Date: Sat, 8 Apr 2017 08:03:40 -0400
From: Eric McCorkle <eric@metricspace.net>
To: "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>, freebsd-security@freebsd.org
Subject: Re: Proposal for a design for signed kernel/modules/etc
Message-ID: <181f7b78-64c3-53a6-a143-721ef0cb5186@metricspace.net>
In-Reply-To: <20170408111144.GC14604@brick>
References: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net> <20170408111144.GC14604@brick>
On 04/08/2017 07:11, Edward Tomasz Napierała wrote:
> On 0327T1354, Eric McCorkle wrote:
>> Hello everyone,
>>
>> The following is a design proposal for signed kernel and kernel module
>> loading, both at boot- and runtime (with the possibility open for signed
>> executables and libraries if someone wanted to go that route). I'm
>> interested in feedback on the idea before I start actually writing code
>> for it.
>
> I see two potential problems with this.
>
> First, our current loader(8) depends heavily on Forth code. By making
> it load modified 4th files, you can do absolutely anything you want;
> AFAIK they have unrestricted access to hardware. So you should preferably
> be able to sign them as well. You _might_ (not sure on this one) also
> want to be able to restrict access to some of the loader configuration
> variables.

Loader is handled by the UEFI secure boot framework, though the concerns
about the 4th code are still valid. In a secure system, you'd want to do
something about that, but the concerns are different enough (and it's
isolated enough) that it could be done separately.

> Second - given OpenSSL's track record, moving signature verification
> and the x.509 stuff into the kernel (to verify userland) and loader
> (to verify the kernel and modules)... well, it just doesn't seem
> to be a good idea.

Integrating all of OpenSSL would be massively overkill. All you need is
RSA/Ed25519 signature verification and parsing a subset of PKCS#7. My
thoughts here are to grab the RSA/Ed25519 implementations from libsodium
and just write a minimal PKCS#7 parser.

> Also: do you know about veriexec?
>
> https://reviews.freebsd.org/D8575

Is there some documentation of this other than a code review?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?181f7b78-64c3-53a6-a143-721ef0cb5186>
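The reply above proposes building the loader- and kernel-side verifier from a borrowed signature implementation plus a purpose-written parser for the subset of PKCS#7 it needs. The example below is added here to show what the parsing side of that has to get right; it is not code from the message, from FreeBSD's loader, or from any later veriexec work. It is a strict DER TLV reader plus the outermost step of a PKCS#7 ContentInfo walk: it enforces definite, minimal length encodings, refuses values that run past the buffer, checks the contentType OID against id-signedData, and rejects trailing bytes after the outer SEQUENCE. The function names, the struct, and the three sample blobs are this example's own constructed assumptions; the Ed25519/RSA verification step that would follow is out of scope.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical example, not FreeBSD code: a strict DER TLV reader plus the
 * outermost step of a PKCS#7 ContentInfo walk, i.e. the parsing a loader-side
 * verifier must survive before it ever reaches the signature bytes. */
struct der_tlv {
    uint8_t        tag;
    const uint8_t *val;
    size_t         len;
};

/* id-signedData (1.2.840.113549.1.7.2) as DER content octets. */
static const uint8_t OID_SIGNED_DATA[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02
};

/* Read one TLV from buf[0..buflen). Returns bytes consumed, or 0 on any
 * malformed input: truncated value, indefinite length, non-minimal length
 * encoding, or a high-tag-number tag (never needed for PKCS#7). */
size_t der_read(const uint8_t *buf, size_t buflen, struct der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buflen < 2 || (buf[0] & 0x1f) == 0x1f)
        return 0;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                            /* short form */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || buflen - pos < nbytes)
            return 0;                           /* indefinite or absurd length */
        if (buf[pos] == 0x00)
            return 0;                           /* leading zero: not minimal */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return 0;                           /* should have used short form */
    }
    if (len > buflen - pos)
        return 0;                               /* value runs past the buffer */
    out->val = buf + pos;
    out->len = len;
    return pos + len;
}

/* ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }.
 * Returns 1 and fills *content if contentType is id-signedData and the
 * encoding is exactly n bytes long (no trailing data); 0 otherwise. */
int pkcs7_content(const uint8_t *blob, size_t n, struct der_tlv *content)
{
    struct der_tlv outer, oid;
    size_t used, rest;
    used = der_read(blob, n, &outer);
    if (used == 0 || used != n || outer.tag != 0x30)
        return 0;
    used = der_read(outer.val, outer.len, &oid);
    if (used == 0 || oid.tag != 0x06 || oid.len != sizeof(OID_SIGNED_DATA) ||
        memcmp(oid.val, OID_SIGNED_DATA, oid.len) != 0)
        return 0;
    rest = outer.len - used;
    used = der_read(outer.val + used, rest, content);
    return used != 0 && used == rest && content->tag == 0xa0;
}

/* Constructed sample inputs (not real signed data): the same ContentInfo
 * three ways. The [0] element holds an empty OCTET STRING as a stand-in. */
static const uint8_t SAMPLE_OK[] = {                    /* well-formed */
    0x30, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
    0x02, 0xa0, 0x02, 0x04, 0x00 };
static const uint8_t SAMPLE_NONMIN[] = {                /* length as 0x81 0x0f */
    0x30, 0x81, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
    0x07, 0x02, 0xa0, 0x02, 0x04, 0x00 };
static const uint8_t SAMPLE_TRAILING[] = {              /* one byte appended */
    0x30, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
    0x02, 0xa0, 0x02, 0x04, 0x00, 0x00 };

/* Bitmask of checks that pass (0xf means all four): bit0 well-formed input
 * accepted, bit1 truncated input rejected, bit2 non-minimal length rejected,
 * bit3 trailing byte rejected. */
int run_checks(void)
{
    struct der_tlv c;
    int r = 0;
    if (pkcs7_content(SAMPLE_OK, sizeof(SAMPLE_OK), &c) && c.len == 2)
        r |= 1;
    if (!pkcs7_content(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, &c))
        r |= 2;
    if (!pkcs7_content(SAMPLE_NONMIN, sizeof(SAMPLE_NONMIN), &c))
        r |= 4;
    if (!pkcs7_content(SAMPLE_TRAILING, sizeof(SAMPLE_TRAILING), &c))
        r |= 8;
    return r;
}
```

A real parser would continue into SignedData (version, digestAlgorithms, certificates, signerInfos) with the same discipline at every level: every byte of the blob is either consumed by a checked TLV or causes rejection. That strictness is the point of writing a minimal parser instead of importing a lenient one, because in a boot loader any byte the parser silently skips is unauthenticated input that still reaches code running with full hardware access.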