Received: by 10.213.65.68 with SMTP id h4csp1021241imn;
        Wed, 14 Mar 2018 07:20:51 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvCWRb9TDwROWdqH0erlyd935pQjbZMcxqfqMoZreRysRXpZCXhfXWFZ72sCzbSeY1hJtZw
X-Received: by 10.99.127.72 with SMTP id p8mr2156432pgn.52.1521037251047;
        Wed, 14 Mar 2018 07:20:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521037251; cv=none;
        d=google.com; s=arc-20160816;
        b=TuO7iWtX2sPIDIVu+nDN8+KJbNQrBrloajOLaGDDjyMH8isWf+v7igeMLcC1wvDvoA
         nb0qcpgEoPDy6aJ18llAVZ/fhVcDiAtxfR6tALai3WnYvGPvb6ZcgXlpWd6LvAofBRZj
         iHQ10WNhqjt/bQwjZdbFoit91tSxTyv16K0nyeM0tyn93ZNNrMCCuwUDh57MIfkRvwBk
         45pkN2ZWeFSsXHBGuaxEF15tHSel7gVk8C3zMX9JJHgd9rZne5l6zOQ1pqKEtaIHLcJC
         lUa9PzPvbFS731bdLaiUizgs9vXfPAv22GGJMwQU51VOJUq4hmexV0AvW/sct8ULezVZ
         GlPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature:arc-authentication-results;
        bh=bWBzzQEVKJsPrdibxjFsfncEv0mncm+dRWsxXbN1q54=;
        b=ekEedX+VXc1wOhPaxLenlw9GB3EZYWyzGHIMDkbBXZ7PcU0isq40VQaf6RSny28whc
         nsARLAWx1XaDaqR0bfva+oZnIALyLoHfG4uj1l7zvK9XZalgHi3Gsh0p3PVymTcRINUO
         IXjX2ABCM8j7KM8PhmW0POHuMDPiPDvOBT89iuWHxrIryvk0/1v9JKqqLICCNL1z+FB7
         5MK75P1xijr4Y/jTqopcWxgp9EFkjnwx5bNLB1ITaqNFu7x1gixn5PwU2S26Z3HviOIK
         jvMFcCqEGe3iqxWtLl4LeIEnx4PJDPM4SAmIqL/Fc57M2mtkWfIlzwajbaoUPvZpiei6
         6nXA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=Ah4dP+yY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m25si2162511pfj.131.2018.03.14.07.20.35;
        Wed, 14 Mar 2018 07:20:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=Ah4dP+yY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751748AbeCNOTb (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Wed, 14 Mar 2018 10:19:31 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:51986 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751682AbeCNOT3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Mar 2018 10:19:29 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id D4DCA8EE3BF;
        Wed, 14 Mar 2018 07:19:27 -0700 (PDT)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id GakmImdbrD36; Wed, 14 Mar 2018 07:19:27 -0700 (PDT)
Received: from [153.66.254.194] (unknown [50.35.65.221])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 1EFC88EE0CF;
        Wed, 14 Mar 2018 07:19:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1521037167;
        bh=hnKcDGZrJDJY+HZdQNs2ajsovhNUGLBprJUnXo6N/gA=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=Ah4dP+yYZk/zAR52qLw9+DWQyN+318vgwEWob1aeQp2sb+EXaRs5/1d7m4Fwo8KUD
         +AE+Xgmz/I3Qz33DW6kDNGdq8RoS3ntzhN2vGWrRZtpszVLyPgqfpjtoryNtkUq/zw
         +SvdaKT8/w80QWjGGxkVPYk0Cl2YCIzuBydxB7xc=
Message-ID: <1521037165.4508.13.camel@HansenPartnership.com>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before
 loading a kernel module
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     joeyli <jlee@suse.com>
Cc:     "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
        David Howells <dhowells@redhat.com>, linux-fs@vger.kernel.org,
        linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
        Josh Boyer <jwboyer@fedoraproject.org>
Date:   Wed, 14 Mar 2018 07:19:25 -0700
In-Reply-To: <20180314060803.GD19718@linux-l9pv.suse>
References: <20180313103803.13388-1-jlee@suse.com>
         <20180313103803.13388-5-jlee@suse.com>
         <1520961515.5360.19.camel@HansenPartnership.com>
         <20180314060803.GD19718@linux-l9pv.suse>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-03-14 at 14:08 +0800, joeyli wrote:
> On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> > 
> > On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > > 
> > > This patch adds the logic for checking the kernel module's hash
> > > base on blacklist. The hash must be generated by sha256 and
> > > enrolled
> > > to dbx/mokx.
> > > 
> > > For example:
> > > 	sha256sum sample.ko
> > > 	mokutil --mokx --import-hash $HASH_RESULT
> > > 
> > > Whether the signature on ko file is stripped or not, the hash can
> > > be
> > > compared by kernel.
> > 
> > What's the use case for this?  We're already in trouble from the
> > ODMs for the size of dbx and its consumption of the extremely
> > limited variable space, so do we really have a use case for adding
> > module blacklist hashes to the UEFI variables given the space
> > constraints (as in one we can't do any other way)?
> > 
> 
> The dbx is a authenticated variable that it can only be updated by
> manufacturer. The mokx gives a flexible way for distro to revoke a
> key or a signed module. Then we don't need to touch shim or bother
> manufacturer to deliver new db. Currently it doesn't have real use
> case yet. 
> 
> I knew that the NVRAM has limited space. But distro needs a backup
> solution for emergency.

I wasn't asking why the variable, I was asking why the mechanism.

OK, let me try to ask the question in a different way:

Why would the distribution need to blacklist a module in this way?  For
the distro to execute the script to add this blacklist, means the
system is getting automated or manual updates ... can't those updates
just remove the module?

The point is that module sha sums are pretty ephemeral in our model
(they change with every kernel), so it seems to be a mismatch to place
them in a permanent blacklist, particularly when we have very limited
space for that list.

James