Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754687AbcLBUS4 (ORCPT ); Fri, 2 Dec 2016 15:18:56 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:57029 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751758AbcLBUSx (ORCPT ); Fri, 2 Dec 2016 15:18:53 -0500 Subject: Re: [PATCH 8/9] MODSIGN: Import certificates from UEFI Secure Boot From: Mimi Zohar To: James Bottomley Cc: Ard Biesheuvel , David Howells , keyrings@vger.kernel.org, Matthew Garrett , "linux-efi@vger.kernel.org" , "linux-kernel@vger.kernel.org" , linux-security-module , Josh Boyer , linux-ima-devel Date: Fri, 02 Dec 2016 15:18:32 -0500 In-Reply-To: <1480705068.2410.64.camel@HansenPartnership.com> References: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <147931990222.16460.11621102657967011265.stgit@warthog.procyon.org.uk> <1480015063.2444.9.camel@HansenPartnership.com> <1480705068.2410.64.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16120220-0048-0000-0000-000001E6CF17 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16120220-0049-0000-0000-0000471A453B Message-Id: <1480709912.24620.102.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-12-02_14:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1609300000 definitions=main-1612020313 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4304 Lines: 83 Since this discussion affects which keys can be added to trusted keyrings, cc'ing linux-ima-devel. On Fri, 2016-12-02 at 10:57 -0800, James Bottomley wrote: > On Thu, 2016-11-24 at 11:17 -0800, James Bottomley wrote: > > On Mon, 2016-11-21 at 16:16 +0000, Ard Biesheuvel wrote: > > > On 16 November 2016 at 18:11, David Howells > > > wrote: > > > > From: Josh Boyer > > > > > > > > Secure Boot stores a list of allowed certificates in the 'db' > > > > variable. This imports those certificates into the system trusted > > > > keyring. This allows for a third party signing certificate to > > > > be used in conjunction with signed modules. By importing the > > > > public certificate into the 'db' variable, a user can allow a > > > > module signed with that certificate to load. The shim UEFI > > > > bootloader has a similar certificate list stored in the > > > > 'MokListRT' variable. We import those as well. > > > > > > > > > > This sounds like a bad idea to me. For the standard databases like > > > db and dbx, we can rely on the firmware to ensure that they are > > > what you expect. > > > > Actually, I think it's a bad idea for the opposite reason: Shim > > explicitly pivots the root of trust away from the db keys to its own > > Moklist keys. We have no choice and are forced to trust db for the > > secure boot part, but once we're in the kernel proper, I'd argue that > > we would only want to trust the pivoted root, i.e. Moklist. > > > > Trusting both could generate unwanted consequences, like pressure on > > Microsoft to sign modules or worse, pressure on OEMs to include > > module keys or hashes ... or worst of all OEMs signing external > > modules. > > > > > For MokListRt, not so much: anyone with sufficient > > > capabilities can generate such a variable from userland, and not > > > every arch/distro combo will be using shim and/or mokmanager. (The > > > debates are still ongoing, but my position is that there is no need > > > for shim at all on ARM given that the M$ problem only exists on > > > x86) > > > > OK, so on this point, I'm already not using Shim on my x86 box. > > However, what you find if you're using grub is that because grub > > doesn't do signature verification, you still have to use the shim > > protocol callout, so you need something between UEFI and grub to load > > at least this protocol. I suppose this would go away once we can > > persuade grub to verify signatures. > > Hm, that got crickets. > > Let me propose an alternative mechanism then. > > My problem is that although I am forced to trust the secure boot keys > for the UEFI security boundary, I don't necessarily want to trust them > for signing things for my kernel, so I want to pivot (or at > leastselectively weed out) keys. Shim already has this concept > partially with MokIgnoreDB. > > For the purposes of the kernel, I think we simply need a variable, lets > call it MokKernelCerts, that gives the list of certificates to import > into the kernel keyring. I think this variable should be BS NV only > (not RT) meaning we have to collect it before ExitBootServices(). The > reason for this is to ensure it's populated by a trusted entity within > the UEFI secure boot boundary. This will cause a kexec problem, so we > might have to relax this and use a RT shadow as we already do for > MokList. The idea is that we populate the kernel certificates only > from this variable, so policy can be decided by the bootloader (or > something else which runs within the secure boot environment). > > You can stop reading here if you're not interested in *how* this policy > would work. > > To make it work, Shim or one of the other intermediates would set up > the variable. we could communicate policy to it with the usual Foo, > FooUpdate mechanism we already use for MokList. The default policy (if > the variable doesn't exist on firstboot) can be whatever the distro > wants, so if Fedora wants all the secure boot certs, it can do that and > other distros can follow their own stricter or less strict policies. > The user would be able to overwrite this using the Update process, > which could be password verified like MokList already is. > > Does this sound acceptable to everyone?