[Libosinfo] [PATCH 2/8] winxp, installer: Ignore unsigned drivers

Zeeshan Ali (Khattak) zeeshanak at gnome.org
Thu Feb 7 19:19:35 UTC 2013


On Thu, Feb 7, 2013 at 5:14 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> On Thu, Feb 07, 2013 at 04:49:43PM +0200, Zeeshan Ali (Khattak) wrote:
>> On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>> > On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
>> >> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>> >> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
>> >> >> Why not let apps decide that? We are giving them info on the signed
>> >> >> status of drivers and they can make an informed decision.
>> >> >
>> >> > This is exactly my point, applications cannot say "I'm only using signed
>> >> > drivers, don't disable signature checking" with the current series as far
>> >> > as I understand it.
>> >>
>> >> If applications are only going to use signed drivers, they don't need
>> >> to disable anything. So really there is no app that is going to need
>> >> this API but to get this very important work in, I'll live with a bit
>> >> of redundant API.
>> >
>> > Yes, applications using signed drivers will not need to disable anything.
>> > However, my understanding is that you want to use *unsigned* drivers in
>> > your application, in that case you need to disable signature verification.
>> > You are designing the whole thing with the nominal case being unsigned
>> > drivers, which makes sense for your use case.
>>
>> Not at all. I'm providing applications with information on whether
>> drivers are signed or not.
>
> Yes
>
>> Based on that they can make a decision. If they
>> decide to use unsigned drivers, there is absolutely no reason any app
>> would want to disable some checks as well.
>
> I think applications should be able to control whether the OS they
> install will have
> DriverSigningPolicy=Ignore
> set or not. And this should default to not be 'Ignore'. So if you want to be
> able to install unsigned drivers, you need to be able to disable signature
> checking (i.e. tell the install script to add this line).
>
>
>> Unless you could specify a
>> (not hypothetical) usecase or example of an app that would want such a
>> thing, I don't think there is any need for what you are asking for.
>
> Once again, this is a security feature. You keep pretending it's not,
> waving it away, but this doesn't change the fact that this improves the
> system security, and you are going to disable this without letting any
> control to the library user on this.
>
>> Especially since I told you the problems with making this configurable
>> in the last mail.
>
> 'this is complicated' is not necessarily a good reason for not doing
> something. But let's first focus on what we do about this signature
> checking stuff, I haven't really looked at the mail where you describe the
> problems you have yet.
>
>> Moreover, even as a security measure, it's doubtful that MS thought of an
>> application being involved in the process. The common use case
>> involves only the user and MS' software (mainly the installer). It's a
>> very usual thing to not trust users to know exactly what they are
>> doing. They can get malicious drivers from anywhere and try to install
>> them. In case of libosinfo, there is going to be an app involved,
>> making the decision for the user.
>
> But once the system is installed, the user will be in control of the OS,
> and signature checking will still be disabled!

Now you are talking. :) This is a very good point. I didn't think of
the fact that driver checking could be 'permanently' disabled by this.
I'll check it out.

Based on your following email, I think now we have an agreement on how
to proceed.

-- 
Regards,

Zeeshan Ali (Khattak)
FSF member#5124
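The exchange above turns on one setting in the generated Windows XP answer file: whether the install script writes DriverSigningPolicy=Ignore into the [Unattended] section of winnt.sif, which leaves driver signature enforcement off on the installed system. The following is an added illustration, not libosinfo's code or anything from this patch series, of the behaviour Christophe asks for: the policy line is only emitted when the caller explicitly opts in, it defaults to a value other than Ignore, and an existing answer file can be audited for the weakened setting. The key name and its values (Block, Warn, Ignore) are the real winnt.sif [Unattended] ones; the function names, the choice of Warn as the default, and the sample answer file are this example's own assumptions.

```python
"""Generate and audit the DriverSigningPolicy line of a Windows XP
unattended answer file (winnt.sif).  Example code written for this
discussion; not part of libosinfo."""
import configparser

# Values accepted by DriverSigningPolicy in the [Unattended] section.
VALID_POLICIES = ("Block", "Warn", "Ignore")

# Default when the caller does not ask for unsigned drivers.  "Warn" is this
# example's choice; the thread only requires that the default is not "Ignore".
DEFAULT_POLICY = "Warn"


def render_unattended(allow_unsigned_drivers=False, policy=None):
    """Return the [Unattended] section for winnt.sif.

    Signature checking on the installed OS is only relaxed to "Ignore" when
    the application explicitly sets allow_unsigned_drivers=True, so an
    application that ships only signed drivers never weakens the system.
    """
    if policy is None:
        policy = "Ignore" if allow_unsigned_drivers else DEFAULT_POLICY
    if policy not in VALID_POLICIES:
        raise ValueError("unknown DriverSigningPolicy value: %r" % policy)
    if policy == "Ignore" and not allow_unsigned_drivers:
        # Refuse to silently disable enforcement: the caller must opt in.
        raise ValueError("DriverSigningPolicy=Ignore requires "
                         "allow_unsigned_drivers=True")
    lines = [
        "[Unattended]",
        "UnattendMode=FullUnattended",
        "DriverSigningPolicy=%s" % policy,
    ]
    return "\n".join(lines) + "\n"


def audit_answer_file(text):
    """Return a list of findings for an answer file that would leave driver
    signature checking disabled on the installed OS (empty list if clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    # winnt.sif keys are case-insensitive; configparser lowercases them.
    cp.read_string(text)
    findings = []
    if cp.has_section("Unattended"):
        policy = cp.get("Unattended", "DriverSigningPolicy", fallback=None)
        if policy is not None and policy.strip().strip('"').lower() == "ignore":
            findings.append("DriverSigningPolicy=Ignore: the installed OS "
                            "will not enforce driver signatures")
    return findings


# Constructed sample answer file for the audit, with the weak setting present.
SAMPLE_WEAK_SIF = """\
[Data]
AutoPartition=1
MsDosInitiated=0
UnattendedInstall=Yes

[Unattended]
UnattendMode=FullUnattended
DriverSigningPolicy=Ignore
OemPreinstall=Yes
"""


if __name__ == "__main__":
    print(render_unattended())
    print(render_unattended(allow_unsigned_drivers=True))
    for finding in audit_answer_file(SAMPLE_WEAK_SIF):
        print("finding:", finding)
```

Calling render_unattended() with no arguments yields DriverSigningPolicy=Warn, so an application that only uses signed drivers keeps enforcement on; passing allow_unsigned_drivers=True is the explicit opt-in that produces Ignore. The audit function is the check a deployment tool could run over the answer file before it is handed to the installer.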
