From: Edward Tomasz Napierała <etnapierala@gmail.com>
To: Eric McCorkle
Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Proposal for a design for signed kernel/modules/etc
Date: Sun, 9 Apr 2017 16:52:40 +0100
Message-ID: <20170409155240.GA18363@brick>
In-Reply-To: <7611f7a3-3e50-65f2-4347-e37018ae1abc@metricspace.net>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

On 0409T1040, Eric McCorkle wrote:
> On 04/08/2017 07:52, Edward Tomasz Napierała wrote:
> > On 0408T0803, Eric McCorkle wrote:
> >> On 04/08/2017 07:11, Edward Tomasz Napierała wrote:
> >>> On 0327T1354, Eric McCorkle wrote:
> >>>> Hello everyone,
> >>>>
> >>>> The following is a design proposal for signed kernel and kernel module
> >>>> loading, both at boot- and runtime (with the possibility open for signed
> >>>> executables and libraries if someone wanted to go that route). I'm
> >>>> interested in feedback on the idea before I start actually writing code
> >>>> for it.
> >>>
> >>> I see two potential problems with this.
> >>>
> >>> First, our current loader(8) depends heavily on Forth code. By making
> >>> it load modified 4th files, you can do absolutely anything you want;
> >>> AFAIK they have unrestricted access to hardware. So you should preferably
> >>> be able to sign them as well. You _might_ (not sure on this one) also
> >>> want to be able to restrict access to some of the loader configuration
> >>> variables.
> >>
> >> Loader is handled by the UEFI secure boot framework, though the concerns
> >> about the 4th code are still valid. In a secure system, you'd want to
> >> do something about that, but the concerns are different enough (and it's
> >> isolated enough) that it could be done separately.
> >
> > Unless the way to address those ends up being a signature mechanism
> > that doesn't depend on the format of the files being signed.
>
> I explored the idea of wrapped or detached signatures in the previous
> discussion. Envelopes or detached signatures could make sense for the
> 4th files. It's a small, obscure set of code that probably isn't
> changed very often.
>
> Envelopes or detached signatures for kernel modules and especially
> signed executables and libraries both have extensive, far-reaching
> consequences for system administration, packaging, tooling, the ports
> collection, and so on, whereas signing the executable with an additional
> section has no such consequences.
>
> Config files (and the 4th files really are more like config files) have
> a different set of constraints, and detached signatures are probably the
> way to go there. So loader should probably support detached PKCS#7
> signature checks.

The third way that might be worth considering would be to just append
the signature. This would work for both 4th (if you prepend it with
whatever is the 4th comment character) and ELF, without the need for
changing or extending either format.
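The "just append the signature" idea from the last paragraph, worked through as an added example in Go; this is not code from the thread, from FreeBSD, or from loader(8). The trailer is one final line carrying an Ed25519 signature over every byte before it. For a .4th file the line is prefixed with Forth's line-comment word `\ ` (the space is part of the word), so the interpreter skips it; for ELF the prefix is empty and the trailer sits past everything the ELF headers describe, so the ELF loader never reads it. Neither format changes. The marker string `FBSD-SIG-v1`, the use of Ed25519 in place of the PKCS#7 the thread mentions, and the function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Trailer format assumed for this example (not FreeBSD's): the file's last line is
//   <comment prefix>FBSD-SIG-v1 <base64 Ed25519 signature over every byte before it>
// ForthComment is "\ " (Forth's line comment, which requires the trailing space);
// NoComment is used for ELF, whose loader ignores bytes past the described sections.
const (
	Marker       = "FBSD-SIG-v1 "
	ForthComment = "\\ "
	NoComment    = ""
)

// AppendSignature returns body followed by its signature trailer. A text body that
// does not end in a newline gets one first, inside the signed region, so that the
// trailer is always a line of its own and cannot merge with the last Forth line.
func AppendSignature(body []byte, commentPrefix string, priv ed25519.PrivateKey) []byte {
	region := append([]byte{}, body...)
	if commentPrefix != "" && (len(region) == 0 || region[len(region)-1] != '\n') {
		region = append(region, '\n')
	}
	sig := ed25519.Sign(priv, region)
	trailer := commentPrefix + Marker + base64.StdEncoding.EncodeToString(sig) + "\n"
	return append(region, trailer...)
}

// VerifySigned checks the trailer and returns the signed region, i.e. the file as the
// loader may then use it, or an error. Anything after the trailer is rejected, so
// unsigned Forth cannot be tacked on behind a valid signature.
func VerifySigned(file []byte, commentPrefix string, pub ed25519.PublicKey) ([]byte, error) {
	needle := []byte(commentPrefix + Marker)
	idx := bytes.LastIndex(file, needle)
	if idx < 0 {
		return nil, errors.New("no signature trailer")
	}
	if commentPrefix != "" && idx > 0 && file[idx-1] != '\n' {
		return nil, errors.New("signature trailer is not on a line of its own")
	}
	encoded := bytes.TrimRight(file[idx+len(needle):], "\n")
	if bytes.IndexByte(encoded, '\n') >= 0 {
		return nil, errors.New("data follows the signature trailer")
	}
	sig, err := base64.StdEncoding.DecodeString(string(encoded))
	if err != nil {
		return nil, fmt.Errorf("malformed signature trailer: %w", err)
	}
	region := file[:idx]
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, region, sig) {
		return nil, errors.New("signature verification failed")
	}
	return region, nil
}

func main() {
	// Throwaway key pair standing in for the vendor's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample .4th content; not a real FreeBSD loader file.
	forth := []byte("\\ constructed sample\n: hello .\" hi\" ;\n")
	signed := AppendSignature(forth, ForthComment, priv)
	fmt.Print(string(signed))
	if _, err := VerifySigned(signed, ForthComment, pub); err != nil {
		panic(err)
	}
	// Flip one byte of the Forth body: the trailer no longer verifies.
	tampered := append([]byte{}, signed...)
	tampered[3] ^= 1
	_, err = VerifySigned(tampered, ForthComment, pub)
	fmt.Println("tampered copy:", err)
}
```

Two properties matter for the loader case: the verifying key has to be trusted before any 4th file is read (for example embedded in the loader binary that UEFI secure boot already verifies, as Eric notes above), and the whole file must pass VerifySigned before the Forth interpreter sees a single word of it, since a partially interpreted file has already run.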