MIME-Version: 1.0
In-Reply-To: <9984.1432224618@warthog.procyon.org.uk>
References: <31154.1431965087@warthog.procyon.org.uk> <CA+55aFyOCh=+xSzZwWBjFbx5hU48pGEoSSXq2TPa-u-VabJfOQ@mail.gmail.com>
 <555A88FB.7000809@kernel.org> <CA+55aFxuSOdTXO4RNc48etA22dWttUumuPBm8YW_qyYHxLQpiQ@mail.gmail.com>
 <CALCETrXO25VvR5DsAQVrpWz2UGJChpwqjXnKiFhNXdCG0xXPMg@mail.gmail.com>
 <1432058889.3277.73.camel@infradead.org> <CALCETrXGv-bi9GKWxm9n71wx6sYotpL4rm9OUB5d2Hh2h9FdJg@mail.gmail.com>
 <5348.1432061085@warthog.procyon.org.uk> <CALCETrWjygX_SsQxD25wfG9ttY=DjuZrDRPrhcLawOpgCXYY4A@mail.gmail.com>
 <9984.1432224618@warthog.procyon.org.uk>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 21 May 2015 09:50:46 -0700
Message-ID: <CALCETrVGtxuzN=Muw4YZm6YevH=aNSjA1yz2+L0Y9C-GQ2MpmA@mail.gmail.com>
Subject: Re: Should we automatically generate a module signing key at all?
To: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>, Michal Marek <mmarek@suse.cz>,
        Abelardo Ricart III <aricart@memnix.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Sedat Dilek <sedat.dilek@gmail.com>, keyrings@linux-nfs.org,
        Rusty Russell <rusty@rustcorp.com.au>,
        LSM List <linux-security-module@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>, Jiri Kosina <jkosina@suse.cz>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2255
Lines: 56

On Thu, May 21, 2015 at 9:10 AM, David Howells <dhowells@redhat.com> wrote:
> Andy Lutomirski <luto@amacapital.net> wrote:
>
>> Suppose you have a depth-k tree (i.e. up to 2^k modules).  We'll
>> compute a 32-byte value Tree(d, i) for each d from 0 to k and each i
>> from 0 to 2^d-1.  First you assign each module an index starting at
>> zero (with the maximum index less than 2^k).  Then you hash each
>> module.
>
> Now you've got a different problem.  Unless you want to load the entire tree
> in one go (in which case you're back to the kernel space issue), the kernel
> now has to be able to pull it piecemeal from storage and the initramfs builder
> either has to pull in the entire tree or select a subset.  Further, if the
> initfamfs only contains a subtree, then the kernel has to be able to switch to
> the full tree as some point.

Each module would just package its proof as part of the module file.
After the kernel build is done, no one ever needs to see the whole
tree at once.

>
>> > And that doesn't include the issue of hashing the firmware blobs you might
>> > need.
>>
>> As before, that's true.  To verify firmware, either you need to hash
>> it, use a termporary signing key, or use a long-term signing key.
>> Choose your poison.  I still prefer a hash over a temporary signing
>> key.
>
> From a distribution point of view, a hash list of all known firmware is icky
> as all the kernels maintained by the distribution would have to be updated
> each time a new firmware blob needs listing.  Further, all past known firmware
> would have to be kept in the list and could never be discarded lest you
> prevent someone's machine from booting.
>

Sorry, I mis-spoke.  I don't think we should use a hash for firmware,
except possibly for Atomic-like systems, in which case we should
really just turn off firmware signature verification entirely in favor
of using IMA, dm-verity or similar to verify the entire root fs.

--Andy


> David


-- 
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/