From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: James Morris <jamorris@linuxonhyperv.com>
Subject: Re: IMA: Data included in the key measurement
Date: Thu, 21 Nov 2019 08:38:53 -0800 [thread overview]
Message-ID: <1574354333.3277.27.camel@HansenPartnership.com> (raw)
In-Reply-To: <19242774-688e-58ff-40f8-e346d6ba4339@linux.microsoft.com>
On Thu, 2019-11-21 at 08:17 -0800, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
>
> >>> everything needed for verifying a signature is included in
> >>> the key measurement.
>
> Regarding the requirement you had stated above, I would like some
> clarification.
>
> When I started this change to measure keys through IMA, the use case
> we had in mind was enabling an attestation service, for instance, to
> verify if the client has only known good (trusted) keys - for
> example, in keyrings such as ".builtin_trusted_keys", ".ima", etc.
>
> On the client IMA verifies the signature of system binaries using
> keys in the IMA keyring. And, if the config namely
> CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is
> enabled, only keys signed by a built-in trusted key can be added to
> the IMA keyring.
>
> An attestation service can keep a list of public keys of "known good
> (trusted)" keys for various keyrings, and verify against the
> measurement data provided by the client.
>
> To achieve the above we decided to include only the public key in
> the key measurement buffer.
>
> I would like to know what benefit we'd get by including "everything
> needed for verifying a signature in the key measurement"? X.509
> itself doesn't buy this isomorphism property, which is why the
> subject key id
>
> From testing point of view, if we have the certificate (like the
> .DER file), we can validate the key measurement data in the IMA log.
>
> Do you see a need to include more data or the entire cert for the
> product code?
You're making the assumption that the public key and the certificate
are isomorphic. That's only true if you trust the issuer (which you
obviously do, since it's you [microsoft]) but nothing in X.509 prevents
the issuer from issuing multiple certificates with the same public key
and different properties. Even in your use case, I would think
attesting to whether the certificate had expired or not would be
useful.
James
next prev parent reply other threads:[~2019-11-21 16:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-21 16:17 IMA: Data included in the key measurement Lakshmi Ramasubramanian
2019-11-21 16:38 ` James Bottomley [this message]
2019-11-22 1:15 ` Lakshmi Ramasubramanian
2019-11-22 16:17 ` James Bottomley
2019-11-22 17:39 ` Lakshmi Ramasubramanian
2019-11-22 19:32 ` James Bottomley
2019-11-25 17:33 ` Lakshmi Ramasubramanian
2019-11-25 18:14 ` Mimi Zohar
2019-11-25 18:19 ` Lakshmi Ramasubramanian
2019-11-22 17:38 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1574354333.3277.27.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=jamorris@linuxonhyperv.com \
--cc=linux-integrity@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.