[Ksummit-discuss] [TECH TOPIC] Firmware signing

David Woodhouse dwmw2 at infradead.org
Wed Jul 29 08:39:40 UTC 2015


On Tue, 2015-07-28 at 15:44 -0700, Andy Lutomirski wrote:
> On Tue, Jul 28, 2015 at 3:39 PM, David Howells <dhowells at redhat.com> wrote:
> > James Bottomley <James.Bottomley at HansenPartnership.com> wrote:
> > 
> > > Um, wouldn't the hash be in the module ... and the module is validated
> > > at load time by whatever kernel mechanism we're using.
> > 
> > I think we're talking at cross-purposes.  The point was:
> > 
> >     (6) Should module signatures contain the module name - to be matched
> >         against the modinfo structure after the signature is checked?
> > 
> > I'm asking about whether a *module* signature should be tied to the name of
> > the *module* it is signing.  Nothing to do with firmware.
> > 
> 
> I vote "no" because I can't see a threat model under which it matters.
> If you can sign a module at all, then root can load it regardless of
> what it's called.  Nonroot can't supply the module under a forged
> name, regardless of whether the signature covers the name.

Right.

Including the module name in the signature *only* protects you against
an attacker who can provide a rogue module which *happens* to match the
digest of a genuine module.... but their rogue module has a different
name in the modinfo struct.

And quite frankly, if the attacker can manage that much, they'll manage
to get the name to match soon after. Meanwhile, I'll be in the bunker
because the world is about to end.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/ksummit-discuss/attachments/20150729/23fe14f1/attachment-0001.bin>


More information about the Ksummit-discuss mailing list