Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

[PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 01/27] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 01/27] Add the ability to lock down access to the running kernel image · James Morris <hidden> · 2017-10-20
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Randy Dunlap <hidden> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Thiago Jung Bauermann <hidden> · 2017-11-07
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-07
[PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
[PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · Ethan Zhao <hidden> · 2017-10-24
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-24
[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · James Morris <hidden> · 2017-10-20
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-23
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-29
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
[PATCH 08/27] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 08/27] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 09/27] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · Alan Cox <hidden> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-21
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 19/27] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 21/27] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 25/27] Lock down /proc/kcore · James Morris <hidden> · 2017-10-21
Re: [PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · James Morris <hidden> · 2017-10-21
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 27/27] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-11
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-16
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-12-04
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-12-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08

From: mcgrof@kernel.org (Luis R. Rodriguez)
Date: 2017-11-07 23:07:05
Also in: linux-efi, lkml

On Thu, Nov 02, 2017 at 06:10:41PM -0400, Mimi Zohar wrote:

On Thu, 2017-11-02 at 22:04 +0000, David Howells wrote:

quoted

Mimi Zohar [off-list ref] wrote:

quoted

Only validly signed device firmware may be loaded.

fw_get_filesystem_firmware() calls kernel_read_file_from_path() to
read the firmware, which calls into the security hooks. Is there
another place that validates the firmware signatures. ?I'm not seeing
which patch requires firmware to be signed?

Luis has a set of patches for this.  However, I'm not sure if that's going
anywhere at the moment.  Possibly I should remove this from the manpage for
the moment.

Remove it for now. The state of of affairs for firmware signing is complex given
that we first wanted to address how to properly grow the API without making
the API worse. This in and of itself was an effort, and that effort also
evaluated two different development paradigms:

	o functional API
	o data driven API

I only recently was convinced that functional API should be used, even for
commonly used exported symbols, and as such I've been going back and slowly
grooming the firmware API with small atomic changes to first clean up the
complex flag mess we have.

Since I'm busy with that Takahiro AKASHI has taken up firmware singing effort
but this will depend on the above small cleanup to be done first. I was busy
with addressing existing bugs on the firmware API for a while, then company
travel / conferences so was not able to address this, but I'm back now and
I believe I should be able to tackle the cleanup now.

Only after this is merged can we expect a final respin of the firmware signing
effort.

Or reflect that IMA-appraisal, if enabled, will enforce firmware being
validly signed.

But FWICT lockdown is a built-in kernel thingy, unless lockdown implies IMA
it would not be the place to refer to it.

It seems the documentation was proposed to help users if an error was caught.
That error should cover only what is being addressed in code on the kernel.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help