Re: [GIT PULL] Load keys from signed PE binaries

From: Greg KH
Date: Mon Feb 25 2013 - 22:31:12 EST


On Tue, Feb 26, 2013 at 03:13:38AM +0000, Matthew Garrett wrote:
> On Mon, Feb 25, 2013 at 07:02:49PM -0800, Greg KH wrote:
> > On Tue, Feb 26, 2013 at 02:33:32AM +0000, Matthew Garrett wrote:
> > > Oh, come on Greg. Allowing unsigned modules allows loading arbitrary
> > > code into the kernel, and allowing arbitrary code into the kernel means
> > > that the kernel can be used to directly boot a modified copy of the
> > > Windows kernel. Avoiding that scenario is *explicitly* mandated by
> > > Microsoft.
> >
> > Then why is the signed shim currently being used successfully by
> > distros that do not use signed kernel modules?
>
> Because Microsoft have indicated that they'd be taking a reactive
> approach to blacklisting and because, so far, nobody has decided to
> write the trivial proof of concept that demonstrates the problem.

So, once that proof is written, suddenly all of the working Linux
distros' keys will be revoked? That will be fun to watch happen, and
odds are, it will not. Imagine the PR fun that will cause :)

> > > We can avoid it by either not using Microsoft as the root of
> > > trust or by requiring explicit key installation during the OS install
> > > process, but both of those make OS installation more difficult. If we
> > > want Linux to Just Work out of the box on Microsoft-certified hardware,
> > > this is one of the rules we have to live by.
> >
> > I don't see that being required in the wording for the Microsoft signing
> > authority, and in personal discussions with them, they say it would be
> > nice, but they can't force the issue. Where does it say this in the
> > agreement specifically?
>
> "In addition, in the case of Microsoft's digital signatures of UEFI
> Code, Microsoft may remove a Compatible Product from the Microsoft
> Compatibility Lists and/or revoke the digital signature upon 30 days'
> notice to Company in the event Microsoft determines in its sole judgment
> that the security of the UEFI Code is compromised."
>
> The ability to use the signed code to boot an untrusted copy of the
> Windows kernel is a clear breach of the trust model.

I don't buy it. Yes, I understand this is your position, and has been
all along, and _maybe_ you can extend it to "we should sign our kernel
modules", but to take it farther than that, like the list David has
described, is not required by anyone here.

Yes, they are all "nice" things to have, but I fail to see how Microsoft
should be dictating how Linux, or any other operating system, works,
especially when they aren't even signing the kernel, they are merely
signing a bootloader shim and saying "do your best for keeping the rest
of the system secure please."

thanks,

greg k-h