From: Petko Manolov <petkan@mip-labs.com>
To: David Howells <dhowells@redhat.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, mdb@juniper.net
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Date: Sun, 10 Jan 2016 22:33:39 +0200 [thread overview]
Message-ID: <20160110203339.GE10864@localhost> (raw)
In-Reply-To: <2033.1452447990@warthog.procyon.org.uk>
On 16-01-10 17:46:30, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > > Is this a NAK on the patch?
> >
> > Yes
>
> I would like to counter Mimi's NAK:
>
> (1) Commit 41c89b64d7184a780f12f2cccdabe65cb2408893 doesn't do what it
> says. Given the change I want to revert, this bit of the description:
>
>
> To successfully import a key into .ima_mok it must be signed by a
> key which CA is in .system keyring.
>
> is *not* true. A key in the .ima_mok keyring will *also* allow a key
This is correct, but is also the desired result. Assume that you have multi
tenant machine where the manufacturer signs the owner's/tenant's key and those
also need to sign other sub-tenant keys. One can't put them on the system
keyring so they end up in .ima_mok.
> into the .ima_mok keyring. Thus the .ima_mok keyring is redundant and
> should be merged into the .system keyring.
I share Mimi's opinion that .system keyring must be static and ultimately
trusted. Since .ima_mok is a dynamic keyring, merging them will break the
semantics.
> (2) You can use KEYCTL_LINK to link trusted keys between trusted keyrings
> if the key being linked grants permission. Add a new key to one open
> keyring and you can then link it across to another.
>
> Keyrings need to guard against *link* as per my recently posted
> patches.
I'd rather rely on a certificate being properly signed in order to land in a
particular keyring, rather than being linked based on permissions model.
> (3) In the current model, the trusted-only keyring and trusted-key concept
> ought really to apply only to the .system keyring as the concept of
> 'trust' is boolean in this implementation.
The .system keyring should be read-only, IOW static. Only keys present at build
time should go there. Everything else goes to the machine owner keyring (MOK)
or whatever the name. MOK should be read-write and (maybe) hold only second
level CAs, signed by CA in the system keyring.
I introduced .ima_mok just because my work had limited scope at the time and i
consider the name as misleading.
The way i see kernel's keyrings:
/---> .ima
/----> MOK ---<
.system ---< \---> .evm
\----> BL \---> .whatever need to be "trusted"
The graph could be a lot more complex, but to wrap your head around the idea
think of big ass machine with years of uptime and multiple simultaneous users,
all pre-installed files IMA signed, ability to add other IMA signed packages on
the fly. The machine must be FIPS certifiable, etc. A terabit switching
machine should be able to do that and there are real users for this scenario out
there.
The black-list keyring is equally important so one can revoke CAs if need be.
On the fly.
Petko
next prev parent reply other threads:[~2016-01-10 20:33 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 13:45 [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring David Howells
2016-01-07 0:04 ` James Morris
2016-01-07 0:34 ` David Howells
2016-01-07 2:13 ` Mimi Zohar
2016-01-07 3:28 ` Mimi Zohar
2016-01-07 15:31 ` Mimi Zohar
2016-01-10 10:36 ` James Morris
2016-01-10 13:26 ` Mimi Zohar
2016-01-10 17:46 ` David Howells
2016-01-10 20:33 ` David Howells
2016-01-10 23:55 ` Mimi Zohar
2016-01-12 0:44 ` David Howells
2016-01-12 1:28 ` Mark D. Baushke
2016-01-12 2:03 ` David Howells
2016-01-12 2:25 ` Mark D. Baushke
2016-01-12 3:35 ` Mimi Zohar
2016-01-12 10:08 ` David Howells
2016-01-12 13:21 ` Mimi Zohar
2016-01-12 13:55 ` David Howells
2016-01-12 15:17 ` Mimi Zohar
2016-01-12 15:56 ` David Howells
2016-01-12 16:02 ` Mimi Zohar
2016-01-12 14:11 ` Petko Manolov
2016-01-10 20:33 ` Petko Manolov [this message]
2016-01-12 1:38 ` David Howells
2016-01-12 16:14 ` Petko Manolov
2016-01-12 17:08 ` David Howells
2016-01-13 16:31 ` Petko Manolov
2016-01-13 17:51 ` Mimi Zohar
2016-01-13 18:01 ` Petko Manolov
2016-01-13 18:19 ` David Howells
2016-01-13 18:35 ` Petko Manolov
2016-01-13 18:56 ` Mimi Zohar
2016-01-13 19:19 ` Petko Manolov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160110203339.GE10864@localhost \
--to=petkan@mip-labs.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdb@juniper.net \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.