Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Thu Feb 21 2013 - 12:50:08 EST


On Thu, Feb 21, 2013 at 08:58:45AM -0800, Linus Torvalds wrote:

> If Red Hat wants to deep-throat Microsoft, that's *your* issue. That
> has nothing what-so-ever to do with the kernel I maintain. It's
> trivial for you guys to have a signing machine that parses the PE
> binary, verifies the signatures, and signs the resulting keys with
> your own key. You already wrote the code, for chissake, it's in that
> f*cking pull request.

There's one significant practical awkwardness, which is that it makes
key revocation a multi-step process - the blacklisted hash is going to
be for the PE and not the key itself. I guess the original hash could be
stuffed in some metadata in the key, but urgh.

Vendors want to ship keys that have been signed by a trusted party.
Right now the only one that fits the bill is Microsoft, because
apparently the only thing vendors love more than shitty firmware is
following Microsoft specs. The equivalent isn't just Red Hat (or anyone
else) programmatically re-signing those keys, it's re-signing those keys
with a key that's trusted by the upstream kernel. Would you be willing
to carry a default trusted key if some sucker/upstanding and
trustworthy member of society hosted a re-signing service? Or should we
just assume that anyone who wants to ship external modules is a fucking
idiot and deserves to be miserable?

(I mean, *I'm* fine with the idea that they're fucking idiots and
deserve to be miserable, but apparently there's people who think this is
a vital part of a business model)

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/