Re: Linux Firmware Signing

2015-09-30 Thread Luis R. Rodriguez
On Thu, Sep 03, 2015 at 02:14:18PM -0700, Kees Cook wrote: > [removed bounced email addresses] > > On Wed, Sep 2, 2015 at 2:37 PM, Luis R. Rodriguez wrote: > > On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: > >> On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: > >> > On Tue,

Re: Linux Firmware Signing

2015-09-03 Thread Kees Cook
[removed bounced email addresses] On Wed, Sep 2, 2015 at 2:37 PM, Luis R. Rodriguez wrote: > On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: >> On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: >> > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: >> >> > OK great,

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Thu, 2015-09-03 at 02:29 +0200, Luis R. Rodriguez wrote: > On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote: > > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > We want something that is not only usefu

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote: > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > > OK great, I think that instead of passing the actual routine name we > > > > should > > > > instead pass

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 07:54:13PM -0400, Mimi Zohar wrote: > On Wed, 2015-09-02 at 01:43 +0200, Luis R. Rodriguez wrote: > > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > > > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > > > On Thu, Aug 27, 2015 at 07:54:33PM -040

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > OK great, I think that instead of passing the actual routine name we > > > should > > > instead pass an enum type for to the LSM, that'd be easier to parse and > > > we'

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 01:43 +0200, Luis R. Rodriguez wrote: > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > > > On Thu, 2015-08-27 at 23:29 +0200, Luis

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: > On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > >> > OK great, I think that instead of passing the actual routine name we > >> > should > >> > instead pass an e

Re: Linux Firmware Signing

2015-09-02 Thread Kees Cook
On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: >> > OK great, I think that instead of passing the actual routine name we should >> > instead pass an enum type for to the LSM, that'd be easier to parse and >> > we'd >> > then

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > OK great, I think that instead of passing the actual routine name we should > > instead pass an enum type for to the LSM, that'd be easier to parse and we'd > > then have each case well documented. Each LSM then could add its own > > d

Re: Linux Firmware Signing

2015-09-02 Thread Austin S Hemmelgarn
On 2015-09-02 12:45, Mimi Zohar wrote: On Wed, 2015-09-02 at 08:28 -0700, Kees Cook wrote: On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: On Mon, Aug 31, 2015 at 10:18:55AM -0400,

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 08:28 -0700, Kees Cook wrote: > On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: > > On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: > >> On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > >> > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > >> >>

Re: Linux Firmware Signing

2015-09-02 Thread Kees Cook
On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: > On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: >> On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: >> > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: >> >> > > eBPF/seccomp >> > >> > OK I knew nothing about this but I

Re: Linux Firmware Signing

2015-09-01 Thread Mimi Zohar
On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: > On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > >> > > eBPF/seccomp > > > > OK I knew nothing about this but I just looked into it, here are my notes: > > > > * old BP

Re: Linux Firmware Signing

2015-09-01 Thread Mimi Zohar
On Wed, 2015-09-02 at 02:09 +0200, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 01:20:37PM -0700, Kees Cook wrote: > > On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > > As long as the LSM know what kind of file it's loading, and has access > > to the fd (and for IMA, the blob loa

Re: Linux Firmware Signing

2015-09-01 Thread Kees Cook
On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: >> > > eBPF/seccomp > > OK I knew nothing about this but I just looked into it, here are my notes: > > * old BPF - how far do we want to go? This goes so far as to parsing >

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Tue, Sep 01, 2015 at 01:20:37PM -0700, Kees Cook wrote: > On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > Right so now that firmware usermode helper is behind us (systemd ripped it) > > we > > do the fs lookup d

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Mon, Aug 31, 2015 at 12:45:36PM -0400, Mimi Zohar wrote: > On Mon, 2015-08-31 at 17:05 +0100, David Woodhouse wrote: > > On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > > > I'm not real happy about it, but since we can't break the existing ABI > > > of loading data into the kernel via a b

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > > On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > > > > On Thu, Aug 27, 2015 at 10:57:23AM -000

Re: Linux Firmware Signing

2015-09-01 Thread Eric Paris
On Mon, 2015-08-31 at 22:52 -0400, Paul Moore wrote: > On Fri, Aug 28, 2015 at 10:03 PM, Luis R. Rodriguez > wrote: > > On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: > > > On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C > > > wrote: > > > > Even triggered updates make sense, sin

Re: Linux Firmware Signing

2015-09-01 Thread Joshua Brindle
...@vger.kernel.org; Greg Kroah-Hartman; Vitaly Kuznetsov; David Woodhouse Subject: Re: Linux Firmware Signing Paul Moore wrote: Yes, there are lots of ways we could solve the signed policy format issue, I just don't have one in mind at this moment. Also, to be honest, there are enough limitatio

Re: Linux Firmware Signing

2015-09-01 Thread Kees Cook
On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: >> In conversation with Mimi last week she was very keen on the model where >> we load modules & firmware in such a fashion that the kernel has access to >> the original ino

RE: Linux Firmware Signing

2015-09-01 Thread Roberts, William C
er.kernel.org; Andy Lutomirski; > linux- > security-mod...@vger.kernel.org; Greg Kroah-Hartman; Vitaly Kuznetsov; David > Woodhouse > Subject: Re: Linux Firmware Signing > > Paul Moore wrote: > > > > > Yes, there are lots of ways we could solve the signed policy format >

Re: Linux Firmware Signing

2015-09-01 Thread Joshua Brindle
Paul Moore wrote: Yes, there are lots of ways we could solve the signed policy format issue, I just don't have one in mind at this moment. Also, to be honest, there are enough limitations to signing SELinux policies that this isn't very high on my personal SELinux priority list. The fact that

Re: Linux Firmware Signing

2015-08-31 Thread Paul Moore
On Fri, Aug 28, 2015 at 10:03 PM, Luis R. Rodriguez wrote: > On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: >> On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C >> wrote: >> > Even triggered updates make sense, since you can at least have some form >> > of trust >> > of where that

Re: Linux Firmware Signing

2015-08-31 Thread Mimi Zohar
On Mon, 2015-08-31 at 17:05 +0100, David Woodhouse wrote: > On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > > I'm not real happy about it, but since we can't break the existing ABI > > of loading data into the kernel via a buffer, a stop gap method of > > signing and verifying a buffer would

Re: Linux Firmware Signing

2015-08-31 Thread David Woodhouse
On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > I'm not real happy about it, but since we can't break the existing ABI > of loading data into the kernel via a buffer, a stop gap method of > signing and verifying a buffer would be needed. Actually I think we can. The usermode helper is alrea

Re: Linux Firmware Signing

2015-08-31 Thread Mimi Zohar
On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > > > > Luis R. Rodriguez wrote: > > >

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > > > Luis R. Rodriguez wrote: > > > > > > > >> "PKCS#7: Add an optional authenticated attribute to hold

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: > On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C > wrote: > > Even triggered updates make sense, since you can at least have some form of > > trust > > of where that binary policy came from. > > It isn't always that simple, see my

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Fri, Aug 28, 2015 at 11:20:10AM +, Roberts, William C wrote: > > -Original Message- > > From: Paul Moore [mailto:p...@paul-moore.com] > > > > While I question the usefulness of a SELinux policy signature in the > > general case, > > there are some situations where it might make sen

Re: Linux Firmware Signing

2015-08-28 Thread Paul Moore
er, Casey; Luis R. Rodriguez; >> Dmitry Kasatkin; Greg Kroah-Hartman; Peter Jones; Takashi Iwai; Ming Lei; >> Joey >> Lee; Vojtěch Pavlík; Kyle McMartin; Seth Forshee; Matthew Garrett; Johannes >> Berg >> Subject: Re: Linux Firmware Signing >> >> On Thu,

RE: Linux Firmware Signing

2015-08-28 Thread Roberts, William C
shi Iwai; Ming Lei; Joey > Lee; Vojtěch Pavlík; Kyle McMartin; Seth Forshee; Matthew Garrett; Johannes > Berg > Subject: Re: Linux Firmware Signing > > On Thu, Aug 27, 2015 at 5:29 PM, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: &

Re: Linux Firmware Signing

2015-08-27 Thread Paul Moore
On Thu, Aug 27, 2015 at 5:29 PM, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > SELinux uses: security_load_policy(data, len), refer to selinuxfs > sel_load_ops. > Since its write operation on its file_operation is sel_write_load() and that > is as

Re: Linux Firmware Signing

2015-08-27 Thread Mimi Zohar
On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > > Luis R. Rodriguez wrote: > > > > > >> "PKCS#7: Add an optional authenticated attribute to hold firmware name" > > >> https://git.kernel.org/cgit/linux/kernel/git/dho

Re: Linux Firmware Signing

2015-08-27 Thread Paul Moore
On Thu, Aug 27, 2015 at 3:36 PM, Luis R. Rodriguez wrote: > On Wed, Aug 26, 2015 at 10:35:19PM -0400, Paul Moore wrote: >> On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez wrote: >> > On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: >> > Now let's review the SELinux stuff before w

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > Luis R. Rodriguez wrote: > > > >> "PKCS#7: Add an optional authenticated attribute to hold firmware name" > >> https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7&id=1448377a369993f864915743c

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 11:38:58AM +0100, David Howells wrote: > Luis R. Rodriguez wrote: > > > "PKCS#7: Add an optional authenticated attribute to hold firmware name" > > https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7&id=1448377a369993f864915743cfb34772

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Wed, Aug 26, 2015 at 10:35:19PM -0400, Paul Moore wrote: > On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez wrote: > > On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: > > Now let's review the SELinux stuff before we jump back into firmware / > > system > > data stuff again as

Re: Linux Firmware Signing

2015-08-27 Thread David Woodhouse
See http://www.infradead.org/rpr.html > Luis R. Rodriguez wrote: > >> "PKCS#7: Add an optional authenticated attribute to hold firmware name" >> https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7&id=1448377a369993f864915743cfb34772e730213good >> >>

Re: Linux Firmware Signing

2015-08-27 Thread David Howells
Luis R. Rodriguez wrote: > "PKCS#7: Add an optional authenticated attribute to hold firmware name" > https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7&id=1448377a369993f864915743cfb34772e730213good > > 1.3.6.1.4.1.2312.16 Linux kernel >

Re: Linux Firmware Signing

2015-08-26 Thread Paul Moore
On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez wrote: > On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: > Now let's review the SELinux stuff before we jump back into firmware / system > data stuff again as there is a joint criteria to consider for all of these. > For other peopl

Re: Linux Firmware Signing

2015-08-26 Thread Luis R. Rodriguez
On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: > Luis R. Rodriguez wrote: > > > But note, we also have kexec_file_load() syscall and an arch specific > > signature verification feature, arch_kexec_kernel_verify_sig(). > > Sad trombone, no LSM hook and only x86 supports this :( >