Re: Linux Firmware Signing

2015-09-30 Thread Luis R. Rodriguez
On Thu, Sep 03, 2015 at 02:14:18PM -0700, Kees Cook wrote: > [removed bounced email addresses] > > On Wed, Sep 2, 2015 at 2:37 PM, Luis R. Rodriguez wrote: > > On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: > >> On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez

Re: Linux Firmware Signing

2015-09-03 Thread Kees Cook
[removed bounced email addresses] On Wed, Sep 2, 2015 at 2:37 PM, Luis R. Rodriguez wrote: > On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: >> On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: >> > On Tue, Sep 01, 2015 at 11:35:05PM -0400,

Re: Linux Firmware Signing

2015-09-02 Thread Kees Cook
On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: > On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: >> On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: >> > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: >> >> > > eBPF/seccomp

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 08:28 -0700, Kees Cook wrote: > On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: > > On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: > >> On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > >> > On Mon, Aug 31, 2015 at

Re: Linux Firmware Signing

2015-09-02 Thread Austin S Hemmelgarn
On 2015-09-02 12:45, Mimi Zohar wrote: On Wed, 2015-09-02 at 08:28 -0700, Kees Cook wrote: On Tue, Sep 1, 2015 at 8:44 PM, Mimi Zohar wrote: On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > OK great, I think that instead of passing the actual routine name we should > > instead pass an enum type for to the LSM, that'd be easier to parse and we'd > > then have each case well documented. Each LSM then could add its own > >

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 07:54:13PM -0400, Mimi Zohar wrote: > On Wed, 2015-09-02 at 01:43 +0200, Luis R. Rodriguez wrote: > > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > > > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > > > On Thu, Aug 27, 2015 at 07:54:33PM

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 01:43 +0200, Luis R. Rodriguez wrote: > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > > > On Thu, 2015-08-27 at 23:29 +0200,

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > OK great, I think that instead of passing the actual routine name we > > > should > > > instead pass an enum type for to the LSM, that'd be easier to parse and > > >

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote: > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > > OK great, I think that instead of passing the actual routine name we > > > > should > > > > instead

Re: Linux Firmware Signing

2015-09-02 Thread Mimi Zohar
On Thu, 2015-09-03 at 02:29 +0200, Luis R. Rodriguez wrote: > On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote: > > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote: > > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > > > We want something that is not only

Re: Linux Firmware Signing

2015-09-02 Thread Kees Cook
On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: >> > OK great, I think that instead of passing the actual routine name we should >> > instead pass an enum type for to the LSM, that'd be easier to parse and

Re: Linux Firmware Signing

2015-09-02 Thread Luis R. Rodriguez
On Wed, Sep 02, 2015 at 01:54:43PM -0700, Kees Cook wrote: > On Wed, Sep 2, 2015 at 11:46 AM, Luis R. Rodriguez wrote: > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote: > >> > OK great, I think that instead of passing the actual routine name we > >> > should > >> >

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > > On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > > > > On Thu, Aug 27, 2015 at 10:57:23AM

Re: Linux Firmware Signing

2015-09-01 Thread Kees Cook
On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: >> > > eBPF/seccomp > > OK I knew nothing about this but I just looked into it, here are my notes: > > * old BPF - how far do we want to go? This goes so far

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Mon, Aug 31, 2015 at 12:45:36PM -0400, Mimi Zohar wrote: > On Mon, 2015-08-31 at 17:05 +0100, David Woodhouse wrote: > > On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > > > I'm not real happy about it, but since we can't break the existing ABI > > > of loading data into the kernel via a

Re: Linux Firmware Signing

2015-09-01 Thread Luis R. Rodriguez
On Tue, Sep 01, 2015 at 01:20:37PM -0700, Kees Cook wrote: > On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > Right so now that firmware usermode helper is behind us (systemd ripped it) > > we > >

RE: Linux Firmware Signing

2015-09-01 Thread Roberts, William C
er.kernel.org; Andy Lutomirski; > linux- > security-mod...@vger.kernel.org; Greg Kroah-Hartman; Vitaly Kuznetsov; David > Woodhouse > Subject: Re: Linux Firmware Signing > > Paul Moore wrote: > > > > > Yes, there are lots of ways we could solve the signed policy format

Re: Linux Firmware Signing

2015-09-01 Thread Joshua Brindle
...@vger.kernel.org; Greg Kroah-Hartman; Vitaly Kuznetsov; David Woodhouse Subject: Re: Linux Firmware Signing Paul Moore wrote: Yes, there are lots of ways we could solve the signed policy format issue, I just don't have one in mind at this moment. Also, to be honest, there are enough limitations

Re: Linux Firmware Signing

2015-09-01 Thread Eric Paris
On Mon, 2015-08-31 at 22:52 -0400, Paul Moore wrote: > On Fri, Aug 28, 2015 at 10:03 PM, Luis R. Rodriguez > wrote: > > On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: > > > On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C > > > wrote:

Re: Linux Firmware Signing

2015-09-01 Thread Kees Cook
On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: >> In conversation with Mimi last week she was very keen on the model where >> we load modules & firmware in such a fashion that the kernel has access to

Re: Linux Firmware Signing

2015-09-01 Thread Mimi Zohar
On Tue, 2015-09-01 at 20:08 -0700, Kees Cook wrote: > On Tue, Sep 1, 2015 at 4:43 PM, Luis R. Rodriguez wrote: > > On Mon, Aug 31, 2015 at 10:18:55AM -0400, Mimi Zohar wrote: > >> > > eBPF/seccomp > > > > OK I knew nothing about this but I just looked into it, here are my notes:

Re: Linux Firmware Signing

2015-09-01 Thread Mimi Zohar
On Wed, 2015-09-02 at 02:09 +0200, Luis R. Rodriguez wrote: > On Tue, Sep 01, 2015 at 01:20:37PM -0700, Kees Cook wrote: > > On Thu, Aug 27, 2015 at 2:29 PM, Luis R. Rodriguez wrote: > > As long as the LSM know what kind of file it's loading, and has access > > to the fd (and for

Re: Linux Firmware Signing

2015-09-01 Thread Joshua Brindle
Paul Moore wrote: Yes, there are lots of ways we could solve the signed policy format issue, I just don't have one in mind at this moment. Also, to be honest, there are enough limitations to signing SELinux policies that this isn't very high on my personal SELinux priority list. The fact

Re: Linux Firmware Signing

2015-08-31 Thread Paul Moore
On Fri, Aug 28, 2015 at 10:03 PM, Luis R. Rodriguez wrote: > On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: >> On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C >> wrote: >> > Even triggered updates make sense, since you can at least

Re: Linux Firmware Signing

2015-08-31 Thread David Woodhouse
On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > I'm not real happy about it, but since we can't break the existing ABI > of loading data into the kernel via a buffer, a stop gap method of > signing and verifying a buffer would be needed. Actually I think we can. The usermode helper is

Re: Linux Firmware Signing

2015-08-31 Thread Mimi Zohar
On Mon, 2015-08-31 at 17:05 +0100, David Woodhouse wrote: > On Mon, 2015-08-31 at 10:18 -0400, Mimi Zohar wrote: > > I'm not real happy about it, but since we can't break the existing ABI > > of loading data into the kernel via a buffer, a stop gap method of > > signing and verifying a buffer

Re: Linux Firmware Signing

2015-08-31 Thread Mimi Zohar
On Sat, 2015-08-29 at 04:16 +0200, Luis R. Rodriguez wrote: > On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: > > On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: > > > On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: > > > > > Luis R. Rodriguez

RE: Linux Firmware Signing

2015-08-28 Thread Roberts, William C
; Kyle McMartin; Seth Forshee; Matthew Garrett; Johannes Berg Subject: Re: Linux Firmware Signing On Thu, Aug 27, 2015 at 5:29 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: SELinux uses: security_load_policy(data, len), refer

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote: On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C william.c.robe...@intel.com wrote: Even triggered updates make sense, since you can at least have some form of trust of where that binary policy came from. It isn't always

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 07:54:33PM -0400, Mimi Zohar wrote: On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold

Re: Linux Firmware Signing

2015-08-28 Thread Luis R. Rodriguez
On Fri, Aug 28, 2015 at 11:20:10AM +, Roberts, William C wrote: -Original Message- From: Paul Moore [mailto:p...@paul-moore.com] While I question the usefulness of a SELinux policy signature in the general case, there are some situations where it might make sense, e.g.

Re: Linux Firmware Signing

2015-08-28 Thread Paul Moore
; Greg Kroah-Hartman; Peter Jones; Takashi Iwai; Ming Lei; Joey Lee; Vojtěch Pavlík; Kyle McMartin; Seth Forshee; Matthew Garrett; Johannes Berg Subject: Re: Linux Firmware Signing On Thu, Aug 27, 2015 at 5:29 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Thu, Aug 27, 2015 at 10:57:23AM

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 11:38:58AM +0100, David Howells wrote: Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold firmware name

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Wed, Aug 26, 2015 at 10:35:19PM -0400, Paul Moore wrote: On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: Now let's review the SELinux stuff before we jump back into firmware / system data stuff

Re: Linux Firmware Signing

2015-08-27 Thread Luis R. Rodriguez
On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold firmware name

Re: Linux Firmware Signing

2015-08-27 Thread Paul Moore
On Thu, Aug 27, 2015 at 3:36 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Wed, Aug 26, 2015 at 10:35:19PM -0400, Paul Moore wrote: On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: Now let's review the

Re: Linux Firmware Signing

2015-08-27 Thread David Howells
Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold firmware name https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7id=1448377a369993f864915743cfb34772e730213good 1.3.6.1.4.1.2312.16 Linux kernel

Re: Linux Firmware Signing

2015-08-27 Thread David Woodhouse
See http://www.infradead.org/rpr.html Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold firmware name https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/commit/?h=fwsign-pkcs7id=1448377a369993f864915743cfb34772e730213good

Re: Linux Firmware Signing

2015-08-27 Thread Mimi Zohar
On Thu, 2015-08-27 at 23:29 +0200, Luis R. Rodriguez wrote: On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: Luis R. Rodriguez mcg...@suse.com wrote: PKCS#7: Add an optional authenticated attribute to hold firmware name

Re: Linux Firmware Signing

2015-08-27 Thread Paul Moore
On Thu, Aug 27, 2015 at 5:29 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Thu, Aug 27, 2015 at 10:57:23AM -, David Woodhouse wrote: SELinux uses: security_load_policy(data, len), refer to selinuxfs sel_load_ops. Since its write operation on its file_operation is sel_write_load() and

Re: Linux Firmware Signing

2015-08-26 Thread Luis R. Rodriguez
On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: Luis R. Rodriguez mcg...@suse.com wrote: But note, we also have kexec_file_load() syscall and an arch specific signature verification feature, arch_kexec_kernel_verify_sig(). Sad trombone, no LSM hook and only x86 supports

Re: Linux Firmware Signing

2015-08-26 Thread Paul Moore
On Wed, Aug 26, 2015 at 7:26 PM, Luis R. Rodriguez mcg...@suse.com wrote: On Wed, Aug 26, 2015 at 03:33:04PM +0100, David Howells wrote: Now let's review the SELinux stuff before we jump back into firmware / system data stuff again as there is a joint criteria to consider for all of these. For