From: Mimi Zohar <zohar@linux.ibm.com>
To: Matthias Gerstner <mgerstner@suse.de>, linux-integrity@vger.kernel.org
Subject: Re: Ramifications of INTEGRITY_PLATFORM_KEYRING
Date: Tue, 10 Dec 2019 21:56:32 -0500 [thread overview]
Message-ID: <1576032992.4579.122.camel@linux.ibm.com> (raw)
In-Reply-To: <20191204135715.GB11974@f195.suse.de>
Hi Matthias,
On Wed, 2019-12-04 at 14:57 +0100, Matthias Gerstner wrote:
> I was able to still get things to work by building my own custom kernel
> with the custom CA being built into the kernel, which is a lot more
> effort, however, and a scenario we can't easily support for our
> customers.
>
> I can understand the reasoning of that new option, that trusting
> arbitrary platform certificates shipped with the hardware might not be a
> good idea. I wonder, however, whether moving these certificates from
> .secondary_trusted_keys to .platform doesn't also affect other
> components than just IMA?
>
> I would be interested in your view on this and any advice.
The pre-boot keys were probably also being used to verify 3rd party
kernel modules. If the kernel was built with
CONFIG_SYSTEM_EXTRA_CERTIFICATE, the customer could insert their key
post build.[1] This would obviously require the kernel to be
re-signed.
I agree there needs to be a simpler way of including a customer key,
without requiring them to re-sign the kernel. Do you have some
thoughts?
Mimi
[1] c4c361059585 ("KEYS: Reserve an extra certificate symbol for
inserting without recompiling")
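A small check an administrator can run to see where a custom CA actually landed after the move discussed above, added here as an example and not part of the thread or the kernel tree. It parses the output of `keyctl show %:.platform` and `keyctl show %:.secondary_trusted_keys`; the sample output, key IDs and CA names below are constructed, and the "IMA only" verdict follows this thread's point that keys in .platform are no longer consulted for module signatures.

```python
import re
from typing import Dict, List

# Constructed sample of `keyctl show` output for the two keyrings
# (not captured from a real system; key IDs and names are made up).
SAMPLE_KEYCTL = {
    ".platform": """Keyring
 533148893 ---lswrv      0     0  keyring: .platform
 247623941 ---lswrv      0     0   \\_ asymmetric: Example Vendor UEFI CA 2011: 0123456789abcdef0123456789abcdef01234567
 318214722 ---lswrv      0     0   \\_ asymmetric: Example Customer Root CA: fedcba9876543210fedcba9876543210fedcba98
""",
    ".secondary_trusted_keys": """Keyring
 872156384 ---lswrv      0     0  keyring: .secondary_trusted_keys
""",
}

# Asymmetric keys are listed as "asymmetric: <description>: <40-hex key id>".
ASYM_RE = re.compile(r"asymmetric:\s+(?P<desc>.+?):\s+(?P<id>[0-9a-f]{40})\s*$")


def parse_keyctl_show(text: str) -> List[str]:
    """Return the descriptions of the asymmetric keys in one keyring listing."""
    return [m.group("desc") for line in text.splitlines()
            if (m := ASYM_RE.search(line))]


def locate_ca(keyrings: Dict[str, str], subject_fragment: str) -> Dict[str, bool]:
    """For each keyring, report whether a key whose description contains
    subject_fragment is present."""
    return {name: any(subject_fragment in d for d in parse_keyctl_show(out))
            for name, out in keyrings.items()}


def assess(keyrings: Dict[str, str], subject_fragment: str) -> str:
    """Translate the keyring membership into what the CA can verify.
    .secondary_trusted_keys feeds module signature checks; .platform is
    the pre-boot keyring that, per this thread, IMA consults but module
    loading does not."""
    found = locate_ca(keyrings, subject_fragment)
    if found.get(".secondary_trusted_keys"):
        return "trusted for module signatures and IMA"
    if found.get(".platform"):
        return "trusted by IMA only; module signatures with this CA will fail"
    return "not trusted by the kernel"


if __name__ == "__main__":
    for name in ("Example Customer Root CA", "Unknown CA"):
        print(f"{name}: {assess(SAMPLE_KEYCTL, name)}")
```

On a live system replace SAMPLE_KEYCTL with the real `keyctl show %:<keyring>` output captured via subprocess.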