於 四,2013-12-12 於 08:33 -0500,Josh Boyer 提到:
On Thu, Dec 12, 2013 at 11:46:22AM +0800, joeyli wrote:
> Hi Josh,
>
> Thanks for your review and suggestions!
>
> 於 三,2013-12-11 於 11:07 -0500,Josh Boyer 提到:
> > On Wed, Dec 11, 2013 at 03:26:16PM +0800, Lee, Chun-Yi wrote:
> > > This patch introduces a blacklist list of kernel module's hash. It
check
> > > the blacklist before checking kernel module signature.
> > > It didn't limit what hash algorithm used but the module of hash
algorithm
> > > need build-in or put in initrd for verify kernel module in initrd.
> > >
> ...
> > > + const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
> > > +
> > > + /* truncate the module to discard the signature when it signed */
> > > + if (modlen > markerlen &&
> > > + memcmp(mod + modlen - markerlen, MODULE_SIG_STRING, markerlen) == 0)
{
> > > + modlen -= markerlen;
> > > + if (modlen <= sizeof(ms))
> > > + return -EBADMSG;
> > > + memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
> > > + modlen -= sizeof(ms);
> > > + sig_len = be32_to_cpu(ms.sig_len);
> > > + if (sig_len >= modlen)
> > > + return -EBADMSG;
> > > + modlen -= sig_len;
> > > + if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
> > > + return -EBADMSG;
> > > + modlen -= (size_t)ms.signer_len + ms.key_id_len;
> > > + }
> >
> > Hm. Why do we discard the signature before we calculate the hash? It
> > seems we might need to check for a hash of both the signed and unsigned
> > module, correct?
> >
>
> Yes, the reason of blacklisted a kernel module is there have security
> weakness in the code of module. So, no matter who signed the kernel
> module or even the module didn't sign, we don't want it loaded by
> kernel.
>
> For another situation, if we want revoke a KEY, then just direct import
> the public key to MOKx but not add hash of signed kernel module one by
> one.
That is all true, but we don't necessarily control what hash is actually
stored in dbx/MokXRT. If a user (or in the case of dbx, the CA)
happened to hash the module with the signature attached and enrolled
that hash into UEFI/Mok, then doing a comparison with the signature
stripped against that will fail, won't it? That is why I was suggesting
we needed to compare against both.
I agree that the ideal situation would be for the enrolled hash to be
free of signatures, but there's nothing that guarantees that will be the
case.
OK, I will also computing the hash with signature and compare.
(I also think the vast majority of blacklisting will be with certs, not
with individual modules so this is somewhat minor. I think that even
small build-time variances will make module blacklisting difficult to
actually make viable.)
josh
For the situation we don't want revoke key of certificate, it's the way
we need carry out.
Thanks a lot!
Joey Lee