Re: Suggestion: Use a unified kernel image by default in the future.

On Mo, 04.07.22 19:18, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote:

> Even if initrds are (somehow) signed, the kernel command line can
> still be modified, like adding `init=/usr/bin/bash`.

Hmm? sd-stub refuses any kernel cmdline passed in manually if
SecureBoot is on. The kernel cmdline allows you to do pretty much
anything you like with your system, hence in a locked down environment
we cannot allow uncontrolled access to that.

> Also, if everything is signed by fedora, then the user can not
> modify the command line. There is a lot of hardware that needs
> command line modifications to boot.

Like what?

> Also, fedora would have to revoke signatures for every vulnerable
> kernel, or there is no real security. If those kernels' signatures
> are revoked, then they won't boot even when they are the currently
> installed kernel and should be able to boot.

I think as long as we get rollback protection we should be
fine, i.e. after a kernel has been deemed good and working for a bit,
we can automatically cut off older kernels via TPM logic after a
while. (This requires implementing a TPM policy against a counter
stored in the TPM. This is not implemented yet in the TPM policies
systemd supports, but can be expressed in TPM2 policy language.)

> If there is a way for a fedora signed kernel image to
> load a locally signed command line, then this would work much
> better.

Well, we could add that, but this would mean doing more complex TPM
interactions from the UEFI environment, and I'd rather not do that too
much.

> > However I think the initrd should be built on fedora infra
> > and signed with fedora keys by default.
>
> What about when the user has a custom kernel module, would there be
> a way for the user to use it?

You can enroll multiple certificates for validation, if you
like, i.e. if you want to sign your own modules, then enroll both the
fedora and your own cert. You could use shim for that if you like.

Or alternatively, turn off secureboot if you don't want to set up your
certs, and want to load hacky modules.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
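The point above is that a unified kernel image carries its command line inside the signed PE file (the `.cmdline` section that sd-stub reads), so whatever was signed is what boots. The following is an added example, not code from this thread or from systemd: a small stand-alone PE section parser that extracts that section so an administrator can verify which command line a signed image actually carries. It assumes the standard PE/COFF header layout and builds a constructed, non-bootable sample image (`build_fake_uki`) only to exercise the parser.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE image (e.g. a UKI built on sd-stub)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = {}
    for i in range(num_sections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        # raw data may be padded up to the file alignment; VirtualSize is the payload length
        size = min(vsize, rawsize) if vsize else rawsize
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[rawptr:rawptr + size]
    return sections

def uki_cmdline(image: bytes):
    """The kernel command line baked into the .cmdline section, or None if the section is absent."""
    data = pe_sections(image).get(".cmdline")
    return None if data is None else data.split(b"\0", 1)[0].decode("utf-8", "replace").strip()

def cmdline_matches(image: bytes, expected: str) -> bool:
    return uki_cmdline(image) == expected    # does the signed image carry exactly what we intended?

def build_fake_uki(sections: list) -> bytes:
    """Constructed, non-bootable PE shell with the given (name, data) sections, for testing only."""
    e_lfanew, opt_size = 0x40, 0
    table = e_lfanew + 4 + 20
    data_start = table + 40 * len(sections)
    hdr = bytearray(data_start)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x8664, len(sections))   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, opt_size)            # SizeOfOptionalHeader
    body = bytearray()
    for i, (name, data) in enumerate(sections):
        struct.pack_into("<8sIIII", hdr, table + 40 * i, name, len(data),
                         0x20000 * (i + 1), len(data), data_start + len(body))
        body += data
    return bytes(hdr + body)

# Constructed sample: the command line a distro would bake in, next to a tampered variant.
EXPECTED = "root=/dev/mapper/root ro quiet"
GOOD_UKI = build_fake_uki([(b".osrel", b"ID=fedora\n"), (b".cmdline", EXPECTED.encode() + b"\0"),
                           (b".linux", b"\x7fELF-kernel-placeholder")])
TAMPERED_UKI = build_fake_uki([(b".cmdline", (EXPECTED + " init=/usr/bin/bash").encode())])
```

On a real image, read the `.efi` file into `image` and compare `uki_cmdline(image)` against the command line you expect to have signed.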
