Received: by 10.213.65.68 with SMTP id h4csp1456456imn;
        Wed, 14 Mar 2018 23:18:26 -0700 (PDT)
X-Google-Smtp-Source: AG47ELta+4mug1DkM+0Ht1esTZOhM0bCTyTYQAuO4BdzCPTHj+7epoGhAObTuIyPauBI5KweUlzT
X-Received: by 2002:a17:902:5a4e:: with SMTP id f14-v6mr5253675plm.116.1521094706021;
        Wed, 14 Mar 2018 23:18:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521094705; cv=none;
        d=google.com; s=arc-20160816;
        b=fZyDgHd9SPPIqPfOzup2HRqS6Y5GJpoexaPHQgXrNnMg8hZlmRs+8ehDCoQCENfbs+
         Y38q/PShuxCF+rvdeZ3G2bczz9mOuz6J7WQPjSOF7T+U6B2TyAosaoofY4Z6Q88NKE0s
         5TXneLrNEDgYUexin4HTmvmBpq8dxyvghVlOhsd8ea8GBQWbSAXhbHFAFQwWoxvoy1ER
         EXp8+1pa9BCBxhvapDtkcYQjJfVLMIYt+r3q44i7OWorneI5gxsDUEj8bO4Lu6xwJXjw
         eVoj93MIjdkVmftrF/f9mKySAg9uryQGHJAwcOcdU4I194qQ/tXkRj4plB/DjOPoanY0
         OFBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=EI6wUueurjab+DlooPI7P276FHiHIeV2LosA1w6tKDs=;
        b=Rq1yyCDifaWOw//6RJUAV4LrQyms6Av2AMbpmaPkkUYQheBrGYsOM3jFDaNbapKLtt
         x0S7hk2kmcPJCcnbWHChoalpQlBAN3xctBahSeGF3kSpEGBknveTKmIyNhZwnbapehM9
         LVQ3dnPzDa2+fZ2AmcBsa9w25WM4Hwb7fbKqUtGfY0qjS3RWvJIJ/3YrGJfzGA3Yk5mk
         U+apl5HQEPrXwQsvBzda8jcF7cUWxMV2XqRaNPrL6svJW9kXY8S+5owCFXAm28kcW+3A
         0zyH/1hE6UNXvNSwoRNdi3KzIm5gA1Ywj4FmMAdusbhbNPl4HRmYjtaGag/VJUskklm0
         PsJw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e2-v6si3452134pls.160.2018.03.14.23.18.11;
        Wed, 14 Mar 2018 23:18:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751708AbeCOGRJ (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Thu, 15 Mar 2018 02:17:09 -0400
Received: from smtp.nue.novell.com ([195.135.221.5]:52521 "EHLO
        smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750729AbeCOGRI (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
        Thu, 15 Mar 2018 02:17:08 -0400
Received: from linux-l9pv.suse (unknown.telstraglobal.net [134.159.103.118])
        by smtp.nue.novell.com with ESMTP (TLS encrypted); Thu, 15 Mar 2018 07:17:03 +0100
Date:   Thu, 15 Mar 2018 14:16:50 +0800
From:   joeyli <jlee@suse.com>
To:     James Bottomley <James.Bottomley@HansenPartnership.com>
Cc:     "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
        David Howells <dhowells@redhat.com>, linux-fs@vger.kernel.org,
        linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
        Josh Boyer <jwboyer@fedoraproject.org>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before
 loading a kernel module
Message-ID: <20180315061650.GA10628@linux-l9pv.suse>
References: <20180313103803.13388-1-jlee@suse.com>
 <20180313103803.13388-5-jlee@suse.com>
 <1520961515.5360.19.camel@HansenPartnership.com>
 <20180314060803.GD19718@linux-l9pv.suse>
 <1521037165.4508.13.camel@HansenPartnership.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1521037165.4508.13.camel@HansenPartnership.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 14, 2018 at 07:19:25AM -0700, James Bottomley wrote:
> On Wed, 2018-03-14 at 14:08 +0800, joeyli wrote:
> > On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> > > 
> > > On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > > > 
> > > > This patch adds the logic for checking the kernel module's hash
> > > > base on blacklist. The hash must be generated by sha256 and
> > > > enrolled
> > > > to dbx/mokx.
> > > > 
> > > > For example:
> > > > 	sha256sum sample.ko
> > > > 	mokutil --mokx --import-hash $HASH_RESULT
> > > > 
> > > > Whether the signature on ko file is stripped or not, the hash can
> > > > be
> > > > compared by kernel.
> > > 
> > > What's the use case for this?  We're already in trouble from the
> > > ODMs for the size of dbx and its consumption of the extremely
> > > limited variable space, so do we really have a use case for adding
> > > module blacklist hashes to the UEFI variables given the space
> > > constraints (as in one we can't do any other way)?
> > > 
> > 
> > The dbx is a authenticated variable that it can only be updated by
> > manufacturer. The mokx gives a flexible way for distro to revoke a
> > key or a signed module. Then we don't need to touch shim or bother
> > manufacturer to deliver new db. Currently it doesn't have real use
> > case yet. 
> > 
> > I knew that the NVRAM has limited space. But distro needs a backup
> > solution for emergency.
> 
> I wasn't asking why the variable, I was asking why the mechanism.
> 
> OK, let me try to ask the question in a different way:
> 
> Why would the distribution need to blacklist a module in this way?  For

This way is a new option for user to blacklist a module but not the only
way. MOK has this ability because shim implements the mokx by signature
database format (EFI_SIGNATURE_DATA in UEFI spec). This format supports
both hash signature and x.509 certificate.

> the distro to execute the script to add this blacklist, means the
> system is getting automated or manual updates ... can't those updates
> just remove the module?
>
Yes, we can just remove or update the module in kernel rpm or kmp. But
user may re-install distro with old kernel or install a old kmp. If
the blacklist hash was stored in variable, then kernel can prevent
to load the module.

On the other hand, for enrolling mokx, user must reboots system and
deals with shim-mokmanager UI. It's more secure because user should
really know what he does. And user can choice not to enroll the hash
if they still want to use the module.

> The point is that module sha sums are pretty ephemeral in our model
> (they change with every kernel), so it seems to be a mismatch to place
> them in a permanent blacklist, particularly when we have very limited
> space for that list.
>
Normally we run a serious process for signing a kernel module before
shipping it to customer. The SUSE's "Partner Linux Driver Program” (PLDP)
is an example. So the module sha sums are not too ephemeral.

I agree with you for the space is limit. But the mokx gives a option to
distro or user to blacklist kernel module. They can choice to use this
mechanism or not. 

Thanks a lot!
Joey Lee