Message-ID: <1521124226.5348.15.camel@HansenPartnership.com>
Subject: Re: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module
From: James Bottomley
To: joeyli
Cc: "Lee, Chun-Yi", David Howells, linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Josh Boyer
Date: Thu, 15 Mar 2018 07:30:26 -0700
In-Reply-To: <20180315061650.GA10628@linux-l9pv.suse>
References: <20180313103803.13388-1-jlee@suse.com> <20180313103803.13388-5-jlee@suse.com> <1520961515.5360.19.camel@HansenPartnership.com> <20180314060803.GD19718@linux-l9pv.suse> <1521037165.4508.13.camel@HansenPartnership.com> <20180315061650.GA10628@linux-l9pv.suse>
List-ID: <linux-kernel.vger.kernel.org>

On Thu, 2018-03-15 at 14:16 +0800, joeyli wrote:
> On Wed, Mar 14, 2018 at 07:19:25AM -0700, James Bottomley wrote:
> >
> > On Wed, 2018-03-14 at 14:08 +0800, joeyli wrote:
> > >
> > > On Tue, Mar 13, 2018 at 10:18:35AM -0700, James Bottomley wrote:
> > > >
> > > > On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> > > > >
> > > > > This patch adds the logic for checking the kernel module's
> > > > > hash based on the blacklist. The hash must be generated by sha256
> > > > > and enrolled to dbx/mokx.
> > > > >
> > > > > For example:
> > > > > sha256sum sample.ko
> > > > > mokutil --mokx --import-hash $HASH_RESULT
> > > > >
> > > > > Whether the signature on the ko file is stripped or not, the hash
> > > > > can be compared by the kernel.
> > > >
> > > > What's the use case for this?  We're already in trouble from
> > > > the ODMs for the size of dbx and its consumption of the
> > > > extremely limited variable space, so do we really have a use
> > > > case for adding module blacklist hashes to the UEFI variables
> > > > given the space constraints (as in one we can't do any other
> > > > way)?
> > > >
> > >
> > > The dbx is an authenticated variable that can only be updated
> > > by the manufacturer. The mokx gives a flexible way for a distro to
> > > revoke a key or a signed module. Then we don't need to touch shim
> > > or bother the manufacturer to deliver a new db. Currently it doesn't
> > > have a real use case yet.
> > >
> > > I know that the NVRAM has limited space. But a distro needs a
> > > backup solution for emergencies.
> >
> > I wasn't asking why the variable, I was asking why the mechanism.
> >
> > OK, let me try to ask the question in a different way:
> >
> > Why would the distribution need to blacklist a module in this way?
> >  For
>
> This way is a new option for the user to blacklist a module, but not the
> only way.

So this is for the *user*, not the distribution?

> MOK has this ability because shim implements the mokx in the signature
> database format (EFI_SIGNATURE_DATA in the UEFI spec). This format
> supports both hash signatures and x.509 certificates.
>
> >
> > the distro to execute the script to add this blacklist, means the
> > system is getting automated or manual updates ... can't those
> > updates just remove the module?
> >
>
> Yes, we can just remove or update the module in the kernel rpm or kmp.
> But the user may re-install the distro with an old kernel or install an old kmp.
> If the blacklist hash is stored in the variable, then the kernel can prevent
> the module from loading.
>
> On the other hand, for enrolling mokx, the user must reboot the system and
> deal with the shim-mokmanager UI. It's more secure because the user should
> really know what he does. And the user can choose not to enroll the hash
> if they still want to use the module.

OK, so now the use case is the user needs to roll back but doesn't want
a module to load ... I've got to say that in that case I'd just remove
it before reload.

> > The point is that module sha sums are pretty ephemeral in our model
> > (they change with every kernel), so it seems to be a mismatch to
> > place them in a permanent blacklist, particularly when we have very
> > limited space for that list.
> >
>
> Normally we run a serious process for signing a kernel module before
> shipping it to the customer. SUSE's "Partner Linux Driver Program"
> (PLDP) is an example. So the module sha sums are not too ephemeral.

Ephemeral isn't about the signing process; it means that the sum is short
lived because every time you create a module for a specific kernel its
sum changes (because of the interface versioning), so your blacklist only
applies to one module and specific kernel combination.  Once you compile
it for a different kernel you need a different blacklist sum for it.

James
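The hash comparison the patch description and this reply argue about, as an added example that is not part of the thread or of the patch under review. It assumes what the quoted description states, that the value enrolled in mokx is the SHA-256 of the module body with any appended signature removed, so a signed and an unsigned copy of the same build compare equal; the signed-module trailer layout (struct module_signature followed by the "~Module signature appended~\n" marker) is the one the kernel's scripts/sign-file appends. The module bodies, vermagic strings and PKCS#7 blob are constructed stand-ins, and the function names (`strip_module_signature`, `module_hash`, `is_blacklisted`, `fake_sign`, `demo`) are chosen here. The last check in `demo` is James's ephemeral point: the same source rebuilt against another kernel has a different body and so a different hash.

```python
"""Hash a kernel module for dbx/mokx blacklisting, with or without an
appended signature.

Added example, not code from the MODSIGN patch or from the kernel tree.
Assumption: the blacklist compares the SHA-256 of the signature-stripped
module body. The trailer walk mirrors the layout scripts/sign-file writes;
the module bodies and the PKCS#7 blob below are constructed stand-ins.
"""
from __future__ import annotations

import hashlib
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len (12 bytes in total).
MODULE_SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def strip_module_signature(data: bytes) -> tuple[bytes, bool]:
    """Return (module body, had_signature).

    Marker at the very end, 12-byte module_signature before it, sig_len
    bytes of PKCS#7 before that. A malformed trailer is treated as "no
    signature" here (the hash then covers the whole file); the kernel's own
    verifier rejects such a module instead of loading it.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data, False
    rest = data[: -len(MODULE_SIG_STRING)]
    if len(rest) < MODULE_SIG_STRUCT.size:
        return data, False
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIG_STRUCT.unpack(
        rest[-MODULE_SIG_STRUCT.size :]
    )
    rest = rest[: -MODULE_SIG_STRUCT.size]
    # For PKCS#7 the signer and key id live inside the blob, so every other
    # field of the struct must be zero.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        return data, False
    if sig_len == 0 or sig_len > len(rest):
        return data, False
    return rest[:-sig_len], True


def module_hash(data: bytes) -> str:
    """SHA-256 over the signature-stripped body: the value to enroll in mokx."""
    body, _ = strip_module_signature(data)
    return hashlib.sha256(body).hexdigest()


def is_blacklisted(data: bytes, blacklist: set[str]) -> bool:
    """The load-time check: refuse the module if its body hash is enrolled."""
    return module_hash(data) in blacklist


def fake_sign(body: bytes, pkcs7: bytes) -> bytes:
    """Append a trailer in the sign-file layout. The PKCS#7 blob is whatever
    the caller passes; no real signing happens here."""
    trailer = MODULE_SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return body + pkcs7 + trailer + MODULE_SIG_STRING


# Constructed stand-ins for two builds of one module source against two
# kernels: the vermagic string differs, so the bodies (and hashes) differ.
SAMPLE_KO_V1 = b"\x7fELF...sample.ko...vermagic=4.16.0-rc5 SMP mod_unload\x00"
SAMPLE_KO_V2 = b"\x7fELF...sample.ko...vermagic=4.17.0-rc1 SMP mod_unload\x00"
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 256  # constructed, not a real signature


def demo() -> dict[str, bool]:
    signed_v1 = fake_sign(SAMPLE_KO_V1, FAKE_PKCS7)
    # The one hash a user would hand to `mokutil --mokx --import-hash`.
    blacklist = {module_hash(SAMPLE_KO_V1)}
    return {
        "stripped_matches": strip_module_signature(signed_v1)[0] == SAMPLE_KO_V1,
        "signed_blocked": is_blacklisted(signed_v1, blacklist),
        "unsigned_blocked": is_blacklisted(SAMPLE_KO_V1, blacklist),
        # Same source, other kernel: not covered by the enrolled hash.
        "rebuild_blocked": is_blacklisted(SAMPLE_KO_V2, blacklist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under the stated assumption, the value to enroll is `module_hash()` of the .ko, not `sha256sum` of a file that already carries a signature trailer, since that sum would include the trailer bytes. The `rebuild_blocked` result is `False`: one enrolled hash pins exactly one module build for one kernel, which is the space-versus-lifetime trade-off this reply raises.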