On 05/01/13 02:11, David Hubbard wrote:
Hi Andrew,
On Fri, Jan 4, 2013 at 5:09 PM, Andrew Goodbody <ajg4tadpole@gmail.com mailto:ajg4tadpole@gmail.com> wrote:
Enrol your own key. Sign your own kernel. Seems to scale linearly per user to me. Security is not free. There will always be a cost.
I am actually quite conflicted because I try to look out for the underdog in every fight. Right now that would be you (no offense intended). Please view my comments as directed at Microsoft and the standard they have pushed onto us. And thanks for debating.
No offense taken. I have never been one for following the crowd just because. Debate is good.
"Security is not free"
I think the Linux kernel is a glaring hole in that argument. The Linux kernel is *free*, by many definitions. Oh, and it is the *right* way to implement security.
There is always a cost to security. The cost for Linux is that certain operations need privileged access so you have to do something special (su, sudo etc) in order to complete those operations. That is the sort of cost I am talking about when I say not free. There is also the added complexity in the code requiring careful maintenance and simply more time to implement. So yes security is not free.
Secure Boot is neither libre nor gratis. For $99 you can have a closed DRM solution. All DRM solutions are fundamentally flawed because both lock *and* key must be present on the machine. The only thing DRM has consistently done is inconvenience the average person.
You only need to pay the $99 if you do not want to enrol your own key. The point of PKI is that you can see the public key without being able to guess the private key. It is bugs in the implementation or leaks of the private key that have compromised current PKI systems, not fundamental flaws in the cryptography.
"Enrol (sic) your own key. Sign your own kernel."
'Enrol' is correct English. For some reason American English adds a superfluous 'l' :-)
For $99 I could get my kernel signed by Verisign. That does not scale. That was my point, thanks.
And my point was that you do not have to play that game. You can use Secure Boot without paying a penny to anybody. If you do not want to enrol your own key then you can use shim instead. You can go on compiling your own kernel and use Secure Boot without having to get it signed by Verisign every time.
To attempt to convince all the OEM's to sign their UEFI drivers with my key would be impossible; furthermore, the UEFI spec only has *one* slot for signatures on OEM UEFI drivers.
Not true. Current tools only implement a single signing slot but there are tools being developed to allow multiple signatures. This will then need to be supported in the Secure Boot implementations so may not work on initial implementations. http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=SecurityPkg
The whole bring-your-own-key argument is a red herring as soon as a third-party driver is involved, because the driver must then be trusted without verifying its signature. You wouldn't accept that kind of security compromise, would you?
The whole 3rd party driver thing complicates matters for sure. First of all do you even trust that driver? If you do then you can sign it and overwrite the signature it was shipped with. Also I believe that you can enrol a hash of a driver as an alternative means of verification to signature based verification although that may depend on the policy of that platform.
I know I won't. I'll ditch Secure Boot entirely and use coreboot.
Regards, David
Thanks for listening, Andrew