Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
From: Justin Forbes
Date: Fri Aug 17 2018 - 11:42:48 EST
On Fri, Aug 17, 2018 at 9:58 AM, James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 2018-08-17 at 09:24 +0100, David Howells wrote:
>> James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> > > > As a step by step process, I agree. However, I think we can
>> > > > automate it to the point where you install a package and it
>> > > > says "insert your yubikey" every time you upgrade the kernel
>> > >
>> > > That's a very bad idea. You train people to unlock their private
>> > > key on request. It can be abused like one of those emails that
>> > > tells you that your account has been suspended - just follow the
>> > > link and put in your password please.
>> >
>> > It's exactly the same process those of us who use yubikeys for gpg
>> > or ssh keys follow. You insert your key, you activate the process
>> > that needs the key, it asks for you to confirm your key, you press
>> > the button and the operation gets performed. Since it's what we as
>> > kernel developers do, I don't see why it's a bad idea for others.
>>
>> You've completely missed the point.
>>
>> You need to think from the PoV of an ordinary user. Imagine the
>> system does an automatic upgrade and wants to upgrade the kernel. It
>> pops up a dialogue box saying "please put in your yubikey and enter
>> your password here"[**]. It might do this on a regular basis - and
>> you can be sure that some users at least will become accustomed to
>> just doing this when their computer tells them too. *That* is the
>> problem.
>
> I was assuming the kernel would get pinned, so when the system
> automatically updates it installs everything else but tells you you
> have to do the kernel manually. Presumably installing the add your own
> key package would do this.
>
> The point I'm making isn't that everything will just magically work,
> it's that we can design a process for a user to update a distro kernel
> while installing their own key. I'm sure you can imagine hundreds of
> bad processes that encourage wrong behaviour, but the realistic answer
> is we just wouldn't use them.
>
>
>> Now they follow a link to a dodgy website that causes some code to be
>> downloaded and run. *It* now pops up a dialogue box that looks
>> exactly like the kernel installer's dialogue that says "please put in
>> your yubikey and enter your password here". But now we've trained
>> those users to do this on demand...
>>
>> PEBKAC[*].
>>
>> [*] Note that I'm not trying to slight ordinary users here, it's more
>> a fact
>> of psychology. As a distribution, it's our responsibility to try
>> and
>> protect them as best we can - and training them to unthinkingly
>> bypass the
>> security mechanisms isn't in anyone's best interests.
>>
>> [**] Note also that I've never actually used a yubikey[***], so I'm
>> not sure
>> whether it takes a password or has some other mechanism to
>> unlock the
>> key.
>>
>> [***] We also don't want to require that someone buys and keeps track
>> of a
>> yubikey to be able to use, say, the NVidia driver with
>> Fedora/RHEL.
>> Using the TPM if installed would be preferable because it's
>> harder to
>> lose.
>
> I'm perfectly happy to use the TPM as well, and to help design
> processes around it (although I think we'll need both yubikey and TPM).
> I also have to confess whenever I say yubikey in the context of kernel
> processes I'm making the caveat that everyone else uses a yubikey but I
> use my TPM based keys.
>
>> We also don't necessarily want to encourage ordinary users to fiddle
>> with the system key databases unless they really know what they are
>> doing. There've been cases where doing this has bricked a machine
>> because the BIOS is buggy. Now I will grant, since you'll probably
>> raise it if I don't;-), that this might be a good reason *for* having
>> our own third party signing key as we could then build the key into
>> our kernels.
>>
>> But if they use a yubikey, they have to get the public key from there
>> into the system key list or possibly the yubikey has to be accessed
>> by the bootloader. The same for the TPM.
>
> For security reasons, a Yubikey should only be connected when you need
> it to sign something. The TPM you can assume is always available.
>
This is absolutely correct, the important word here being *should*.
The reality is, with weekly kernel updates and various uses of the
Yubikey, the average user is just going to leave it connected. We can
lay out best practices all we want, but it seems pretty obvious that
most users go with convenient or default. I really wish we could
change that, but it is unlikely. As a result, we have to make the
convenient or default path also fairly secure.
>> > > Further, you expose the unlocked key on a machine that might be
>> > > compromised.
>> >
>> > No it doesn't; the point about using a yubikey (or any other HSM
>> > type thing) is that the key is shielded inside the module so you
>> > get a signature back and the key can't be compromised even if the
>> > machine is.
>>
>> Yes, you do. Note that I don't mean necessarily exposing the actual
>> key material, but you do have to make it available for use - which
>> means someone can then use it and there's a window in which it is
>> available for that use. If there wasn't, it would be useless.
>
> Right so it's the byzantine exploit window shared by all HSMs
> (interception between authorization and use). We take that risk in our
> kernel development security model because we think it's reasonably low
> ... the same is true for this use case.
>
>> > > No, you can't. You might *think* that it is, but the signature
>> > > you're checking is after the image has being fiddled with by the
>> > > key-adder
>> >
>> > Well, yes, you have to add a new signature to the combination.
>> > However, you can always verify that the hash without the added key
>> > is the hash of the Red Hat supplied bzImage.
>>
>> At what point would you do this? You have to assume that your
>> userspace tools can be compromised unless they are also verified
>> (signature/IMA). No, this needs to be done by the bootloader.
>
> ? THe kernel is verified by the signature over the whole, which is
> bzImage plus new key; that's all the security the system needs. The
> only verification needed of the original RH bzImage is presumably for
> Red Hat to confirm support or some forensic diagnostic ... it's not a
> security relevant thing.
>
>> Sometimes I feel I've spent too much time talking to people about
>> security and their paranoia is rubbing off... ;-)
>
> When dealing with security people the trick is to separate reasonable
> from unreasonable paranoia ...
>
> James
>