Re: [GIT PULL] Load keys from signed PE binaries

2013-03-20 Thread Stephen Rothwell
Hi David, On Wed, 20 Mar 2013 16:52:39 + David Howells wrote: > > David Howells wrote: > > > Stephen Rothwell wrote: > > > > > David, if I do remove it, are there other patches in your pekey tree that > > > are still going forward? > > > > No. > > Well, maybe. But feel free to drop it

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-20 Thread David Howells
David Howells wrote: > Stephen Rothwell wrote: > > > David, if I do remove it, are there other patches in your pekey tree that > > are still going forward? > > No. Well, maybe. But feel free to drop it anyway for the moment. David -- To unsubscribe from this list: send the line "unsubscribe

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-19 Thread David Howells
Stephen Rothwell wrote: > David, if I do remove it, are there other patches in your pekey tree that > are still going forward? No. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http:

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-17 Thread Stephen Rothwell
Hi Linus, On Thu, 21 Feb 2013 10:56:44 -0800 Linus Torvalds wrote: > > On Thu, Feb 21, 2013 at 10:34 AM, Peter Jones wrote: > > On Thu, Feb 21, 2013 at 10:25:47AM -0800, Linus Torvalds wrote: > >> - why do you bother with the MS keysigning of Linux kernel modules to > >> begin with? > > > > Th

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-01 Thread Gene Heskett
On Friday 01 March 2013, Matthew Garrett wrote: >On Wed, Feb 27, 2013 at 08:35:45PM +, ownssh wrote: >> Matthew Garrett srcf.ucam.org> writes: >> > There's no way to update the UEFI key database without the update >> > being signed by an already trusted key, so what you're proposing >> > isn't

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-01 Thread Matthew Garrett
On Wed, Feb 27, 2013 at 08:35:45PM +, ownssh wrote: > Matthew Garrett srcf.ucam.org> writes: > > > There's no way to update the UEFI key database without the update being > > signed by an already trusted key, so what you're proposing isn't > > possible. > > > > I'm confused. > Isn't custom

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-01 Thread Theodore Ts'o
On Fri, Mar 01, 2013 at 11:00:52AM +0100, Vojtech Pavlik wrote: > > Mr. Blackhat then can load his i_own_your_ring0.ko module signed by his > key on your system, having obtained root access previously. The question will be what does Mr. Blackhat do with this i_own_your_ring0.ko module. The FUD t

Re: [GIT PULL] Load keys from signed PE binaries

2013-03-01 Thread Vojtech Pavlik
On Thu, Feb 28, 2013 at 10:51:15PM +, Matthew Garrett wrote: > On Thu, Feb 28, 2013 at 11:48:06PM +0100, Jiri Kosina wrote: > > > Let me formulate my point more clearly -- Microsoft is very likely going to > > sign hello world EFI PE binary, no matter the contents of .keylist > > section, as th

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Jiri Kosina
On Fri, 1 Mar 2013, Matthew Garrett wrote: > > > If you've loaded an x.509 certificate into the kernel and it's later > > > revoked, any module signed with the key is going to be loadable until > > > it's revoked. I don't see an especially large difference here? > > > > i_own_your_ring0.ko can

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Fri, Mar 01, 2013 at 12:52:51AM +0100, Jiri Kosina wrote: > On Thu, 28 Feb 2013, Matthew Garrett wrote: > > If you've loaded an x.509 certificate into the kernel and it's later > > revoked, any module signed with the key is going to be loadable until > > it's revoked. I don't see an especially

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Jiri Kosina
On Thu, 28 Feb 2013, Matthew Garrett wrote: > > > Sure, if you've been infected before the revocation, you'll still be > > > infected. There's not really any good way around that. > > > > Which is a very substantial difference to normal X509 chain of trust, > > isn't it? > > If you've loaded a

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Fri, Mar 01, 2013 at 12:45:23AM +0100, Jiri Kosina wrote: > On Thu, 28 Feb 2013, Matthew Garrett wrote: > > Sure, if you've been infected before the revocation, you'll still be > > infected. There's not really any good way around that. > > Which is a very substantial difference to normal X509

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Jiri Kosina
On Thu, 28 Feb 2013, Matthew Garrett wrote: > > But the real harm is being done by the i_own_your_ring0.ko module, which > > can be modprobed on all the systems where the signed "hello world" binary > > has been keyctl-ed before it was blacklisted. > > Sure, if you've been infected before the r

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Fri, Mar 01, 2013 at 12:02:43AM +0100, Jiri Kosina wrote: > But the real harm is being done by the i_own_your_ring0.ko module, which > can be modprobed on all the systems where the signed "hello world" binary > has been keyctl-ed before it was blacklisted. Sure, if you've been infected befor

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Jiri Kosina
On Thu, 28 Feb 2013, Matthew Garrett wrote: > > Let me formulate my point more clearly -- Microsoft is very likely going to > > sign hello world EFI PE binary, no matter the contents of .keylist > > section, as they don't give a damn about this section, as it has zero > > semantic value to them, r

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Thu, Feb 28, 2013 at 11:48:06PM +0100, Jiri Kosina wrote: > Let me formulate my point more clearly -- Microsoft is very likely going to > sign hello world EFI PE binary, no matter the contents of .keylist > section, as they don't give a damn about this section, as it has zero > semantic value t

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Jiri Kosina
On Thu, 21 Feb 2013, David Howells wrote: > The way we have come up with to get around this is to embed an X.509 > certificate containing the key in a section called ".keylist" in an EFI PE > binary and then get the binary signed by Microsoft. The key can then be > passed > to the kernel by pass

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Thu, Feb 28, 2013 at 09:23:45PM +0100, Florian Weimer wrote: > * Matthew Garrett: > > grub's running before ExitBootServices(), because otherwise it has no > > way to actually read anything off disk. Or draw to the screen. > > Sorry, if Linux can read from the disk after ExitBootServices(), so

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Matthew Garrett: > On Thu, Feb 28, 2013 at 08:41:13PM +0100, Florian Weimer wrote: >> * Matthew Garrett: >> >> >> Would it be possible to have a signed bootloader that allows booting >> >> Win8 from within the secure environment, or it could exit the secure >> >> environment and run unsigned gr

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Thu, Feb 28, 2013 at 08:41:13PM +0100, Florian Weimer wrote: > * Matthew Garrett: > > >> Would it be possible to have a signed bootloader that allows booting > >> Win8 from within the secure environment, or it could exit the secure > >> environment and run unsigned grub? > > > > What would stop

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Matthew Garrett: >> Would it be possible to have a signed bootloader that allows booting >> Win8 from within the secure environment, or it could exit the secure >> environment and run unsigned grub? > > What would stop the unsigned grub from installing a firmware hook that > lies about whether

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Matthew Garrett
On Thu, Feb 28, 2013 at 09:43:10AM -0600, Chris Friesen wrote: > On 02/28/2013 01:57 AM, Florian Weimer wrote: > > >In any case, there's another reading of the UEFI Secure Boot > >requirements: you may run any code you wish after calling > >ExitBootServices(). That could be an unsigned, tradition

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Chris Friesen: > On 02/28/2013 01:57 AM, Florian Weimer wrote: > >> In any case, there's another reading of the UEFI Secure Boot >> requirements: you may run any code you wish after calling >> ExitBootServices(). That could be an unsigned, traditional GRUB. But >> this will not generally addre

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Chris Friesen
On 02/28/2013 01:57 AM, Florian Weimer wrote: In any case, there's another reading of the UEFI Secure Boot requirements: you may run any code you wish after calling ExitBootServices(). That could be an unsigned, traditional GRUB. But this will not generally address the issue of dual-booting Wi

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Greg KH: > On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: >> Because Microsoft have indicated that they'd be taking a reactive >> approach to blacklisting and because, so far, nobody has decided to >> write the trivial proof of concept that demonstrates the problem. > > So, o

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Paolo Bonzini
On 28/02/2013 07:27, Geert Uytterhoeven wrote: > I thought it was about market segmentation? Charge $$$ for the model with VT > enabled. No, there's the Atom that doesn't come with virtualization extensions at all. But things like Bluepill are the reason why you have to enable VT manually.

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Geert Uytterhoeven
On Wed, Feb 27, 2013 at 10:31 PM, Dave Airlie wrote: > On Thu, Feb 28, 2013 at 1:24 AM, Theodore Ts'o wrote: >> On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote: >>> No, no, no. Quit saying nobody knows. We've got a pretty good idea - >>> we've got a contract with them, and it says t

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Dave Airlie
On Thu, Feb 28, 2013 at 1:24 AM, Theodore Ts'o wrote: > On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote: >> No, no, no. Quit saying nobody knows. We've got a pretty good idea - >> we've got a contract with them, and it says they provide the signing >> service, and under circumstances

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread ownssh
Matthew Garrett srcf.ucam.org> writes: > There's no way to update the UEFI key database without the update being > signed by an already trusted key, so what you're proposing isn't > possible. > I'm confused. Can't custom mode add the user's own key? > http://mjg59.dreamwidth.org/12368.html > Bu

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Theodore Ts'o
On Wed, Feb 27, 2013 at 01:21:03PM -0600, Chris Friesen wrote: > > I think it'd need to be "doesn't notice operationally when running > the virtualized Windows install". > > Anyone going through all the trouble to virtualize an existing > install could probably arrange to have the target computer

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Chris Friesen
On 02/27/2013 11:59 AM, Theodore Ts'o wrote: On Wed, Feb 27, 2013 at 11:36:09AM -0600, Chris Friesen wrote: ... At this point you've got a running infected Win8 install that is running on Secure Boot hardware but is actually running malware. Admittedly this would be tricky to do reliably in a w

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Paolo Bonzini
On 27/02/2013 18:36, Chris Friesen wrote: > On 02/27/2013 09:24 AM, Theodore Ts'o wrote: >> On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote: >>> No, no, no. Quit saying nobody knows. We've got a pretty good idea - >>> we've got a contract with them, and it says they provide the s

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Theodore Ts'o
On Wed, Feb 27, 2013 at 11:36:09AM -0600, Chris Friesen wrote: > ... > At this point you've got a running infected Win8 install that is > running on Secure Boot hardware but is actually running malware. > > Admittedly this would be tricky to do reliably in a way that the > user doesn't notice, so

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Chris Friesen
On 02/27/2013 09:24 AM, Theodore Ts'o wrote: On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote: No, no, no. Quit saying nobody knows. We've got a pretty good idea - we've got a contract with them, and it says they provide the signing service, and under circumstances where the thing b

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Eric W. Biederman
Vivek Goyal writes: > On Tue, Feb 26, 2013 at 10:30:45AM -0500, Vivek Goyal wrote: >> On Tue, Feb 26, 2013 at 04:57:47AM +, Matthew Garrett wrote: >> >> [..] >> > > - encourage things like per-host random keys - with the stupid UEFI >> > > checks disabled entirely if required. They are almo

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Theodore Ts'o
On Tue, Feb 26, 2013 at 11:54:51AM -0500, Peter Jones wrote: > No, no, no. Quit saying nobody knows. We've got a pretty good idea - > we've got a contract with them, and it says they provide the signing > service, and under circumstances where the thing being signed is found > to enable malware t

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Matthew Garrett
On Wed, Feb 27, 2013 at 09:35:24AM +, ownssh wrote: > I think, redhat should have their own root key to sign binary files. > Bootloader of install media can be sign by MS certificates, but only use to > add > the redhat root key to UEFI database before install. There's no way to update the U

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Peter Jones
On Wed, Feb 27, 2013 at 01:32:30PM +0100, Geert Uytterhoeven wrote: > On Tue, Feb 26, 2013 at 11:06 PM, Peter Jones wrote: > > On Tue, Feb 26, 2013 at 10:57:38PM +0100, Geert Uytterhoeven wrote: > > > >> BTW, I assume UEFI checks itself if enrolled hashes have been revoked, > >> so it must phone h

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Matthew Garrett
On Wed, Feb 27, 2013 at 01:32:30PM +0100, Geert Uytterhoeven wrote: > So revocation will only be done by the guest OS? > I.e. if I only boot my own trusted Linux, even if it's signed with the MS key, > the MS key _on my system_ will never be revoked? As long as you never apply any updates that wi

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Geert Uytterhoeven
On Tue, Feb 26, 2013 at 11:06 PM, Peter Jones wrote: > On Tue, Feb 26, 2013 at 10:57:38PM +0100, Geert Uytterhoeven wrote: > >> BTW, I assume UEFI checks itself if enrolled hashes have been revoked, >> so it must phone home to some server? That must be disabled as well. > > No. Quit fearmongering

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread James Courtier-Dutton
On 27 February 2013 11:27, Alexander Holler wrote: > On 27.02.2013 11:17, James Courtier-Dutton wrote: > > >> 3) Trust based on date. I trust everything from X that I put on my >> system 2 weeks ago, but one week ago X got hacked, so don't trust >> anything new from them until the hack has been

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread Alexander Holler
On 27.02.2013 11:17, James Courtier-Dutton wrote: 3) Trust based on date. I trust everything from X that I put on my system 2 weeks ago, but one week ago X got hacked, so don't trust anything new from them until the hack has been stopped and the revocation/correction steps have been completed.

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread James Courtier-Dutton
On 27 February 2013 09:35, ownssh wrote: > David Howells redhat.com> writes: > >> >> >> Florian Weimer deneb.enyo.de> wrote: >> >> > Seriously, folks, can we go back one step and discuss what problem you >> > are trying to solve? Is it about allowing third-party kernel modules >> > in an enviro

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-27 Thread ownssh
David Howells redhat.com> writes: > > > Florian Weimer deneb.enyo.de> wrote: > > > Seriously, folks, can we go back one step and discuss what problem you > > are trying to solve? Is it about allowing third-party kernel modules > > in an environment which does not allow unsigned ring 0 code e

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Al Viro
On Tue, Feb 26, 2013 at 04:40:53PM -0500, Peter Jones wrote: > It prevents a form of malware which exists in the wild. I think that's > enough reason to want *something*, though SB isn't necessarily what > we'd have dreamed of. Nevertheless, SB is what we've got, and as such > is why we've been

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Chris Friesen
On 02/26/2013 03:40 PM, Florian Weimer wrote: * Chris Friesen: On 02/25/2013 10:14 AM, Matthew Garrett wrote: Windows 8 will not load unsigned drivers if Secure Boot is enabled. For reference: http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062%28v=vs.85%29.aspx Thanks. Do y

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Peter Jones
On Tue, Feb 26, 2013 at 10:57:38PM +0100, Geert Uytterhoeven wrote: > BTW, I assume UEFI checks itself if enrolled hashes have been revoked, > so it must phone home to some server? That must be disabled as well. No. Quit fearmongering. -- Peter -- To unsubscribe from this list: send the

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Geert Uytterhoeven
On Tue, Feb 26, 2013 at 5:43 AM, Linus Torvalds wrote: > On Mon, Feb 25, 2013 at 8:23 PM, Matthew Garrett wrote: >> If the user has explicitly enrolled a hash then they're stepping outside >> the trust model. > > This is the kind of totally bogus crap that no sane person should ever > spout. Stop

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Peter Jones
On Tue, Feb 26, 2013 at 10:30:46PM +0100, Florian Weimer wrote: > * Linus Torvalds: > > > So here's what I would suggest, and it is based on REAL SECURITY and > > on PUTTING THE USER FIRST instead of your continual "let's please > > microsoft by doing idiotic crap" approach. > > I think the real

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Chris Friesen: > On 02/25/2013 10:14 AM, Matthew Garrett wrote: >> Windows 8 will not load unsigned drivers if Secure Boot is enabled. > > For reference: > > http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062%28v=vs.85%29.aspx Thanks. Do you know perchance of any other Microsoft

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Linus Torvalds: > So here's what I would suggest, and it is based on REAL SECURITY and > on PUTTING THE USER FIRST instead of your continual "let's please > microsoft by doing idiotic crap" approach. I think the real question is this one: Is there *any* device out there which comes with Microso

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Matthew Garrett: > On Mon, Feb 25, 2013 at 03:28:32PM +0100, Florian Weimer wrote: > >> But what puzzles me most is why anyone would assume that the UEFI >> application signing process somehow ensures that the embedded >> certificate is non-malicious. We cannot even track it back to the >> subm

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Matthew Garrett
On Tue, Feb 26, 2013 at 08:40:53PM +0100, Florian Weimer wrote: > | No, there's no way to set the legacy boot as the default option. > > > > So non-interactive booting of alternative operating systems is *not* > supported. This is

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Matthew Garrett
On Tue, Feb 26, 2013 at 08:30:17PM +0100, Florian Weimer wrote: > I'm sure many folks have read > ("Implementing UEFI Secure Boot in Fedora", 2012-30-05) and similar > analysis and came away with the impression of a rather open, automated > signing process,

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Theodore Ts'o: > On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: >> >> It's a simple argument, MS can revoke our keys for whatever reason, >> reducing the surface area of reasons for them to do so seems like a >> good idea. Unless someone can read the mind of the MS guy that >> arbi

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Matthew Garrett: > On Mon, Feb 25, 2013 at 10:25:08PM -0500, Theodore Ts'o wrote: >> On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: >> > >> > Because Microsoft have indicated that they'd be taking a reactive >> > approach to blacklisting and because, so far, nobody has decide

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Peter Jones
On Mon, Feb 25, 2013 at 11:45:21PM -0500, Theodore Ts'o wrote: > On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: > > > > It's a simple argument, MS can revoke our keys for whatever reason, > > reducing the surface area of reasons for them to do so seems like a > > good idea. Unless som

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Greg KH
On Tue, Feb 26, 2013 at 03:11:41PM +, David Howells wrote: > Greg KH wrote: > > > > (6) To maintain secure boot mode, the kernel must be signed and the boot > > > loader must check the signature on it. The key must be either > > > compiled > > > into the bootloader (and thus vali

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Kent Yoder
On Tue, Feb 26, 2013 at 4:21 AM, Matthew Garrett wrote: > On Tue, Feb 26, 2013 at 02:07:22AM -0800, Raymond Jennings wrote: >> Just curious here, but is this as much of an issue if a user is >> somehow able to take ownership of his own machine? > > No, if you're doing your own key management then

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Vivek Goyal
On Tue, Feb 26, 2013 at 10:30:45AM -0500, Vivek Goyal wrote: > On Tue, Feb 26, 2013 at 04:57:47AM +, Matthew Garrett wrote: > > [..] > > > - encourage things like per-host random keys - with the stupid UEFI > > > checks disabled entirely if required. They are almost certainly going > > > to b

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Vivek Goyal
On Tue, Feb 26, 2013 at 04:57:47AM +, Matthew Garrett wrote: [..] > > - encourage things like per-host random keys - with the stupid UEFI > > checks disabled entirely if required. They are almost certainly going > > to be *more* secure than depending on some crazy root of trust based > > on a

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread David Howells
Greg KH wrote: > > (6) To maintain secure boot mode, the kernel must be signed and the boot > > loader must check the signature on it. The key must be either compiled > > into the bootloader (and thus validated by the bootloader signature) or > > must reside in the UEFI database.

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Raymond Jennings
My two cents on this subject btw is that anything to do with Microsoft's intentions or plans is an issue of policy that belongs entirely in userspace. "mechanism, not policy" Besides, what do modules have to do with this if we're talking about UEFI? Doesn't the kernel have to be loaded before mo

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Jiri Kosina
On Mon, 25 Feb 2013, David Howells wrote: > (G) Suspend to disk. This is not permitted if it's possible to then alter > the image and resume it. Tangential to this discussion, but worth mentioning anyway: this can be solved in a secure way in cooperation with trusted bootloader (such as s

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Matthew Garrett
On Tue, Feb 26, 2013 at 02:07:22AM -0800, Raymond Jennings wrote: > Just curious here, but is this as much of an issue if a user is > somehow able to take ownership of his own machine? No, if you're doing your own key management then it's no problem at all. > I'm assuming this is related to TPM

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Theodore Ts'o
Dave, Here's a further thought, extending on the analogy with closed graphics hardware which requires proprietary drivers. We _could_ have made life easier for users who had the misfortune of purchasing closed hardware. We could have tied ourselves in knots and promulgated a stable kernel ABI, s

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Theodore Ts'o
On Tue, Feb 26, 2013 at 02:55:32PM +1000, Dave Airlie wrote: > > So it would be nice if LF could undertake to go and talk to Microsoft, > and get vague opinions turned into something real. Uh, folks like James and Greg K-H have talked to folks at Microsoft I haven't talked to the folks at Mic

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 08:43:59PM -0800, Linus Torvalds wrote: > On Mon, Feb 25, 2013 at 8:23 PM, Matthew Garrett wrote: > > > > If the user has explicitly enrolled a hash then they're stepping outside > > the trust model. > > This is the kind of totally bogus crap that no sane person should eve

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 08:31:08PM -0800, Linus Torvalds wrote: > On Mon, Feb 25, 2013 at 7:48 PM, Matthew Garrett wrote: > > > > Our users want to be able to boot Linux. If Microsoft blacklist a > > distribution's bootloader, that user isn't going to be able to boot > > Linux any more. How does t

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Dave Airlie
On Tue, Feb 26, 2013 at 2:45 PM, Theodore Ts'o wrote: > On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: >> >> It's a simple argument, MS can revoke our keys for whatever reason, >> reducing the surface area of reasons for them to do so seems like a >> good idea. Unless someone can read

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: > >> > >> Right. We've failed at creating an alternative. That doesn't mean that > >> we get to skip the responsibilities associated with the choice we've > >> made. > > > > Wait, who is "we" here? The community? The community over-all

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Theodore Ts'o
On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: > > It's a simple argument, MS can revoke our keys for whatever reason, > reducing the surface area of reasons for them to do so seems like a > good idea. Unless someone can read the mind of the MS guy that > arbitrarily decides this in 5

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Linus Torvalds
On Mon, Feb 25, 2013 at 8:23 PM, Matthew Garrett wrote: > > If the user has explicitly enrolled a hash then they're stepping outside > the trust model. This is the kind of totally bogus crap that no sane person should ever spout. Stop it. If the user has explicitly enrolled a hash, then that sho

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Linus Torvalds
On Mon, Feb 25, 2013 at 7:48 PM, Matthew Garrett wrote: > > Our users want to be able to boot Linux. If Microsoft blacklist a > distribution's bootloader, that user isn't going to be able to boot > Linux any more. How does that benefit our users? How does bringing up an unlikely and bogus scenari

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Dave Airlie
>> >> Right. We've failed at creating an alternative. That doesn't mean that >> we get to skip the responsibilities associated with the choice we've >> made. > > Wait, who is "we" here? The community? The community over-all didn't > agree with anything with Microsoft, that is between the people g

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 08:13:24PM -0800, Greg KH wrote: > On Tue, Feb 26, 2013 at 04:04:56AM +, Matthew Garrett wrote: > > There's no reason for the LF or generic shim to be blacklisted, since > > neither will load anything without manual intervention. But that also > > means that anyone try

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 04:04:56AM +, Matthew Garrett wrote: > On Mon, Feb 25, 2013 at 07:54:16PM -0800, Greg KH wrote: > > On Tue, Feb 26, 2013 at 03:38:04AM +, Matthew Garrett wrote: > > > On Mon, Feb 25, 2013 at 07:31:56PM -0800, Greg KH wrote: > > > > So, once that proof is written, sud

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:54:16PM -0800, Greg KH wrote: > On Tue, Feb 26, 2013 at 03:38:04AM +, Matthew Garrett wrote: > > On Mon, Feb 25, 2013 at 07:31:56PM -0800, Greg KH wrote: > > > So, once that proof is written, suddenly all of the working Linux > > > distros's keys will be revoked? Tha

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 03:38:04AM +, Matthew Garrett wrote: > On Mon, Feb 25, 2013 at 07:31:56PM -0800, Greg KH wrote: > > On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > > > Because Microsoft have indicated that they'd be taking a reactive > > > approach to blacklisting an

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Theodore Ts'o
On Tue, Feb 26, 2013 at 03:28:39AM +, Matthew Garrett wrote: > You're happy advising Linux vendors that they don't need to worry about > module signing because it's "not obvious" that Microsoft would actually > enforce the security model they've spent significant money developing > and adver

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:45:24PM -0800, Linus Torvalds wrote: > On Mon, Feb 25, 2013 at 7:42 PM, Matthew Garrett wrote: > > > > The user Microsoft care about isn't running Linux > > How f*cking hard is it for you to understand? > > Stop arguing about what MS wants. We do not care. We care about

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Linus Torvalds
On Mon, Feb 25, 2013 at 7:42 PM, Matthew Garrett wrote: > > The user Microsoft care about isn't running Linux How f*cking hard is it for you to understand? Stop arguing about what MS wants. We do not care. We care about the *user*. You are continually missing the whole point of security, and then

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:40:31PM -0800, Greg KH wrote: > What "vendor" is there in this case? You released a signed shim, as did > the Linux Foundation, and lots of distros are now using it, and there > are absolutely no "organization" behind a bunch of them. Will your > signed shim be revoked

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:32:04PM -0800, Linus Torvalds wrote: > On Mon, Feb 25, 2013 at 7:28 PM, Matthew Garrett wrote: > > > > You're happy advising Linux vendors that they don't need to worry about > > module signing because it's "not obvious" that Microsoft would actually > > enforce the secu

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 03:28:39AM +, Matthew Garrett wrote: > On Mon, Feb 25, 2013 at 10:25:08PM -0500, Theodore Ts'o wrote: > > On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > > > > > > Because Microsoft have indicated that they'd be taking a reactive > > > approach to bl

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:31:56PM -0800, Greg KH wrote: > On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > > Because Microsoft have indicated that they'd be taking a reactive > > approach to blacklisting and because, so far, nobody has decided to > > write the trivial proof of

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Linus Torvalds
On Mon, Feb 25, 2013 at 7:28 PM, Matthew Garrett wrote: > > You're happy advising Linux vendors that they don't need to worry about > module signing because it's "not obvious" that Microsoft would actually > enforce the security model they've spent significant money developing > and advertising?

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > On Mon, Feb 25, 2013 at 07:02:49PM -0800, Greg KH wrote: > > On Tue, Feb 26, 2013 at 02:33:32AM +, Matthew Garrett wrote: > > > Oh, come on Greg. Allowing unsigned modules allows loading arbitrary > > > code into the kernel, an

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 10:25:08PM -0500, Theodore Ts'o wrote: > On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > > > > Because Microsoft have indicated that they'd be taking a reactive > > approach to blacklisting and because, so far, nobody has decided to > > write the trivia

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Theodore Ts'o
On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: > > Because Microsoft have indicated that they'd be taking a reactive > approach to blacklisting and because, so far, nobody has decided to > write the trivial proof of concept that demonstrates the problem. Microsoft would take a

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 07:02:49PM -0800, Greg KH wrote: > On Tue, Feb 26, 2013 at 02:33:32AM +, Matthew Garrett wrote: > > Oh, come on Greg. Allowing unsigned modules allows loading arbitrary > > code into the kernel, and allowing arbitrary code into the kernel means > > that the kernel can

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Tue, Feb 26, 2013 at 02:33:32AM +, Matthew Garrett wrote: > On Mon, Feb 25, 2013 at 04:59:55PM -0800, Greg KH wrote: > > > Wait right here. This is NOT mandated by UEFI, nor by anyone else. It > > might be a nice thing that some people and companies want to implement, > > but please don't

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 04:59:55PM -0800, Greg KH wrote: > Wait right here. This is NOT mandated by UEFI, nor by anyone else. It > might be a nice thing that some people and companies want to implement, > but please don't think that some external entity is requiring that Linux > implement this,

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Greg KH
On Mon, Feb 25, 2013 at 11:51:05PM +, David Howells wrote: > > Florian Weimer wrote: > > > Seriously, folks, can we go back one step and discuss what problem you > > are trying to solve? Is it about allowing third-party kernel modules > > in an environment which does not allow unsigned ring

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread David Howells
Florian Weimer wrote: > Seriously, folks, can we go back one step and discuss what problem you > are trying to solve? Is it about allowing third-party kernel modules > in an environment which does not allow unsigned ring 0 code execution? Let me try and lay things out: (1) Like it or not, th

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Chris Friesen
On 02/25/2013 10:14 AM, Matthew Garrett wrote: On Mon, Feb 25, 2013 at 04:50:50PM +0100, Florian Weimer wrote: * Matthew Garrett: On Mon, Feb 25, 2013 at 03:46:14PM +0100, Florian Weimer wrote: You could just drop the requirement that ring 0 code must be signed. I don't think Windows 8 enfor

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 04:50:50PM +0100, Florian Weimer wrote: > * Matthew Garrett: > > > On Mon, Feb 25, 2013 at 03:46:14PM +0100, Florian Weimer wrote: > > > >> You could just drop the requirement that ring 0 code must be signed. > >> I don't think Windows 8 enforces this, but I'm not yet sure

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Florian Weimer
* Matthew Garrett: > On Mon, Feb 25, 2013 at 03:46:14PM +0100, Florian Weimer wrote: > >> You could just drop the requirement that ring 0 code must be signed. >> I don't think Windows 8 enforces this, but I'm not yet sure if there >> is a physical presence check before you can enter a mode in whic

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 03:28:32PM +0100, Florian Weimer wrote: > But what puzzles me most is why anyone would assume that the UEFI > application signing process somehow ensures that the embedded > certificate is non-malicious. We cannot even track it back to the > submitter because the third-par

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Matthew Garrett
On Mon, Feb 25, 2013 at 03:33:12PM +0100, Florian Weimer wrote: > * Matthew Garrett: > > > I don't think that's a problem. Just put the original binary hash in the > > certificate before signing it, and extend the X.509 parser to refuse > > certificates that have a tag that's present in dbx. >
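The dbx check Matthew Garrett refers to above (refusing anything whose hash is listed in the UEFI forbidden-signature database) can be prototyped outside firmware. The following is an added example, not code from this thread or from the kernel's pekey tree: it parses the chain of EFI_SIGNATURE_LIST structures in which the UEFI db/dbx variables are stored and rejects a binary, or the hash "tag" a certificate might carry, when it matches a SHA-256 entry. The dbx bytes and the sample binaries are constructed inline for illustration, and the function names are this example's own. One caveat: firmware hashes a PE image in Authenticode form (skipping the CheckSum field and the certificate table), so the flat SHA-256 of a file used here stands in for that digest and would not match a real dbx entry for a signed PE.

```python
"""Parse a UEFI dbx blob (chain of EFI_SIGNATURE_LIST) and check hashes against it.

Added example, not code from the LKML thread or the kernel. The dbx data built
by the helper below is constructed for illustration, not a real dbx dump.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification (EFI_CERT_*_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
LIST_HDR = 28
# Each EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID.
OWNER_LEN = 16


def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, signature_data), ...] for every entry
    in a db/dbx variable blob. Raises ValueError on a malformed blob rather
    than silently ignoring trailing or truncated lists."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < OWNER_LEN:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = blob[off + LIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_LEN])
            entries.append((type_guid, owner, body[i + OWNER_LEN:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(type_guid, sigs, owner=uuid.UUID(int=0)):
    """Serialise one EFI_SIGNATURE_LIST with no signature header. All entries
    in one list must have the same length (the format requires it). Used here
    to construct sample dbx data (hypothetical, not a vendor's dbx)."""
    sig_size = OWNER_LEN + len(sigs[0])
    if any(len(s) != len(sigs[0]) for s in sigs):
        raise ValueError("mixed signature sizes in one list")
    body = b"".join(owner.bytes_le + s for s in sigs)
    return type_guid.bytes_le + struct.pack("<III", LIST_HDR + len(body), 0, sig_size) + body


def forbidden_hashes(dbx_blob):
    """The set of SHA-256 digests dbx forbids (X.509 entries are ignored here)."""
    return {data for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def tag_is_revoked(tag_hash, dbx_blob):
    """The check described in the thread: a certificate carrying the original
    binary's hash as a tag is refused if that tag appears in dbx."""
    return tag_hash in forbidden_hashes(dbx_blob)


def binary_is_revoked(binary, dbx_blob):
    """Flat SHA-256 stand-in for the Authenticode digest firmware would use."""
    return tag_is_revoked(hashlib.sha256(binary).digest(), dbx_blob)


if __name__ == "__main__":
    # Constructed dbx: two forbidden hashes plus one (dummy) X.509 entry.
    revoked = hashlib.sha256(b"revoked-binary").digest()
    dbx = (build_signature_list(EFI_CERT_SHA256_GUID, [revoked, hashlib.sha256(b"x").digest()])
           + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 10]))
    print("entries:", len(parse_signature_lists(dbx)))
    print("revoked-binary refused:", binary_is_revoked(b"revoked-binary", dbx))
    print("other binary refused:", binary_is_revoked(b"other", dbx))
```

The parser validates every size field before slicing, so a truncated or inconsistent variable is reported instead of yielding a partial allow/deny decision; in a real boot path the same strictness matters, because a dbx that silently parses short is a dbx that forbids less than the vendor intended.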
