[Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust
Ben Hutchings
ben at decadent.org.uk
Wed Aug 17 11:38:56 UTC 2016
On Thu, 2016-08-04 at 00:01 +0100, Ben Hutchings wrote:
> On Wed, 2016-08-03 at 09:46 -0700, Andy Lutomirski wrote:
> [...]
> >
> > And it gets rid of the IMO extremely nasty temporary key. I
> > personally think that reproducible builds would add considerable
> > value to many use cases, and we currently can't simultaneously
> > support reproducible builds and Secure Boot without a big mess
> > involving trusted parties, and the whole point of reproducible
> > builds is to avoid needing to trust the packager.
> [...]
>
> You need that trusted party to supply a signature for the kernel, so
> why is it so much worse to have them do that for the modules as well?
[...]
I think I can now answer this myself.
Where there's a separate certificate store, the signing stage can be
entirely independent of the initial build. A user of a distribution
can reproduce the distribution's unsigned binaries and then use their
own keys to build signed binaries for their own use.
However, the module signing certificate embedded in the kernel - even
if it refers to a persistent signing key, making it reproducible - has
to be established before the initial build, so it doesn't allow for
users to use a different root of trust. So there ought to be an option
to require signatures but without defining any trusted keys at build
time.
Ben.
--
Ben Hutchings
Kids! Bringing about Armageddon can be dangerous. Do not attempt it in
your own home. - Terry Pratchett and Neil Gaiman, `Good Omens'
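The split between build stage and signing stage described above, as an added Python example that is not code from this thread: the kernel's appended module signature (the trailer scripts/sign-file writes) can be removed and replaced, so the unsigned bytes hash identically whichever key signed them. The module body and PKCS#7 blobs are constructed stand-ins, and verifying the blob against a runtime-chosen certificate is not shown.

```python
import hashlib
import struct

# Trailer layout: <module> <PKCS#7 sig> <struct module_signature> <magic string>
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # id_type that sign-file writes for PKCS#7 signatures
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")


def append_signature(unsigned: bytes, pkcs7_blob: bytes) -> bytes:
    """Emit a signed module in the kernel's appended-signature format."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_blob))
    return unsigned + pkcs7_blob + info + MODULE_SIG_STRING


def split_signature(module: bytes):
    """Return (unsigned_bytes, pkcs7_blob); the blob is None for an unsigned module.

    The length checks mirror what the kernel does before trusting the trailer."""
    if not module.endswith(MODULE_SIG_STRING):
        return module, None
    body = module[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("module too short for module_signature")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    if id_type != PKEY_ID_PKCS7 or (algo, hsh, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("unsupported module_signature fields")
    body = body[:-SIG_INFO.size]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len out of range")
    return body[:-sig_len], body[-sig_len:]


def unsigned_digest(module: bytes) -> str:
    """SHA-256 of the module with any appended signature stripped off."""
    unsigned, _ = split_signature(module)
    return hashlib.sha256(unsigned).hexdigest()


# Constructed sample data: not a real ELF module and not real PKCS#7 blobs.
UNSIGNED_MODULE = b"\x7fELF" + b"<constructed reproducible module body>"
DISTRO_SIG = b"<constructed PKCS#7 blob from the distribution's key>"
USER_SIG = b"<constructed PKCS#7 blob from the user's own key>"

if __name__ == "__main__":
    distro = append_signature(UNSIGNED_MODULE, DISTRO_SIG)
    # Re-sign the distribution's unsigned bytes with a different key: the
    # digest of the unsigned part does not change, so the build stays reproducible.
    user = append_signature(split_signature(distro)[0], USER_SIG)
    print(unsigned_digest(distro) == unsigned_digest(user))
```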