From owner-freebsd-hackers@freebsd.org Sat Apr 8 11:39:30 2017
From: Edward Tomasz Napierała <etnapierala@gmail.com>
To: Eric McCorkle
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Proposal for a design for signed kernel/modules/etc
Date: Sat, 8 Apr 2017 12:11:44 +0100
Message-ID: <20170408111144.GC14604@brick>
In-Reply-To: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net>
User-Agent: Mutt/1.8.0 (2017-02-23)
List-Id: Technical Discussions relating to FreeBSD

On 0327T1354, Eric McCorkle wrote:
> Hello everyone,
>
> The following is a design proposal for signed kernel and kernel module
> loading, both at boot- and runtime (with the possibility open for signed
> executables and libraries if someone wanted to go that route).  I'm
> interested in feedback on the idea before I start actually writing code
> for it.

I see two potential problems with this.
First, our current loader(8) depends heavily on Forth code.  By making it
load modified 4th files, you can do absolutely anything you want; AFAIK
they have unrestricted access to hardware.  So you should preferably be
able to sign them as well.  You _might_ (not sure on this one) also want
to be able to restrict access to some of the loader configuration
variables.

Second - given OpenSSL's track record, moving signature verification and
the X.509 stuff into the kernel (to verify userland) and loader (to
verify the kernel and modules)... well, it just doesn't seem to be a good
idea.

Also: do you know about veriexec?

https://reviews.freebsd.org/D8575
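As an added illustration of the two points in the reply above (this is example code written for this archive page, not code from the proposal, from the reply, or from FreeBSD's loader or veriexec): a Go sketch in which the loader trusts one pinned public key and one signed manifest, and that manifest lists the loader's Forth scripts and loader.conf alongside the kernel and modules, so a modified .4th file fails exactly like a modified kernel would. The loader-side surface is a fixed-shape manifest parser plus a single Ed25519 signature check, the kind of small primitive the reply prefers over carrying X.509 into the loader. The file paths and contents are constructed stand-ins, and the choice of Ed25519 and SHA-256 is an assumption made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a boot-time file (kernel, module, loader .4th script,
// loader.conf) to the hex SHA-256 of its contents.
type Manifest map[string]string

// Serialize emits one "<hex-sha256> <path>" line per entry, sorted by path,
// so the bytes that get signed are canonical.
func (m Manifest) Serialize() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b bytes.Buffer
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", m[p], p)
	}
	return b.Bytes()
}

// BuildManifest hashes every file the loader may execute or consult.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for p, data := range files {
		sum := sha256.Sum256(data)
		m[p] = hex.EncodeToString(sum[:])
	}
	return m
}

// ParseManifest is the loader-side parser: one fixed line shape, no
// extensions, so there is very little to get wrong.
func ParseManifest(raw []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimSuffix(string(raw), "\n"), "\n") {
		fields := strings.SplitN(line, " ", 2)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 || fields[1] == "" {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("bad digest in line %q", line)
		}
		m[fields[1]] = fields[0]
	}
	return m, nil
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrNotInManifest  = errors.New("file not listed in manifest")
	ErrDigestMismatch = errors.New("file digest does not match manifest")
)

// Verifier is the loader's view: one verified manifest behind one pinned key.
type Verifier struct{ m Manifest }

// NewVerifier checks the signature before parsing anything, so untrusted
// bytes never reach the parser.
func NewVerifier(pub ed25519.PublicKey, raw, sig []byte) (*Verifier, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	m, err := ParseManifest(raw)
	if err != nil {
		return nil, err
	}
	return &Verifier{m: m}, nil
}

// Check gates every load: a .4th script, a module, loader.conf, the kernel.
func (v *Verifier) Check(path string, data []byte) error {
	want, ok := v.m[path]
	if !ok {
		return ErrNotInManifest
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario signs a manifest over constructed sample files (not real FreeBSD
// artifacts) and reports what the loader-side checks return in each case.
func Scenario() (good, tamperedForth, unlisted, badSig error) {
	files := map[string][]byte{
		"/boot/kernel/kernel":   []byte("constructed kernel image bytes"),
		"/boot/kernel/if_em.ko": []byte("constructed module bytes"),
		"/boot/loader.4th":      []byte(": boot-kernel load kernel ;"),
		"/boot/loader.conf":     []byte("kern.vty=\"vt\"\n"),
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pinned key for the demo
	if err != nil {
		panic(err)
	}
	raw := BuildManifest(files).Serialize()
	sig := ed25519.Sign(priv, raw)
	v, err := NewVerifier(pub, raw, sig)
	if err != nil {
		panic(err)
	}
	good = v.Check("/boot/loader.4th", files["/boot/loader.4th"])
	tamperedForth = v.Check("/boot/loader.4th", []byte(": boot-kernel evil ;"))
	unlisted = v.Check("/boot/extra.4th", []byte("anything"))
	raw2 := append([]byte{}, raw...)
	raw2[0] ^= 0x01 // corrupt the manifest after signing: parser never runs
	_, badSig = NewVerifier(pub, raw2, sig)
	return
}

func main() {
	good, t, u, b := Scenario()
	fmt.Println("loader.4th ok:", good == nil)
	fmt.Println("tampered loader.4th:", t)
	fmt.Println("unlisted extra.4th:", u)
	fmt.Println("corrupted manifest:", b)
}
```

The manifest is parsed only after its signature verifies, and a file that is merely absent from the manifest is refused rather than ignored; both choices keep the amount of loader code that touches untrusted input small, which is the reply's concern.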