[Libosinfo] [PATCH 2/8] winxp, installer: Ignore unsigned drivers

Zeeshan Ali (Khattak) zeeshanak at gnome.org
Thu Feb 7 14:49:43 UTC 2013


On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
>> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
>> >> Why not let apps decide that? We are giving them info on the signed
>> >> status of drivers and they can make an informed decision.
>> >
>> > This is exactly my point, applications cannot say "I'm only using signed
>> > drivers, don't disable signature checking" with the current series as far
>> > as I understand it.
>>
>> If applications are only going to use signed drivers, they don't need
>> to disable anything. So really there is no app that is going to need
>> this API but to get this very important work in, I'll live with a bit
>> of redundant API.
>
> Yes, applications using signed drivers will not need to disable anything.
> However, my understanding is that you want to use *unsigned* drivers in
> your application, in that case you need to disable signature verification.
> You are designing the whole thing with the nominal case being unsigned
> drivers, which makes sense for your use case.

Not at all. I'm providing applications with information on whether drivers
are signed or not. Based on that they can make a decision. If they
decide to use unsigned drivers, there is absolutely no reason any app
would want to disable some checks as well. Unless you can specify a
(not hypothetical) use case or example of an app that would want such a
thing, I don't think there is any need for what you are asking for.
Especially since I told you the problems with making this configurable
in the last mail.

> The fact that you are using unsigned drivers in the first place is a 'bug'
> imo,

IMO the bug is that Microsoft requires these signatures. It's obvious
that not everyone can get their drivers signed no matter how "secure"
or good they are, so requiring this signature is just wrong of them.

Moreover, even as a security measure, it's doubtful that MS thought of an
application being involved in the process. The common use case
involves only the user and MS' software (mainly the installer). It's a
very usual thing to not trust users to know exactly what they are
doing. They can get malicious drivers from anywhere and try to install
them. In the case of libosinfo, there is going to be an app involved,
making the decision for the user.

> and the right way of handling that is doing whatever it takes to get
> signed drivers instead of the unsigned ones. Hence, the unsigned driver code
> in libosinfo is just a workaround for that, and since this workaround
> involves disabling some built-in OS checks, then we need an API to
> explicitly disable these if that's what we want.

Unless you can point out any use case, I'm not going to add confusing
API just to satisfy some particular proprietary vendor.

> I even remember you
> telling me that MS says signature checks on Win7 should only be disabled
> in test setups, not on production machines, which seems consistent with not
> doing this by default in libosinfo..

Yes? I don't live to serve MS. :)


-- 
Regards,

Zeeshan Ali (Khattak)
FSF member#5124