From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
Ben Hutchings <ben@decadent.org.uk>,
nayna@linux.vnet.ibm.com
Subject: Re: linux-next: UEFI Secure boot lockdown patchset
Date: Tue, 01 May 2018 21:00:54 -0400 [thread overview]
Message-ID: <1525222854.5669.169.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACdnJuvSjpUS-fvURrrYOnLLPpasYgr6kJkncbfvMuOCYEL1EQ@mail.gmail.com>
On Tue, 2018-05-01 at 23:46 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 4:43 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> > > INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> > > anywhere. Odd. Anyway, distributions are unlikely to ship with
> > > CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users
> to
> > > determine which set of IMA or EVM signatures they want to trust. So if
> > > validation is against the IMA keyring rather than builtin_trusted_keys,
> > > it's going to be possible for users to extend the set of trusted keys.
> If
> > > CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> > > right thing here, but it's not clear to me how that's supposed to
> interact
> > > with IMA?
>
> > From your description, whatever keys the distros are loading onto the
> > builtin_trusted_keys keyring for verifying the kexec kernel image,
> > could just as easily be added to the IMA trusted keyring
> > (CONFIG_INTEGRITY_TRUSTED_KEYRING). I don't see the difference.
>
> If CONFIG_INTEGRITY_TRUSTED_KEYRING isn't set then you can load new (and
> unsigned) IMA keys from userspace. So if IMA is the lockdown control
> mechanism for kexec, distros must either set
> CONFIG_INTEGRITY_TRUSTED_KEYRING (which I don't think is practical) or IMA
> should test kexec against the builtin_trusted_keys keyring rather than the
> IMA keyring. Or have I misunderstood how this works?
Another option is enabling both CONFIG_INTEGRITY_TRUSTED_KEYRING and
CONFIG_SYSTEM_EXTRA_CERTIFICATE.
Mimi
prev parent reply other threads:[~2018-05-02 1:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 11:06 linux-next: UEFI Secure boot lockdown patchset David Howells
2018-03-01 11:06 ` David Howells
2018-03-01 11:08 ` Ard Biesheuvel
2018-03-01 11:08 ` Ard Biesheuvel
2018-03-01 11:24 ` David Howells
2018-03-01 11:24 ` David Howells
2018-03-01 12:15 ` Stephen Rothwell
2018-05-01 17:28 ` Matthew Garrett
2018-05-01 19:00 ` David Howells
2018-05-01 20:15 ` Mimi Zohar
2018-05-01 21:02 ` Matthew Garrett
2018-05-01 21:50 ` Mimi Zohar
2018-05-01 21:59 ` Matthew Garrett
2018-05-01 22:21 ` Mimi Zohar
2018-05-01 22:32 ` Matthew Garrett
2018-05-01 23:43 ` Mimi Zohar
2018-05-01 23:46 ` Matthew Garrett
2018-05-02 1:00 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1525222854.5669.169.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ben@decadent.org.uk \
--cc=dhowells@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=nayna@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.