Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2578741imm; Thu, 16 Aug 2018 11:50:09 -0700 (PDT) X-Google-Smtp-Source: AA+uWPwZTYdZbUHXR+YN8WrilFmX6MVhIe91TmA4ofKWF7BHjS0zunIqkyDnigZUAPPnCdExGWCy X-Received: by 2002:a63:de4c:: with SMTP id y12-v6mr29879479pgi.435.1534445409147; Thu, 16 Aug 2018 11:50:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534445409; cv=none; d=google.com; s=arc-20160816; b=LqKrnPWzyWkAYZMgB1r15a4SLIH09VQcertgekOhnXyEY+yyXE3H9w7xz8eaTSufn2 WpFv+Q56uqy0uiuFGuYT/VQBjC7w3OpkCzBsOpOnl6Unr/McJomF8ZsT8Ky3I7r8W0aC DmcOCBRqMWcj5goQ/ZDk68Zo0t28r+wi4fOW6LF2vqMCNlLfauXz001s2rBktlrgaJJO jd5IQC6Rn/9c3QLg0bW/cQbvYUBJxMrUrFBPbExIGHHOdjHAzFd44T9+V2iwBGKWCVGW EUnc6qlioo5NaKv1snEsmc86ielwmp8rd0n7LLAYw9Rmu0cn/o47TLri8aIGS6T0N5zQ xkfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=ID4syxHrDYnQtw9t3Kf0TTg+1o3ai9wV/HGcn+s7A6g=; b=LxMaROXoodf/4nVe9qziLXMDE4NJWF1omej8nXFXGB8bsA64DDJ/1RGG4y2/eCr1iJ jmlzv3ofHugaBYo3G1QSIQHznf7rM5zWqo3sIwqIP9ejFS34SjXpbcTMk2nxjUHYBLTC cLdcszMjIbzXFLDRek8tcisqdvBg6FdQv3BfpLFKDAM1Yh0hNDmQxH8I7ShkA31vOgrf crpvqJ2RHykOOsC+dG2n1UQmxt+tp0a4AgRpCxyF+DnqtVxm7LLAHcX9wGenVuvxbY3B xvhzQft+XsMqVmDMocailTBgn9x/f4zfx3E9nDDH2TiVX6z2SF2e3goCdBk6+M64KMg5 FbPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=Q9yoCKAc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f23-v6si47490pgj.282.2018.08.16.11.49.53; Thu, 16 Aug 2018 11:50:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=Q9yoCKAc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729530AbeHPUO6 (ORCPT + 99 others); Thu, 16 Aug 2018 16:14:58 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:44710 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728927AbeHPUO6 (ORCPT ); Thu, 16 Aug 2018 16:14:58 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 5A52C8EE171; Thu, 16 Aug 2018 10:15:13 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XC4CR5n48mu; Thu, 16 Aug 2018 10:15:13 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 76E748EE092; Thu, 16 Aug 2018 10:15:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1534439713; bh=dvLOWuwdU9754Ye3uLY4sFYi9HMiwhz26xL9QxMjaIw=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=Q9yoCKAcEUQjAq9xsGGLzpODjGDfLs7vuC8k+UMYW80SkaI4HIz46LtJ8vVFwBJGs lCx1YWfOQSGxgrzhdxpMVsvtC8+k05ALyyaNHmIoYRhUC7kn29QsWuZTW7Dc+82tOm CC93FvWXFnjuVKmmIvvve8oBxW9KGR/5jgCaFpLo= Message-ID: <1534439711.3166.13.camel@HansenPartnership.com> Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot From: James Bottomley To: David Laight , David Howells Cc: Linus Torvalds , Vivek Goyal , "yannik@sembritzki.me" , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , Justin Forbes , Peter Jones , Matthew Garrett Date: Thu, 16 Aug 2018 10:15:11 -0700 In-Reply-To: References: <1534432615.3166.5.camel@HansenPartnership.com> <20180815100053.13609-1-yannik@sembritzki.me> <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me> <20180815174247.GB29541@redhat.com> <20180815185812.GC29541@redhat.com> <20180815194932.GD29541@redhat.com> <20628.1534427487@warthog.procyon.org.uk> <30607.1534434597@warthog.procyon.org.uk> <1534435000.3166.9.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-08-16 at 16:56 +0000, David Laight wrote: > From: James Bottomley > > Sent: 16 August 2018 16:57 > > On Thu, 2018-08-16 at 16:49 +0100, David Howells wrote: > > > James Bottomley wrote: > > > > > > > > The problem with that is that it means you can't load third > > > > > party modules - such as the NVidia driver.  That's fine if > > > > > you absolutely reject the right of people to produce third > > > > > party drivers for the Linux kernel and absolutely require > > > > > that they open and upstream their code if they want in. > > > > > > > > So if you build your own kernel and want to load the nVidia > > > > module, you have the key to sign it. > > > > > > I think you have to assume that doing this is beyond most people. > > > > As a step by step process, I agree.  However, I think we can > > automate it to the point where you install a package and it says > > "insert your yubikey" every time you upgrade the kernel > > What about 3rd parties that want to release drivers that can be > loadedinto 'distribution' kernels? You'd follow the distributions external kernel module process, I think. > We can do that for windows (provided we've paid the 'driver signing > tax') because windows has a stable kernel DDI/DKI. > For Linux we have to release most of the driver as a binary 'blob' > and compile wrapper code on the target system with the correct kernel > headers. Right, that's the usual distribution kernel module approach. I'm most familiar with the SUSE DKMS packaging project, which has a lot of automation around this. I believe it's actually pretty easy to use from talking to people about it. Of course, SUSE doesn't currently use signed kernel modules, which makes the key issue a non problem for them ... > There is no way we could generate signed copies for every > 'distribution' kernel - even if there was a way to get them signed. > Even if we agreed to make our source code available it wouldn't be > accepted for inclusion in the kernel source tree. Well, I think for signed kernel modules the DKMS process could be adapted to generate a private key and then install the public component in the kernel, resign with the private key, put the private key in the MoK database and that means the DKMS process now has a key with which it could sign any kernel module at the request of the user. Of course the main problem will be guarding the private key. However, in the above process signing is under the control of the end user. I'm guessing you want signing to be under the control of an external third party or the distro, like the Microsoft case? In that case you have to either persuade the distros to run a signing service or persuade them to trust a third party to run it. James