[Libosinfo] [PATCH 2/8] winxp, installer: Ignore unsigned drivers

Zeeshan Ali (Khattak) zeeshanak at gnome.org
Sat Feb 9 02:09:03 UTC 2013


On Fri, Feb 8, 2013 at 2:07 AM, Zeeshan Ali (Khattak)
<zeeshanak at gnome.org> wrote:
> On Thu, Feb 7, 2013 at 9:19 PM, Zeeshan Ali (Khattak)
> <zeeshanak at gnome.org> wrote:
>> On Thu, Feb 7, 2013 at 5:14 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>>> On Thu, Feb 07, 2013 at 04:49:43PM +0200, Zeeshan Ali (Khattak) wrote:
>>>> On Thu, Feb 7, 2013 at 10:56 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>>>> > On Thu, Feb 07, 2013 at 02:16:52AM +0200, Zeeshan Ali (Khattak) wrote:
>>>> >> On Wed, Feb 6, 2013 at 3:23 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
>>>> >> > On Wed, Feb 06, 2013 at 03:17:00PM +0200, Zeeshan Ali (Khattak) wrote:
>>>> >> >> Why not let apps decide that? We are giving them info on the signed
>>>> >> >> status of drivers and they can make an informed decision.
>>>> >> >
>>>> >> > This is exactly my point, applications cannot say "I'm only using signed
>>>> >> > drivers, don't disable signature checking" with the current series as far
>>>> >> > as I understand it.
>>>> >>
>>>> >> If applications are only going to use signed drivers, they don't need
>>>> >> to disable anything. So really there is no app that is going to need
>>>> >> this API but to get this very important work in, I'll live with a bit
>>>> >> of redundant API.
>>>> >
>>>> > Yes, applications using signed drivers will not need to disable anything.
>>>> > However, my understanding is that you want to use *unsigned* drivers in
>>>> > your application, in that case you need to disable signature verification.
>>>> > You are designing the whole thing with the nominal case being unsigned
>>>> > drivers, which makes sense for your use case.
>>>>
>>>> Not at all. I'm providing application with information that drivers
>>>> are signed or not.
>>>
>>> Yes
>>>
>>>> Based on that they can make a decision. If they
>>>> decide to use unsigned drivers, there is absolutely no reason any app
>>>> would want to disable some checks as well.
>>>
>>> I think applications should be able to control whether the OS they
>>> install will have
>>> DriverSigningPolicy=Ignore
>>> set or not. And this should default to not be 'Ignore'. So if you want to be
>>> able to install unsigned drivers, you need to be able to disable signature
>>> checking (i.e. tell the install script to add this line).
>>>
>>>
>>>> Unless you could specify a
>>>> (not hypothetical) usecase or example of an app that would want such a
>>>> thing, I don't think there is any need for what you are asking for.
>>>
>>> Once again, this is a security feature. You keep pretending it's not,
>>> waving it away, but this doesn't change the fact that this improves the
>>> system security, and you are going to disable this without letting any
>>> control to the library user on this.
>>>
>>>> Especially since I told you the problems with making this configurable
>>>> in the last mail.
>>>
>>> 'this is complicated' is not necessarily a good reason for not doing
>>> something. But let's first focus on what we do about this signature
>>> checking stuff, I haven't really looked at the mail where you describe the
>>> problems you have yet.
>>>
>>>> Moreover, even as a security measure, it's doubtful that MS thought of an
>>>> application being involved in the process. The common use case
>>>> involves only the user and MS' software (mainly the installer). It's a
>>>> very usual thing to not trust users to know exactly what they are
>>>> doing. They can get malicious drivers from anywhere and try to install
>>>> them. In the case of libosinfo, there is going to be an app involved,
>>>> making the decision for the user.
>>>
>>> But once the system is installed, the user will be in control of the OS,
>>> and signature checking will still be disabled!
>>
>> Now you are talking. :) This is a very good point. I didn't think of
>> the fact that driver checking could be 'permanently' disabled by this.
>> I'll check it out.
>
> So I checked it out and your fears are very justified: setting this
> means setting it permanently. I looked around for enabling the
> signature check after installation but the only working solution I
> found was this:
>
> http://www.remkoweijnen.nl/blog/2010/11/11/programmatically-changing-the-driver-signing-options/
>
> But it seems the binary is non-free so we can't just ship that. :( I
> really don't want to permanently disable driver signature checks, not
> even in Boxes. So I'd rather we don't do this altogether. If any
> apps need this in future, we can add it (probably as a configuration
> param) later.

Would someone kill me if I change my mind on this yet again. :) I just
saw the huge difference in a guest with and without QXL drivers and I
really would hate to see this not working out of the box, upstream. So
unless you have any objections, I'll go with your original suggestion
to make this configurable and have Boxes disable driver signature checks.

-- 
Regards,

Zeeshan Ali (Khattak)
FSF member#5124
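The decision the thread converges on (default to leaving Windows' signing policy alone, emit DriverSigningPolicy=Ignore only when the application explicitly opts in and an unsigned driver is actually being injected, and be able to audit the generated answer file for it) can be written down as a small policy helper. This is an added example, not libosinfo or Boxes code and not the patch under discussion. It assumes the answer file is a Windows XP winnt.sif with an [Unattended] section whose DriverSigningPolicy key takes Ignore, Warn or Block, that drivers are represented as plain dicts with a "signed" flag, and the driver records and the allow_unsigned parameter are constructed here for illustration.

```python
"""Choose and audit the Windows XP DriverSigningPolicy for an unattended install.

Added example (not libosinfo/Boxes code). Assumptions: answer file is winnt.sif,
the key lives in [Unattended], valid values are Ignore/Warn/Block, and the
OemPreinstall / OemPnPDriversPath keys are how extra drivers get injected.
"""

import re

VALID_POLICIES = {"Ignore", "Warn", "Block"}

# Constructed sample driver records; the 'signed' flag stands in for the
# signed-status information the library hands to the application.
SAMPLE_DRIVERS = [
    {"name": "viostor", "path": "Drivers\\viostor", "signed": True},
    {"name": "qxl", "path": "Drivers\\qxl", "signed": False},
]
SIGNED_ONLY = [d for d in SAMPLE_DRIVERS if d["signed"]]


def unsigned_driver_names(drivers):
    """Names of the drivers that would trip signature checking."""
    return [d["name"] for d in drivers if not d["signed"]]


def choose_policy(drivers, allow_unsigned):
    """Return the DriverSigningPolicy value to write, or None to leave
    Windows' own default untouched.

    Only signed drivers: never touch the policy (nothing to disable).
    Unsigned drivers but the app did not opt in: refuse loudly rather than
    silently weakening the installed OS, because the setting is permanent.
    """
    unsigned = unsigned_driver_names(drivers)
    if not unsigned:
        return None
    if not allow_unsigned:
        raise ValueError(
            "unsigned drivers requested but allow_unsigned is False: "
            + ", ".join(unsigned))
    return "Ignore"


def render_unattended(drivers, allow_unsigned):
    """Render the [Unattended] section of a winnt.sif for these drivers."""
    lines = ["[Unattended]", "UnattendMode=FullUnattended", "OemPreinstall=Yes"]
    if drivers:
        lines.append("OemPnPDriversPath=" + ";".join(d["path"] for d in drivers))
    policy = choose_policy(drivers, allow_unsigned)
    if policy is not None:
        assert policy in VALID_POLICIES
        lines.append("DriverSigningPolicy=" + policy)
    return "\n".join(lines) + "\n"


def signing_policy_of(sif_text):
    """Audit an answer file: the DriverSigningPolicy value set in
    [Unattended], or None if the file leaves the Windows default."""
    section = None
    for raw in sif_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop INI-style comments
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "unattended" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "driversigningpolicy":
                return value
    return None


if __name__ == "__main__":
    print(render_unattended(SAMPLE_DRIVERS, allow_unsigned=True))
    print("audit:", signing_policy_of(render_unattended(SIGNED_ONLY, False)))
```

The audit helper is the check a deployer wants after the fact: because the thread establishes that the policy stays disabled in the installed guest, grep the generated answer file for DriverSigningPolicy=Ignore before handing it to the installer, and treat its presence as a deliberate, logged choice rather than a default.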
