User: Password:
|
|
Subscribe / Log in / New account

Re: enable CONFIG_INTEL_TXT

From:  "Tom \"spot\" Callaway" <tcallawa-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>
To:  Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA-AT-public.gmane.org>
Subject:  Re: enable CONFIG_INTEL_TXT
Date:  Thu, 01 Apr 2010 10:22:51 -0400
Cc:  gcwilson-r/Jw6+rmf7HQT0dZR+AlfA-AT-public.gmane.org, Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>, kernel-TuqUDEhatI4ANWPb/1PvSmm0pvjS0E/A-AT-public.gmane.org
Archive-link:  Article, Thread

On 04/01/2010 10:14 AM, Stephen Smalley wrote:
> On Thu, 2010-04-01 at 10:06 -0400, Tom "spot" Callaway wrote:
>> On 04/01/2010 10:04 AM, Stephen Smalley wrote:
>>> In any event, while I'd prefer that the config option be enabled in both
>>> Fedora and RHEL, I'd take the latter if that were the only option.  But
>>> is it really likely that RHEL will enable a kernel config option if it
>>> isn't enabled first in Fedora?
>>
>> In a situation where Fedora is unlikely to provide any useful testing,
>> it has been known to happen.
> 
> Hmmm...well, there would be testing of it in Fedora if it were enabled
> there.

By whom exactly? I don't doubt that the NSA could test it, but surely,
they are both capable and qualified to build a custom kernel and equally
unlikely to push Fedora for certification (nor could they purchase
support for it from Red Hat).

Here is my core concern:

We enable this in Fedora. This sends a message to Fedora's users that
altering their bootup configuration to support SINIT (whether loaded
from BIOS or from a binary-only blob that Intel will be so happy to
provide) is _Supported_.

And then, it breaks. And we get bugs filed. Which we have absolutely 0
chance of being able to fix.

Then we get to say "what you've done is unsupported, even though we
enabled a config option in the kernel that does nothing but enable the
way you've setup your system."

Or, far more likely, no one in Fedora, outside of a few people at the
NSA testing behind closed doors, ever uses this. The enablement of this
config option in Fedora is used to justify the stability of the
technology, and subsequent enablement in RHEL. And then Red Hat is on
the hook for truly supporting something that they have no realistic
chance of being able to support, when it breaks. Then the powers-that-be
ask me why we enabled this in Fedora, and what testing we did?

*****

At its core, we're being asked to enable functionality for the sole
purpose of supporting a chunk of proprietary software, in a
configuration that requires that we explicitly trust a third party
vendor for security.

This makes me extremely uncomfortable, and also makes me wonder why the
NSA seems comfortable with such a scenario in practice.

~spot


(Log in to post comments)


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds