On May 19, 2015 8:30 AM, "David Howells" <[email protected]> wrote: > > Andy Lutomirski <[email protected]> wrote: > > > I'll assume that everyone uses a 256-bit hash. > > UEFI makes it very likely that SHA256 is in use, at least on x86_64. > > > The public key is tiny, and the signature is 512 bytes per module. > > (Actually, it's probably more because of PKCS garbage. > > There is metadata selecting the particular key to be checked against, so with > a 512-byte signature, you get around 500 bytes of metadata and ASN.1 > wrappings. We could probably trim that some more by removing PKCS#7 attribute > sections.
You could trim even more by simply not using PKCS#7. A raw PKCS#1 signature would be just fine. (We should really be using PSS, though.) > > We do have to allow people to load external modules. Yes, you could argue > that you should just disable all your security systems if you want to do > that... > Or use signatures for external modules. I'm not arguing for removal of signature support; I'm arguing that the automatically generated key mechanism be removed in favor of hashes. > > This is a total of ~21kB of non-swappable storage and 2MB of disk space for > > all the signatures. > > Disk space is a lot cheaper than RAM. > > > Ed25519 > > Is it endorsed by various governmental authorities? It's not entirely clear. For users who care about cryptographic security instead of compliance with poorly designed standards, this is completely irrelevant... > And also the aforementioned authorities may mandate minimum key (eg. 2048) and > digest sizes (eg. 256) which we need to deal with. ...and for users who need to comply with unfortunate standards, there's ECDSA on P-256, which is blessed by NIST. > > > With the hash-based scheme I outlined, the kernel text needed is > > nearly zero. > > What matters is kernel text *plus* kernel data. The kernel data involved is 32 bytes. > > > What integrity stuff? IIRC dm-verity doesn't use asymmetric crypto at > > all. IMA probably does, though. > > IMA. I don't think that the needs of IMA users should affect normal people who run 'make' on their kernel tree. > > > For firmware validation, there's no good reason it couldn't work exactly > > like module signatures. > > That's really impractical. It would mean that the kernel would have to be > built with a hash, grand-hash, great-grand-hash or whatever that covers every > possible firmware blob you might want to load. > > If a vendor releases a new firmware blob, this has to be added to the > linux-firmware hash list, say, then the hash of that added to the kernel, say, > and the kernel rebuilt and reissued before the firmware blob can be used. Deterministic builds can't apply to firmware regardless, so users are trusting a vendor one way or another. And for Chromebook or Atomic-like uses, hashes are fine. > > With a key-based approach, you just need to get a signature for the new > firmware blob. You can even sign it yourself and add your key to your UEFI > database. Agreed, although I don't understand why UEFI is a reasonable place for firmware or module keys. UEFI is a giant implementation detail, whereas module and firmware validation is really a cross-architecture thing. > > > For kexec, I think that the main use is for crash dumps > > We also want to be able to kexec new kernels on servers to avoid heavy duty > hardware reboot cycles. But you can't put the new kernel's hash in the old > kernel. That should use signatures, too. AFAICS, none of the cases for which signatures seem better than hashes make sense in the signing_key.priv model. If distros want to configure a public key, too, they're welcome to. When I do "make && make install", I think we shouldn't generate a key pair. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
