Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 9 Apr 2017 10:40:07 -0400
From:      Eric McCorkle <eric@metricspace.net>
To:        "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>, freebsd-security@freebsd.org
Subject:   Re: Proposal for a design for signed kernel/modules/etc
Message-ID:  <7611f7a3-3e50-65f2-4347-e37018ae1abc@metricspace.net>
In-Reply-To: <20170408115222.GA64207@brick>
References:  <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net> <20170408111144.GC14604@brick> <181f7b78-64c3-53a6-a143-721ef0cb5186@metricspace.net> <20170408115222.GA64207@brick>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--mtArbQXOnqfKwxkx45JFK13QqcR6Jn47r
Content-Type: multipart/mixed; boundary="LRivelBAQdLMTNuKBGmlcXn2bavWRRppf";
 protected-headers="v1"
From: Eric McCorkle <eric@metricspace.net>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>,
 freebsd-security@freebsd.org
Message-ID: <7611f7a3-3e50-65f2-4347-e37018ae1abc@metricspace.net>
Subject: Re: Proposal for a design for signed kernel/modules/etc
References: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net>
 <20170408111144.GC14604@brick>
 <181f7b78-64c3-53a6-a143-721ef0cb5186@metricspace.net>
 <20170408115222.GA64207@brick>
In-Reply-To: <20170408115222.GA64207@brick>

--LRivelBAQdLMTNuKBGmlcXn2bavWRRppf
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 04/08/2017 07:52, Edward Tomasz Napiera=C5=82a wrote:
> On 0408T0803, Eric McCorkle wrote:
>> On 04/08/2017 07:11, Edward Tomasz Napiera=C5=82a wrote:
>>> On 0327T1354, Eric McCorkle wrote:
>>>> Hello everyone,
>>>>
>>>> The following is a design proposal for signed kernel and kernel modu=
le
>>>> loading, both at boot- and runtime (with the possibility open for si=
gned
>>>> executables and libraries if someone wanted to go that route).  I'm
>>>> interested in feedback on the idea before I start actually writing c=
ode
>>>> for it.
>>>
>>> I see two potential problems with this.
>>>
>>> First, our current loader(8) depends heavily on Forth code.  By makin=
g
>>> it load modified 4th files, you can do absolutely anything you want;
>>> AFAIK they have unrestricted access to hardware.  So you should prefe=
rably
>>> be able to sign them as well.  You _might_ (not sure on this one) als=
o
>>> want to be able to restrict access to some of the loader configuratio=
n
>>> variables.
>>
>> Loader is handled by the UEFI secure boot framework, though the concer=
ns
>> about the 4th code are still valid.  In a secure system, you'd want to=

>> do something about that, but the concerns are different enough (and it=
's
>> isolated enough) that it could be done separately.
>=20
> Unless the way to address those ends up being a signature mechanism
> that doesn't depend on the format of the files being signed.

I explored the idea of wrapped or detached signatures in the previous
discussion.  Envelopes or detached signatures could make sense for the
4th files.  It's a small, obscure set of code that probably isn't
changed very often.

Envelopes or detached signatures for kernel modules and especially
signed executables and libraries both have extensive, far-reaching
consequences for system administration, packaging, tooling, the ports
collection, and so on, whereas signing the executable with an additional
section has no such consequences.

Config files (and the 4th files really are more like config files) have
a different set of constraints, and detached signatures are probably the
way to go there.  So loader should probably support detached PKCS#7
signature checks.


--LRivelBAQdLMTNuKBGmlcXn2bavWRRppf--

--mtArbQXOnqfKwxkx45JFK13QqcR6Jn47r
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWOpHyAAKCRBWwohAqoAE
jT0zAQCjaQTkFbS5xkr4eixhwOysahTZRg1iKojdfj/NpbIwyQEAj8MuUJvPSi12
xIqgCFSa47WyfCEAoAMOcjMqwdSEpgs=
=i63w
-----END PGP SIGNATURE-----

--mtArbQXOnqfKwxkx45JFK13QqcR6Jn47r--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7611f7a3-3e50-65f2-4347-e37018ae1abc>