From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932865AbcCHQPd (ORCPT ); Tue, 8 Mar 2016 11:15:33 -0500 Received: from e28smtp05.in.ibm.com ([125.16.236.5]:46789 "EHLO e28smtp05.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932535AbcCHQP2 (ORCPT ); Tue, 8 Mar 2016 11:15:28 -0500 X-IBM-Helo: d28relay02.in.ibm.com X-IBM-MailFrom: zohar@linux.vnet.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org;keyrings@vger.kernel.org;linux-security-module@vger.kernel.org Message-ID: <1457453700.5321.159.camel@linux.vnet.ibm.com> Subject: Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2] From: Mimi Zohar To: David Howells Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Date: Tue, 08 Mar 2016 11:15:00 -0500 In-Reply-To: <2819.1457451134@warthog.procyon.org.uk> References: <1457449745.5321.141.camel@linux.vnet.ibm.com> <1457447480.5321.115.camel@linux.vnet.ibm.com> <1457402735.5321.14.camel@linux.vnet.ibm.com> <20160304150022.17121.34501.stgit@warthog.procyon.org.uk> <20160304150142.17121.56666.stgit@warthog.procyon.org.uk> <30699.1457442839@warthog.procyon.org.uk> <449.1457448192@warthog.procyon.org.uk> <2819.1457451134@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable x-cbid: 16030816-0017-0000-0000-00000A848D2B Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2016-03-08 at 15:32 +0000, David Howells wrote: > Mimi Zohar wrote: > > > > The problem boils down to a difficulty in concocting a name that describes a > > > complex situation that may change depending on the configuration. I can make > > > it "restrict_link_by_any_system_trusted" if you'd prefer. > > > > > > That's why I want "system trusted keyrings" to refer to the builtin and the > > > secondary - *and* an extra UEFI keyring if we grow one of those. It's a > > > collection of related keyrings. > > > > Sigh, this is the same discussion we've had for years. > > No, it isn't. Good! > > The UEFI keys should not be trusted to validate the certificates being added > > to the IMA keyring. > > A machine-security (e.g. UEFI) keyring will conceivably live in > certs/system_keyring.c and only be enabled if CONFIG_SYSTEM_TRUSTED_KEYRINGS=y > and, say, CONFIG_MACHINE_TRUSTED_KEYRING=y. I didn't say that IMA necessarily > has to use it. Ok. > What we need to do is define a set of functions allow IMA to get the > restrictions it wants, depending on configuration. In the code I currently > have, I think we have those: > > restrict_link_reject Option 1 > restrict_link_by_builtin_trusted Option 2 > restrict_link_by_system_trusted By renaming the system keyring to builtin, this is where it becomes unclear what is included by restrict_link_by_system_trusted - builtin and secondary, or builtin, secondary, and UEFI. > If you really want, I can add a restrict_link_for_ima in there, but I'd rather > not if IMA can use whichever of the above three most suits it. How about: > > restrict_link_reject > restrict_link_by_builtin_trusted > restrict_link_by_builtin_or_secondary_trusted Option 3 - "restrict_link_by_builtin_or_secondary_trusted" is a bit wordy, but there wouldn't be any confusion. Mimi > > Neither should the keys on the secondary keyring, unless specifically IMA > > Kconfig enabled, be used to validate the certificates being added to the IMA > > keyring. > > Yes. > > David >