Proposal for a design for signed kernel/modules/etc

Eric McCorkle eric at metricspace.net
Sun Apr 9 14:40:12 UTC 2017


On 04/08/2017 07:52, Edward Tomasz Napierała wrote:
> On 0408T0803, Eric McCorkle wrote:
>> On 04/08/2017 07:11, Edward Tomasz Napierała wrote:
>>> On 0327T1354, Eric McCorkle wrote:
>>>> Hello everyone,
>>>>
>>>> The following is a design proposal for signed kernel and kernel module
>>>> loading, both at boot- and runtime (with the possibility open for signed
>>>> executables and libraries if someone wanted to go that route).  I'm
>>>> interested in feedback on the idea before I start actually writing code
>>>> for it.
>>>
>>> I see two potential problems with this.
>>>
>>> First, our current loader(8) depends heavily on Forth code.  By making
>>> it load modified 4th files, you can do absolutely anything you want;
>>> AFAIK they have unrestricted access to hardware.  So you should preferably
>>> be able to sign them as well.  You _might_ (not sure on this one) also
>>> want to be able to restrict access to some of the loader configuration
>>> variables.
>>
>> Loader is handled by the UEFI secure boot framework, though the concerns
>> about the 4th code are still valid.  In a secure system, you'd want to
>> do something about that, but the concerns are different enough (and it's
>> isolated enough) that it could be done separately.
> 
> Unless the way to address those ends up being a signature mechanism
> that doesn't depend on the format of the files being signed.

I explored the idea of wrapped or detached signatures in the previous
discussion.  Envelopes or detached signatures could make sense for the
4th files.  It's a small, obscure set of code that probably isn't
changed very often.

Envelopes or detached signatures for kernel modules and especially
signed executables and libraries both have extensive, far-reaching
consequences for system administration, packaging, tooling, the ports
collection, and so on, whereas signing the executable with an additional
section has no such consequences.

Config files (and the 4th files really are more like config files) have
a different set of constraints, and detached signatures are probably the
way to go there.  So loader should probably support detached PKCS#7
signature checks.

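As an added example (not part of this thread or of FreeBSD's code), a shell sketch of the detached PKCS#7 check the message proposes for loader config files: sign a constructed loader.conf without changing the file, verify it against a trust anchor, then show that appending one line is rejected. It uses openssl(1); the self-signed certificate standing in for a key built into loader(8), the file paths and the loader.conf contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not FreeBSD's code): detached PKCS#7/CMS signatures over a
# loader config file, the scheme the message suggests for 4th/config files.
# The signing key, the "loader.conf" contents and all paths are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trust anchor: a self-signed cert standing in for the public
# key that loader(8) would carry built in. Generated fresh on every run.
make_trust_anchor() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo loader config signing key" \
        -keyout "$WORK/sign.key" -out "$WORK/sign.crt" >/dev/null 2>&1
}

# Sign without altering the file: the signature is a separate DER-encoded
# CMS SignedData blob with detached content, written to "$1.p7s".
sign_detached() {
    openssl cms -sign -binary -in "$1" -signer "$WORK/sign.crt" \
        -inkey "$WORK/sign.key" -outform DER -out "$1.p7s" 2>/dev/null
}

# Verify "$1" against "$1.p7s", trusting only the anchor above. Exit status
# 0 means a valid signature; non-zero means the file or signature changed.
verify_detached() {
    openssl cms -verify -binary -inform DER -in "$1.p7s" -content "$1" \
        -CAfile "$WORK/sign.crt" -out /dev/null >/dev/null 2>&1
}

# Returns 0 only if the signed config verifies and a one-line edit made
# after signing is rejected, i.e. the detached signature covers the content.
demo() {
    cfg="$WORK/loader.conf"
    make_trust_anchor
    printf 'kernels_autodetect="NO"\nverbose_loading="YES"\n' > "$cfg"
    sign_detached "$cfg"
    verify_detached "$cfg" || return 1
    printf 'boot_verbose="YES"\n' >> "$cfg"      # tamper after signing
    if verify_detached "$cfg"; then return 1; fi
    return 0
}

demo && echo "detached signature verified, tampered copy rejected"
```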
