Date:      Sat, 8 Apr 2017 12:11:44 +0100
From:      Edward Tomasz Napierała <trasz@FreeBSD.org>
To:        Eric McCorkle <eric@metricspace.net>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>, freebsd-security@freebsd.org
Subject:   Re: Proposal for a design for signed kernel/modules/etc
Message-ID:  <20170408111144.GC14604@brick>
In-Reply-To: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net>
References:  <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net>

On 0327T1354, Eric McCorkle wrote:
> Hello everyone,
> 
> The following is a design proposal for signed kernel and kernel module
> loading, both at boot- and runtime (with the possibility open for signed
> executables and libraries if someone wanted to go that route).  I'm
> interested in feedback on the idea before I start actually writing code
> for it.

I see two potential problems with this.

First, our current loader(8) depends heavily on Forth code.  By making
it load modified 4th files, you can do absolutely anything you want;
AFAIK they have unrestricted access to hardware.  So you should preferably
be able to sign them as well.  You _might_ (not sure on this one) also
want to be able to restrict access to some of the loader configuration
variables.

Second - given OpenSSL's track record, moving signature verification
and the X.509 stuff into the kernel (to verify userland) and loader
(to verify the kernel and modules)... well, it just doesn't seem
to be a good idea.

Also: do you know about veriexec?

https://reviews.freebsd.org/D8575
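The first objection above is about coverage: if loader(8) executes Forth scripts and reads loader.conf, a signing scheme that authenticates only the kernel and .ko files leaves executable input unprotected. The following is an added illustration, not code from this thread, from FreeBSD, or from the proposal under discussion. It models a loader-side check that every file on a hypothetical boot load list is covered by an authenticated manifest, and reports which files would be loaded unsigned or with contents that differ from the manifest. All file contents, paths in the load list, the manifest format and the key are constructed for the example; the HMAC over the manifest is a standard-library stand-in for the asymmetric signature a real design would use.

```python
import hashlib
import hmac

# Constructed in-memory boot artifacts (sample data, not real FreeBSD files).
FILES = {
    "/boot/kernel/kernel": b"\x7fELF constructed kernel image",
    "/boot/kernel/if_em.ko": b"\x7fELF constructed kernel module",
    "/boot/loader.4th": b": boot-conf  constructed Forth word ;",
    "/boot/loader.conf": b'if_em_load="YES"\n',
}

# Hypothetical load list: everything the loader would read or execute at boot.
LOAD_LIST = list(FILES)

# Constructed manifest-authentication key (stand-in for a signing key).
MANIFEST_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(paths, files) -> str:
    """Canonical manifest text: one 'sha256 path' line per path, sorted."""
    lines = ["%s %s" % (sha256_hex(files[p]), p) for p in sorted(paths)]
    return "\n".join(lines) + "\n"


def authenticate_manifest(manifest_text: str, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest; stands in for a signature."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_manifest(manifest_text: str, tag: str, key: bytes) -> bool:
    expected = authenticate_manifest(manifest_text, key)
    return hmac.compare_digest(expected, tag)


def parse_manifest(manifest_text: str) -> dict:
    entries = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(" ", 1)
        entries[path] = digest
    return entries


def check_boot_set(load_list, files, manifest_text, tag, key) -> dict:
    """Per-file verdict for everything the loader is about to use.

    If the manifest itself does not authenticate, nothing is trusted.
    Otherwise each file is 'ok', 'mismatch' (content differs from the
    manifest digest) or 'unsigned' (the manifest does not cover it at all).
    """
    if not verify_manifest(manifest_text, tag, key):
        return {p: "untrusted-manifest" for p in load_list}
    entries = parse_manifest(manifest_text)
    verdicts = {}
    for path in load_list:
        if path not in entries:
            verdicts[path] = "unsigned"
        elif sha256_hex(files[path]) != entries[path]:
            verdicts[path] = "mismatch"
        else:
            verdicts[path] = "ok"
    return verdicts


def boot_allowed(verdicts) -> bool:
    return all(v == "ok" for v in verdicts.values())


def demo():
    # Scope limited to kernel + modules: the Forth script and loader.conf
    # would be consumed unsigned.
    narrow = build_manifest(["/boot/kernel/kernel", "/boot/kernel/if_em.ko"], FILES)
    narrow_tag = authenticate_manifest(narrow, MANIFEST_KEY)
    narrow_verdicts = check_boot_set(LOAD_LIST, FILES, narrow, narrow_tag, MANIFEST_KEY)

    # Scope extended to everything on the load list.
    full = build_manifest(LOAD_LIST, FILES)
    full_tag = authenticate_manifest(full, MANIFEST_KEY)
    full_verdicts = check_boot_set(LOAD_LIST, FILES, full, full_tag, MANIFEST_KEY)

    # Same full manifest, but the Forth script on "disk" no longer matches it.
    changed = dict(FILES)
    changed["/boot/loader.4th"] = b": boot-conf  changed ;"
    changed_verdicts = check_boot_set(LOAD_LIST, changed, full, full_tag, MANIFEST_KEY)

    return narrow_verdicts, full_verdicts, changed_verdicts


if __name__ == "__main__":
    for label, verdicts in zip(("narrow", "full", "changed"), demo()):
        print(label, "boot allowed:", boot_allowed(verdicts), verdicts)
```

The useful property here is that the check is driven by the load list rather than by the manifest: a file the loader would execute but the manifest never mentions shows up as `unsigned` instead of silently passing, which is exactly the gap a kernel-and-modules-only scheme leaves for .4th files.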
