Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Mon Feb 25 2013 - 22:13:49 EST

Next message: Stephen Rothwell: "linux-next: Tree for Feb 24"
Previous message: Rafael J. Wysocki: "Re: [GIT PULL] ACPI and power management fixes for v3.9-rc1"
In reply to: Greg KH: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: Theodore Ts'o: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 25, 2013 at 07:02:49PM -0800, Greg KH wrote:
> On Tue, Feb 26, 2013 at 02:33:32AM +0000, Matthew Garrett wrote:
> > Oh, come on Greg. Allowing unsigned modules allows loading arbitrary
> > code into the kernel, and allowing arbitrary code into the kernel means
> > that the kernel can be used to directly boot a modified copy of the
> > Windows kernel. Avoiding that scenario is *explicitly* mandated by
> > Microsoft.
>
> Then why is the signed shim is currently being used by successfully by
> distros that do not use signed kernel modules?

Because Microsoft have indicated that they'd be taking a reactive
approach to blacklisting and because, so far, nobody has decided to
write the trivial proof of concept that demonstrates the problem.

> > We can avoid it by either not using Microsoft as the root of
> > trust or by requiring explicit key installation during the OS install
> > process, but both of those make OS installation more difficult. If we
> > want Linux to Just Work out of the box on Microsoft-certified hardware,
> > this is one of the rules we have to live by.
>
> I don't see that being required in the wording for the Microsoft signing
> authority, and in personal discussions with them, they say it would be
> nice, but they can't force the issue. Where does it say this in the
> agreement specifically?

"In addition, in the case of Microsoftâs digital signatures of UEFI
Code, Microsoft may remove a Compatible Product from the Microsoft
Compatibility Lists and/or revoke the digital signature upon 30 daysâ
notice to Company in the event Microsoft determines in its sole judgment
that the security of the UEFI Code is compromised."

The ability to use the signed code to boot an untrusted copy of the
Windows kernel is a clear breach of the trust model.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Rothwell: "linux-next: Tree for Feb 24"
Previous message: Rafael J. Wysocki: "Re: [GIT PULL] ACPI and power management fixes for v3.9-rc1"
In reply to: Greg KH: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: Theodore Ts'o: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]