Re: Automating signing of DKMS modules with machine owner key



On 2020-08-06 21:49:06 +0200 (+0200), Sven Bartscher wrote:
> Am Thu, 6 Aug 2020 17:24:08 +0000
> schrieb Jeremy Stanley <fungi@yuggoth.org>:
> 
> > The idea is that UEFI/BIOS checks the signature for GRUB before
> > executing it, and does so instructing GRUB to verify the signature
> > for its config. GRUB then checks the signatures on the kernel and
> > initrd before handing off control. To alter GRUB or its
> > configuration or the kernel or initrd ultimately (in theory, barring
> > bugs like the "Boot Hole" vulnerability everyone was talking about
> > over the weekend) you'll have to guess the BIOS password or have
> > access to reflash it with your own. Ideally this tampering also
> > invalidates cryptographic attestation for the entire chain, which
> > the user should then be able to detect.
> 
> Are you talking about the Debian default setup or some custom setup? I
> don't really see how the Debian setup can do this, because the grub
> configuration and the initrd are generated on the end user machine.
> By default Debian doesn't enroll a MOK, so I don't see how the end user
> machine would sign the grub configuration and the initrd, as there is
> simply no key available that would be accepted by the UEFI.

As noted earlier, this does require user interaction and direct
configuration of things (including things outside Debian's sphere of
control, including but not limited to BIOS configuration and even
hardware selection). This is part of why I question the benefits of
having DKMS auto-sign modules with a key maintained on the rootfs,
when so much else is necessary to make that have any tangible
security benefit. I'm wary of automated "security" mechanisms which
ignore the fact that they're dependent on non-automated layers. This
is often referred to as "security theater" in other realms, but
boils down to engendering a false sense of security in users because
they turned on the automated thing and don't realize there's a ton
of other setup they need or else it's just pointless complication.
-- 
Jeremy Stanley
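As an added illustration of the point made above, and not code from this thread or from Debian's dkms packaging: a POSIX shell check that reports whether the layers an auto-signed DKMS module depends on are actually active on the running system (Secure Boot state from the EFI variable, kernel lockdown mode, and the kernel's module.sig_enforce flag). The file paths are parameters so the functions can be exercised against constructed sample files; MOK enrollment itself is not checked here, since that needs mokutil and firmware access.

```shell
#!/bin/sh
# Report whether kernel module signatures are actually enforced, i.e. whether
# a DKMS signing key on the rootfs has any effect at all.
# Every function takes an optional path so it can be tested on sample files.

# SecureBoot EFI variable: 4 attribute bytes, then one data byte (1 = on).
# Prints "enabled", "disabled" or "unavailable".
sb_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo unavailable; return; }
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# Kernel lockdown file looks like "none [integrity] confidentiality";
# prints the bracketed (active) mode, or nothing if the file is absent.
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo unavailable; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# module.sig_enforce parameter: "Y" means unsigned modules are refused.
sig_enforce() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] || { echo unavailable; return; }
    tr -d '[:space:]' < "$f"
}

# Exit 0 only when all three layers are in place; otherwise say which is not.
chain_verdict() {
    sb=$(sb_state "$1"); ld=$(lockdown_mode "$2"); se=$(sig_enforce "$3")
    if [ "$sb" = enabled ] && [ "$se" = Y ] &&
       { [ "$ld" = integrity ] || [ "$ld" = confidentiality ]; }; then
        echo "signature enforcement active: a DKMS signing key has effect"
        return 0
    fi
    echo "not enforced (secureboot=$sb lockdown=$ld sig_enforce=$se):" \
         "auto-signed DKMS modules add no protection on this system"
    return 1
}

# Run against the live sysfs/efivars paths when invoked with --live.
[ "${1:-}" = "--live" ] && chain_verdict
```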
