Re: F38 proposal: Unified Kernel Support Phase 1 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Do, 22.12.22 10:43, Neal Gompa (ngompa13@xxxxxxxxx) wrote:

> On Thu, Dec 22, 2022 at 10:39 AM Lennart Poettering
> <mzerqung@xxxxxxxxxxx> wrote:
> >
> > On Do, 22.12.22 05:38, Neal Gompa (ngompa13@xxxxxxxxx) wrote:
> >
> > > > I understand the big issue you have is that the certificate store for
> > > > Linux (i.e. the mokutil db) is limited in size because EFI variable
> > > > NVRAM is limited in size? If that's the big issue you are having then
> > > > that's absolutely something the Linux community can fix, and can
> > > > address. Specifically, shim could allow storing the cert store on
> > > > disk, and authenticate it at boot via the TPM. Not trivial, but
> > > > doable. And certainly not the firmware's fault...
> > > >
> > > > I mean, UEFI has its warts, but I don't see that it's UEFI's fault if
> > > > the way Linux/shim/mokutil implement the cert db is done the way it is
> > > > currently done.
> > >
> > > Frankly, I'm aggravated by the increased reliance on UEFI features
> > > without fixing Linux's problems with UEFI features. If we stopped
> > > relying on UEFI for the cert store, a lot of my issues would go away,
> > > because then we can design better workflows for managing
> > > certificates.
> >
> > Well, the thing is: a chain of trust is a *chain*, hence you must
> > ultimately hook validation to what the firmware provides you with as
> > root. And that ultimately is the SecureBoot db on commodity hardware.
> >
> > If I buy a boring laptop at a store it will come with a UEFI cert
> > store, and nothing else. Linux cannot really ignore that. If it did,
> > then you'd not have a trusted boot chain, hence the whole excercsie
> > would be pointless.
> >
>
> Shim trusts MS and the main distro cert, grub is trusted from there,
> then the OS trusts those and anything else the admin adds. That's how
> It should work. Trust chains are sensible as long as they're
> extensible.

Hmm, that chain is partly backwards? it's the firmware that has to
trust the msft cert which trusts shim, which trusts the distro cert,
which trusts grub and the kernel. The thing that comes first
at boot must trust the next, otherwise we'd have to boot into
untrusted stuff first, which really misses the point? not grokking
what you are trying tosay?

> > > You *need* to think about these problems when designing this stuff.
> > > You can't take a myopic x86-only view to this. I have not heard of
> > > anything about UKI security for non-x86 because it seems to all be
> > > tied up in UEFI stuff.
> >
> > I work for a company that is working on ARM UEFI systems booting UKIs
> > in massive scale.
>
> One company is one company. It's not a variety of people and users.
> Scale means nothing if it's not distributed.

Well, you said you have not "heard" of anyone doing UKI security on
non-x86. Now you have.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux