On Thu, Feb 7, 2013 at 5:14 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> On Thu, Feb 07, 2013 at 04:49:43PM +0200, Zeeshan Ali (Khattak) wrote:
>> On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
>> > On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
>> >> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
>> >> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
>> >> >> Why not let apps decide that? We are giving them info on the signed
>> >> >> status of drivers and they can make an informed decision.
>> >> >
>> >> > This is exactly my point, applications cannot say "I'm only using signed
>> >> > drivers, don't disable signature checking" with the current series as far
>> >> > as I understand it.
>> >>
>> >> If applications are only going to use signed drivers, they don't need
>> >> to disable anything. So really there is no app that is going to need
>> >> this API, but to get this very important work in, I'll live with a bit
>> >> of redundant API.
>> >
>> > Yes, applications using signed drivers will not need to disable anything.
>> > However, my understanding is that you want to use *unsigned* drivers in
>> > your application; in that case you need to disable signature verification.
>> > You are designing the whole thing with the nominal case being unsigned
>> > drivers, which makes sense for your use case.
>>
>> Not at all. I'm providing applications with information on whether drivers
>> are signed or not.
>
> Yes
>
>> Based on that they can make a decision. If they
>> decide to use unsigned drivers, there is absolutely no reason any app
>> would want to disable some checks as well.
>
> I think applications should be able to control whether the OS they
> install will have
> DriverSigningPolicy=Ignore
> set or not. And this should default to not be 'Ignore'.
> So if you want to be
> able to install unsigned drivers, you need to be able to disable signature
> checking (i.e. tell the install script to add this line).
>
>
>> Unless you could specify a
>> (not hypothetical) use case or example of an app that would want such a
>> thing, I don't think there is any need for what you are asking for.
>
> Once again, this is a security feature. You keep pretending it's not,
> waving it away, but this doesn't change the fact that this improves the
> system security, and you are going to disable this without leaving any
> control to the library user on this.
>
>> Especially since I told you the problems with making this configurable
>> in the last mail.
>
> 'This is complicated' is not necessarily a good reason for not doing
> something. But let's first focus on what we do about this signature
> checking stuff; I haven't really looked at the mail where you describe the
> problems you have yet.
>
>> Moreover, even as a security measure, it's doubtful that MS thought of an
>> application being involved in the process. The common use case
>> involves only the user and MS' software (mainly the installer). It's a
>> very usual thing to not trust users to know exactly what they are
>> doing. They can get malicious drivers from anywhere and try to install
>> them. In the case of libosinfo, there is going to be an app involved,
>> making the decision for the user.
>
> But once the system is installed, the user will be in control of the OS,
> and signature checking will still be disabled!

Now you are talking. :) This is a very good point. I didn't think of the
fact that driver checking could be 'permanently' disabled by this. I'll
check it out. Based on your following email, I think now we have an
agreement on how to proceed.

--
Regards,
Zeeshan Ali (Khattak)
FSF member#5124

_______________________________________________
Libosinfo mailing list
Libosinfo@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libosinfo
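The decision the thread converges on, modelled as an added Python example that is not libosinfo's code: the `(name, signed)` driver pairs and the function names are assumptions, the answer file is constructed. It emits DriverSigningPolicy=Ignore only when an unsigned driver is used and the application explicitly opted in, and it audits and hardens a winnt.sif-style install script so the setting is not left behind in the installed OS.

```python
import configparser
import io

# Constructed winnt.sif-style answer file (not from libosinfo); the
# [Unattended] section is where the DriverSigningPolicy key lives.
SAMPLE_SCRIPT = """\
[Data]
AutoPartition=1
[Unattended]
UnattendMode=FullUnattended
DriverSigningPolicy=Ignore
"""

def choose_driver_signing_policy(drivers, allow_unsigned=False):
    """Decide which DriverSigningPolicy value the generated script should set.

    drivers: (name, signed) pairs standing in for the signed-status
    information the thread says the library gives applications (assumed
    shape, not the libosinfo API).  Returns None when the script should
    leave the OS default alone, "Ignore" only when an unsigned driver is
    used *and* the application opted in, and raises otherwise so signature
    checking is never switched off silently.
    """
    unsigned = [name for name, signed in drivers if not signed]
    if not unsigned:
        return None
    if not allow_unsigned:
        raise PermissionError("unsigned drivers need an explicit opt-in: "
                              + ", ".join(unsigned))
    return "Ignore"

def _parse(script_text):
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(script_text)
    return cp

def signing_disabled(script_text):
    """True if the answer file turns driver-signature checking off."""
    policy = _parse(script_text).get("Unattended", "DriverSigningPolicy",
                                     fallback="")
    return policy.strip().lower() == "ignore"

def harden(script_text):
    """Drop DriverSigningPolicy=Ignore so the installed OS keeps its default."""
    cp = _parse(script_text)
    if signing_disabled(script_text):
        cp.remove_option("Unattended", "DriverSigningPolicy")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()
```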