Date: Wed, 2 Sep 2015 02:00:15 +0200
From: "Luis R. Rodriguez"
To: Mimi Zohar
Cc: David Woodhouse, David Howells, Andy Lutomirski, Kees Cook, "Roberts, William C", "linux-security-module@vger.kernel.org", linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, "james.l.morris@oracle.com", "serge@hallyn.com", Vitaly Kuznetsov, Paul Moore, Eric Paris, selinux@tycho.nsa.gov, Stephen Smalley, "Schaufler, Casey", "Luis R. Rodriguez", Dmitry Kasatkin, Greg Kroah-Hartman, Peter Jones, Takashi Iwai, Ming Lei, Joey Lee, "Vojtěch Pavlík", Kyle McMartin, Seth Forshee, Matthew Garrett, Johannes Berg, Julia Lawall, Jay Schulist, Daniel Borkmann, Alexei Starovoitov
Subject: Re: Linux Firmware Signing
Message-ID: <20150902000015.GV8051@wotan.suse.de>

On Mon, Aug 31, 2015 at 12:45:36PM -0400, Mimi Zohar wrote:
> On Mon, 2015-08-31 at 17:05 +0100, David Woodhouse wrote:
> > On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote:
> > > I'm not real happy about it, but since we can't break the existing ABI
> > > of loading data into the kernel via a buffer, a stop gap method of
> > > signing and verifying a buffer would be needed.
> >
> > Actually I think we can. The usermode helper is already being phased
> > out.
>
> Right. The discussion has moved beyond just firmware, but to policies
> and other things the kernel consumes.

And I'm saying that if the pitch here is we should be vetting *all* buffers passed to the kernel I'd agree a generic interface is desirable but more importantly I think we should get everyone on board first and it's not clear to me that has yet happened.

For the other interfaces we're discussing that *did* have an obvious file descriptor (struct fd), or file (struct file) use it would seem obvious to try to streamline that and share the code there (modules, firmware, kexec, initramfs, SELinux policy files), our only issues there were what to do about files that some distros require to be generated by machines and are machine specific (SELinux policy file in some cases, initramfs in some others) and for that Paul had suggested to consider the Machine Owner Key (MOK) -- but now for buffers.... it's news to me we had everyone up in arms in agreement on that crusade. I didn't even know such a crusade existed. I can see why, but was just not aware there was an effort to streamline a solution.

  Luis