each time a new firmware blob needs listing. Further, all past known firmware would have to be kept in the list and could never be discarded lest you prevent someone's machine from booting.

David
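The hash tree Andy sketches above, and the "pull it piecemeal" concern David raises, can be made concrete with a small model. The following is an added example written for this page; it is not code from either poster or from the kernel. It assumes SHA-256 for the 32-byte Tree(d, i) values, a fixed zero block as padding for unused leaf slots when fewer than 2^k modules exist, and one-byte domain-separation prefixes (0x00 for leaves, 0x01 for internal nodes) so that a leaf hash can never be confused with an internal node; none of those details are specified in the thread. The verifier needs only the 32-byte root plus a k-entry sibling path per module, which is what lets a kernel check one module at a time without holding the whole tree.

```python
"""Model of a depth-k module hash tree: Tree(d, i) for d in 0..k, i in 0..2^d-1.

Tree(k, i) is the hash of module i (d = k is the leaf level), and
Tree(d, i) = H(Tree(d+1, 2i) || Tree(d+1, 2i+1)) for d < k.
Tree(0, 0) is the root that a kernel build would embed.
"""
import hashlib
from typing import Dict, List, Tuple

HASH_LEN = 32
EMPTY_LEAF = b"\x00" * HASH_LEN   # assumption: padding for unused leaf slots
LEAF_PREFIX = b"\x00"             # assumption: domain separation for leaves
NODE_PREFIX = b"\x01"             # assumption: domain separation for internal nodes

Tree = Dict[Tuple[int, int], bytes]   # (d, i) -> 32-byte value


def leaf_hash(module: bytes) -> bytes:
    """Tree(k, i): hash of one module's contents."""
    return hashlib.sha256(LEAF_PREFIX + module).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Tree(d, i) from its two children at level d+1."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(modules: List[bytes], k: int) -> Tree:
    """Assign indices 0..len(modules)-1 and compute every Tree(d, i)."""
    if len(modules) > 2 ** k:
        raise ValueError("more modules than a depth-%d tree can index" % k)
    tree: Tree = {}
    for i in range(2 ** k):
        tree[(k, i)] = leaf_hash(modules[i]) if i < len(modules) else EMPTY_LEAF
    for d in range(k - 1, -1, -1):
        for i in range(2 ** d):
            tree[(d, i)] = node_hash(tree[(d + 1, 2 * i)], tree[(d + 1, 2 * i + 1)])
    return tree


def inclusion_path(tree: Tree, k: int, index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to (but excluding) the root.

    This is the per-module data an initramfs would carry alongside the
    module: k values of 32 bytes, instead of the whole tree.
    """
    path = []
    i = index
    for d in range(k, 0, -1):
        path.append(tree[(d, i ^ 1)])   # sibling at the same level
        i >>= 1                         # parent index one level up
    return path


def verify_module(root: bytes, module: bytes, index: int,
                  path: List[bytes], k: int) -> bool:
    """Recompute the root from one module and its path; True iff it matches."""
    if len(path) != k or not (0 <= index < 2 ** k):
        return False
    h = leaf_hash(module)
    i = index
    for sibling in path:
        # An odd index is a right child, so the sibling goes on the left.
        h = node_hash(sibling, h) if i & 1 else node_hash(h, sibling)
        i >>= 1
    return h == root


# Constructed sample: five fake "modules" in a depth-3 tree (room for 8).
K = 3
SAMPLE_MODULES = [b"module-%d-contents" % n for n in range(5)]
TREE = build_tree(SAMPLE_MODULES, K)
ROOT = TREE[(0, 0)]   # the 32 bytes the kernel would embed


def demo() -> bool:
    """Verify every sample module piecemeal and reject a tampered one."""
    ok = all(verify_module(ROOT, m, i, inclusion_path(TREE, K, i), K)
             for i, m in enumerate(SAMPLE_MODULES))
    tampered = verify_module(ROOT, b"evil", 0, inclusion_path(TREE, K, 0), K)
    return ok and not tampered


if __name__ == "__main__":
    print("root:", ROOT.hex())
    print("all modules verify, tampered rejected:", demo())
```

Each module costs the verifier k sibling hashes (k * 32 bytes) plus the leaf hash, so an initramfs need only ship the paths for the modules it actually contains; the domain-separation prefixes are the usual guard against a crafted leaf whose bytes happen to look like a pair of internal nodes.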