[Libosinfo] [PATCH 2/8] winxp, installer: Ignore unsigned drivers

Christophe Fergeau cfergeau at redhat.com
Thu Feb 7 15:14:27 UTC 2013


On Thu, Feb 07, 2013 at 04:49:43PM +0200, Zeeshan Ali (Khattak) wrote:
> On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> > On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
> >> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> >> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
> >> >> Why not let apps decide that? We are giving them info on the signed
> >> >> status of drivers and they can make an informed decision.
> >> >
> >> > This is exactly my point, applications cannot say "I'm only using signed
> >> > drivers, don't disable signature checking" with the current series as far
> >> > as I understand it.
> >>
> >> If applications are only going to use signed drivers, they don't need
> >> to disable anything. So really there is no app that is going to need
> >> this API but to get this very important work in, I'll live with a bit
> >> of redundant API.
> >
> > Yes, applications using signed drivers will not need to disable anything.
> > However, my understanding is that you want to use *unsigned* drivers in
> > your application, in that case you need to disable signature verification.
> > You are designing the whole thing with the nominal case being unsigned
> > drivers, which makes sense for your use case.
> 
> Not at all. I'm providing application with information that drivers
> are signed or not.

Yes

> Based on that they can make a decision. If they
> decide to use unsigned drivers, there is absolutely no reason any app
> would want to disable some checks as well.

I think applications should be able to control whether the OS they install
will have
    DriverSigningPolicy=Ignore
set or not. And this should default to not be 'Ignore'. So if you want to be
able to install unsigned drivers, you need to be able to disable signature
checking (i.e. tell the install script to add this line).


> Unless you could specify a
> (not hypothetical) use case or example of an app that would want such a
> thing, I don't think there is any need for what you are asking for.

Once again, this is a security feature. You keep pretending it's not,
waving it away, but this doesn't change the fact that this improves the
system security, and you are going to disable this without leaving any
control to the library user on this.

> Especially since I told you the problems with making this configurable
> in the last mail.

'this is complicated' is not necessarily a good reason for not doing
something. But let's first focus on what we do about this signature
checking stuff, I haven't really looked at the mail where you describe the
problems you have yet.

> Moreover, even as a security measure, it's doubtful that MS thought of an
> application being involved in the process. The common use case
> involves only the user and MS' software (mainly the installer). It's a
> very usual thing to not trust users to know exactly what they are
> doing. They can get malicious drivers from anywhere and try to install
> them. In case of libosinfo, there is going to be an app involved,
> making the decision for the user.

But once the system is installed, the user will be in control of the OS,
and signature checking will still be disabled! And this patch is disabling
this even when no unsigned drivers are involved at all.

> Unless you can point out any use case, I'm not going to add confusing
> API just to satisfy some particular proprietary vendor.

Ok, then we should not do all this work to support unsigned drivers, or to
postinstall windows drivers, and we can drop this patch series (in other
words, not a useful argument at all).

Christophe
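
An added example, not part of the original mail and not libosinfo code: a check an application could run over a generated install script to see whether signature checking is being turned off, and whether any unsigned driver actually calls for it. It assumes the script is a Windows XP answer file with the setting in its [Unattended] section; the function names, finding strings and sample files are hypothetical and constructed.

```python
import configparser

# Constructed sample answer files; not taken from libosinfo.
SIF_IGNORE = "[Unattended]\nUnattendMode=FullUnattended\nDriverSigningPolicy=Ignore\n"
SIF_DEFAULT = "[Unattended]\nUnattendMode=FullUnattended\n"


def signing_policy(sif_text):
    """Return the DriverSigningPolicy value from [Unattended], or None if unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       allow_no_value=True)
    parser.read_string(sif_text)
    for section in parser.sections():
        # Section names are matched case-insensitively here (assumption).
        if section.lower() == "unattended":
            value = parser[section].get("DriverSigningPolicy")
            return value.strip().strip('"') if value else None
    return None


def audit(sif_text, drivers):
    """drivers: (name, is_signed) pairs the application plans to install.

    Returns a list of findings; an empty list means nothing to report.
    """
    policy = signing_policy(sif_text)
    unsigned = [name for name, signed in drivers if not signed]
    ignore = policy is not None and policy.lower() == "ignore"
    findings = []
    if ignore and not unsigned:
        # The case objected to in the mail: checks off, no unsigned driver used.
        findings.append("ignore-without-unsigned-drivers")
    elif ignore:
        # Checks stay off after installation, so list what required it.
        findings.append("ignore-for-unsigned: " + ", ".join(unsigned))
    elif unsigned:
        # Unsigned drivers were selected but the script does not disable checks.
        findings.append("unsigned-without-ignore: " + ", ".join(unsigned))
    return findings


if __name__ == "__main__":
    # Hypothetical driver file names.
    print(audit(SIF_IGNORE, [("signed-example.inf", True)]))
    print(audit(SIF_IGNORE, [("unsigned-example.inf", False)]))
    print(audit(SIF_DEFAULT, [("unsigned-example.inf", False)]))
```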