From: Eric McCorkle <eric@metricspace.net>
To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Proposal for a design for signed kernel/modules/etc
Date: Sun, 9 Apr 2017 10:40:07 -0400
Message-ID: <7611f7a3-3e50-65f2-4347-e37018ae1abc@metricspace.net>
In-Reply-To: <20170408115222.GA64207@brick>

On 04/08/2017 07:52, Edward Tomasz Napierała wrote:
> On 0408T0803, Eric McCorkle wrote:
>> On 04/08/2017 07:11, Edward Tomasz Napierała wrote:
>>> On 0327T1354, Eric McCorkle wrote:
>>>> Hello everyone,
>>>>
>>>> The following is a design proposal for signed kernel and kernel module
>>>> loading, both at boot- and runtime (with the possibility open for signed
>>>> executables and libraries if someone wanted to go that route). I'm
>>>> interested in feedback on the idea before I start actually writing code
>>>> for it.
>>>
>>> I see two potential problems with this.
>>>
>>> First, our current loader(8) depends heavily on Forth code. By making
>>> it load modified 4th files, you can do absolutely anything you want;
>>> AFAIK they have unrestricted access to hardware. So you should preferably
>>> be able to sign them as well. You _might_ (not sure on this one) also
>>> want to be able to restrict access to some of the loader configuration
>>> variables.
>>
>> Loader is handled by the UEFI secure boot framework, though the concerns
>> about the 4th code are still valid. In a secure system, you'd want to
>> do something about that, but the concerns are different enough (and it's
>> isolated enough) that it could be done separately.
>
> Unless the way to address those ends up being a signature mechanism
> that doesn't depend on the format of the files being signed.

I explored the idea of wrapped or detached signatures in the previous
discussion. Envelopes or detached signatures could make sense for the 4th
files. It's a small, obscure set of code that probably isn't changed very
often.

Envelopes or detached signatures for kernel modules and especially signed
executables and libraries both have extensive, far-reaching consequences for
system administration, packaging, tooling, the ports collection, and so on,
whereas signing the executable with an additional section has no such
consequences.

Config files (and the 4th files really are more like config files) have a
different set of constraints, and detached signatures are probably the way
to go there. So loader should probably support detached PKCS#7 signature
checks.
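The detached PKCS#7 check the reply ends on, shown end to end as an added example that is not part of the thread or of FreeBSD's loader: a constructed self-signed certificate acts as the trust anchor, a constructed loader-config-style file is signed with a detached CMS/PKCS#7 signature, and the same signature is then checked against the original and against a tampered copy. The file names, the `CN=example-loader-signer` subject and the config contents are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): detached PKCS#7/CMS signature over a
# loader-config-like file, created and verified with openssl(1).
# All key material, the certificate and the sample config are constructed
# in a temporary directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signing key and self-signed certificate; the certificate doubles
# as the verifier's trust anchor (stand-in for a key baked into the loader).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-loader-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1

# Constructed sample config in the spirit of a loader.conf / .4th file.
printf 'autoboot_delay="3"\nkern.vty="vt"\n' > "$WORK/loader.conf"

# make_detached_sig FILE SIGFILE: write a DER-encoded detached PKCS#7/CMS
# signature over FILE (the content itself is not embedded in SIGFILE).
make_detached_sig() {
    openssl cms -sign -binary -in "$1" \
        -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
        -outform DER -out "$2" >/dev/null 2>&1
}

# verify_detached FILE SIGFILE: check FILE against the detached signature,
# trusting only the constructed anchor. Prints "ok" or "FAIL".
verify_detached() {
    if openssl cms -verify -binary -content "$1" -in "$2" -inform DER \
        -CAfile "$WORK/signer.crt" -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

make_detached_sig "$WORK/loader.conf" "$WORK/loader.conf.p7s"
echo "original: $(verify_detached "$WORK/loader.conf" "$WORK/loader.conf.p7s")"

# A tampered copy (one appended variable) must fail against the same
# detached signature, which is exactly what a loader-side check relies on.
cp "$WORK/loader.conf" "$WORK/tampered.conf"
printf 'autoboot_delay="-1"\n' >> "$WORK/tampered.conf"
echo "tampered: $(verify_detached "$WORK/tampered.conf" "$WORK/loader.conf.p7s")"
```

Because the signature is detached, the config file itself stays in its original format and is still usable by tooling that knows nothing about signatures, which is the property the reply argues for.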