Re: [GIT PULL] Load keys from signed PE binaries

From: Greg KH
Date: Mon Feb 25 2013 - 23:13:33 EST


On Tue, Feb 26, 2013 at 04:04:56AM +0000, Matthew Garrett wrote:
> On Mon, Feb 25, 2013 at 07:54:16PM -0800, Greg KH wrote:
> > On Tue, Feb 26, 2013 at 03:38:04AM +0000, Matthew Garrett wrote:
> > > On Mon, Feb 25, 2013 at 07:31:56PM -0800, Greg KH wrote:
> > > > So, once that proof is written, suddenly all of the working Linux
> > > > distros's keys will be revoked? That will be fun to watch happen, and
> > > > odds are, it will not. Imagine the PR fun that will cause :)
> > >
> > > No. Why would they be?
> >
> > Because they are using the "public" shim that you provided them, or the
> > Linux Foundation's shim. Almost no distro, other than the "main" 3-4
> > will end up getting their own shim signed, the rest will just use the
> > one you so helpfully provided them :)
>
> There's no reason for the LF or generic shim to be blacklisted, since
> neither will load anything without manual intervention. But that also
> means that anyone trying to boot them has to have some knowledge of
> English, and that there's no way to netboot them. But sure, anyone
> planning that approach has much less to worry about.

I don't see anything about "manual intervention" in the wording that you
provided from Microsoft absolving you from the "duty" you feel you owe
them. I understand you are worried about "automated" exploits, but that
really is just a semantic overall, as we know it is easy to get people
to hit a key when booting just to get on with the process.

> > Yes you can. There are all sorts of fun ways you can do this, I can
> > think of a few more at the moment as well. So, where does it stop?
> > And why stop it at all? Why not just forbid root users at all?
>
> Because there's a distinction between ring 0 and ring 3?

Since when did you start trusting ring 0 code? Bozos like me write this
stuff, surely it isn't secure :)

> > > Microsoft aren't dictating anything here. We're free not to use their
> > > signatures. However, if we do use their signatures, we agree to play by
> > > their rules. Nobody seems to have come up with a viable alternative, so
> > > here we are.
> >
> > Ok, I keep hearing people say, "why doesn't someone else create a
> > signing authority!" all the time. And it comes down to one big thing,
> > money.
>
> Right. We've failed at creating an alternative. That doesn't mean that
> we get to skip the responsibilities associated with the choice we've
> made.

Wait, who is "we" here? The community? The community over-all didn't
agree with anything with Microsoft, that is between the people getting a
signed key and Microsoft. Again, you are trying to push your (prior)
company's agreement between them and Microsoft onto the community, and
now the community is pushing back, is that a surprise?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/