From: Mike Snitzer <snitzer@redhat.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Deven Bowers" <deven.desai@linux.microsoft.com>,
linux-kernel@vger.kernel.org,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Mickaël Salaün" <mic@linux.microsoft.com>,
"Milan Broz" <gmazyland@gmail.com>,
dm-devel@redhat.com, linux-integrity@vger.kernel.org,
"Andrew Morton" <akpm@linux-foundation.org>,
"Alasdair Kergon" <agk@redhat.com>,
"Jaskaran Khurana" <jaskarankhurana@linux.microsoft.com>
Subject: Re: [dm-devel] [PATCH v2] dm verity: Add support for signature verification with 2nd keyring
Date: Fri, 23 Oct 2020 11:11:52 -0400 [thread overview]
Message-ID: <20201023151152.GA21936@redhat.com> (raw)
In-Reply-To: <54e98aa6-0e52-1147-b9ce-a640e2317b00@digikod.net>
On Fri, Oct 23 2020 at 6:20am -0400,
Mickaël Salaün <mic@digikod.net> wrote:
> It seems that there is no more question. Mike, Alasdair, could you
> please consider to merge this into the tree?
>
> On 16/10/2020 14:19, Mickaël Salaün wrote:
> >
> > On 16/10/2020 13:08, Milan Broz wrote:
> >> On 16/10/2020 10:49, Mickaël Salaün wrote:
> >>> On 16/10/2020 10:29, Mickaël Salaün wrote:
> >>>>
> >>>> On 15/10/2020 18:52, Mike Snitzer wrote:
> >>>>> Can you please explain why you've decided to make this a Kconfig CONFIG
> >>>>> knob? Why not either add: a dm-verity table argument? A dm-verity
> >>>>> kernel module parameter? or both (to allow a particular default but
> >>>>> then
> >>>>> per-device override)?
> >>>>
> >>>> The purpose of signed dm-verity images is to authenticate files, or said
> >>>> in another way, to enable the kernel to trust disk images in a flexible
> >>>> way (i.e. thanks to certificate's chain of trust). Being able to update
> >>>> such chain at run time requires to use the second trusted keyring. This
> >>>> keyring automatically includes the certificate authorities from the
> >>>> builtin trusted keyring, which are required to dynamically populate the
> >>>> secondary trusted keyring with certificates signed by an already trusted
> >>>> authority. The roots of trust must then be included at build time in the
> >>>> builtin trusted keyring.
> >>>>
> >>>> To be meaningful, using dm-verity signatures implies to have a
> >>>> restricted user space, i.e. even the root user has limited power over
> >>>> the kernel and the rest of the system. Blindly trusting data provided by
> >>>> user space (e.g. dm-verity table argument, kernel module parameter)
> >>>> defeat the purpose of (mandatory) authenticated images.
> >>>>
> >>>>>
> >>>>> Otherwise, _all_ DM verity devices will be configured to use secondary
> >>>>> keyring fallback. Is that really desirable?
> >>>>
> >>>> That is already the current state (on purpose).
> >>>
> >>> I meant that when DM_VERITY_VERIFY_ROOTHASH_SIG is set, dm-verity
> >>> signature becomes mandatory. This new configuration
> >>> DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING extend this trust to the
> >>> secondary trusted keyring, which contains certificates signed (directly
> >>> or indirectly) by CA from the builtin trusted keyring.
> >>>
> >>> So yes, this new (optional) configuration *extends* the source of trust
> >>> for all dm-verity devices, and yes, it is desirable. I think it should
> >>> have been this way from the beginning (as for other authentication
> >>> mechanisms) but it wasn't necessary at that time.
> >>
> >> Well, I understand why you need a config option here.
> >> And using the secondary keyring actually makes much more sense to me than
> >> the original approach.
> >>
> >> But please do not forget that dm-verity is sometimes used in different
> >> contexts where such strict in-kernel certificate trust is unnecessary.
> >> With your configure options set, you deliberately remove the possibility
> >> to configure such devices.
> > It doesn't make sense to set DM_VERITY_VERIFY_ROOTHASH_SIG in generic
> > distro because such policy is configured at build time in the kernel
> > with hardcoded CAs. If the new option is not set then nothing change. I
> > don't see why it could be an issue for use cases we previously defined
> > (with DM_VERITY_VERIFY_ROOTHASH_SIG).
> >
> >> I understand that it is needed for "trusted" systems, but we should be
> >> clear
> >> in the documentation.
> >> Maybe also add note to
> >> /Documentation/admin-guide/device-mapper/verity.rst ?
> >> We already mention DM_VERITY_VERIFY_ROOTHASH_SIG there.
> >
> > The current documentation remains true.
> > DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING depends on
> > DM_VERITY_VERIFY_ROOTHASH_SIG.
Yes, while true that doesn't change the fact that documenting
DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is useful to potential
consumers of baseline DM_VERITY_VERIFY_ROOTHASH_SIG.
Please update Documentation and post v3, I'll get it merged for 5.11.
Thanks,
Mike
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
WARNING: multiple messages have this Message-ID (diff)
From: Mike Snitzer <snitzer@redhat.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Alasdair Kergon" <agk@redhat.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Deven Bowers" <deven.desai@linux.microsoft.com>,
"Jaskaran Khurana" <jaskarankhurana@linux.microsoft.com>,
dm-devel@redhat.com, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Jarkko Sakkinen" <jarkko.sakkinen@linux.intel.com>,
"Mickaël Salaün" <mic@linux.microsoft.com>,
"Milan Broz" <gmazyland@gmail.com>
Subject: Re: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring
Date: Fri, 23 Oct 2020 11:11:52 -0400 [thread overview]
Message-ID: <20201023151152.GA21936@redhat.com> (raw)
In-Reply-To: <54e98aa6-0e52-1147-b9ce-a640e2317b00@digikod.net>
On Fri, Oct 23 2020 at 6:20am -0400,
Mickaël Salaün <mic@digikod.net> wrote:
> It seems that there is no more question. Mike, Alasdair, could you
> please consider to merge this into the tree?
>
> On 16/10/2020 14:19, Mickaël Salaün wrote:
> >
> > On 16/10/2020 13:08, Milan Broz wrote:
> >> On 16/10/2020 10:49, Mickaël Salaün wrote:
> >>> On 16/10/2020 10:29, Mickaël Salaün wrote:
> >>>>
> >>>> On 15/10/2020 18:52, Mike Snitzer wrote:
> >>>>> Can you please explain why you've decided to make this a Kconfig CONFIG
> >>>>> knob? Why not either add: a dm-verity table argument? A dm-verity
> >>>>> kernel module parameter? or both (to allow a particular default but
> >>>>> then
> >>>>> per-device override)?
> >>>>
> >>>> The purpose of signed dm-verity images is to authenticate files, or said
> >>>> in another way, to enable the kernel to trust disk images in a flexible
> >>>> way (i.e. thanks to certificate's chain of trust). Being able to update
> >>>> such chain at run time requires to use the second trusted keyring. This
> >>>> keyring automatically includes the certificate authorities from the
> >>>> builtin trusted keyring, which are required to dynamically populate the
> >>>> secondary trusted keyring with certificates signed by an already trusted
> >>>> authority. The roots of trust must then be included at build time in the
> >>>> builtin trusted keyring.
> >>>>
> >>>> To be meaningful, using dm-verity signatures implies to have a
> >>>> restricted user space, i.e. even the root user has limited power over
> >>>> the kernel and the rest of the system. Blindly trusting data provided by
> >>>> user space (e.g. dm-verity table argument, kernel module parameter)
> >>>> defeat the purpose of (mandatory) authenticated images.
> >>>>
> >>>>>
> >>>>> Otherwise, _all_ DM verity devices will be configured to use secondary
> >>>>> keyring fallback. Is that really desirable?
> >>>>
> >>>> That is already the current state (on purpose).
> >>>
> >>> I meant that when DM_VERITY_VERIFY_ROOTHASH_SIG is set, dm-verity
> >>> signature becomes mandatory. This new configuration
> >>> DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING extend this trust to the
> >>> secondary trusted keyring, which contains certificates signed (directly
> >>> or indirectly) by CA from the builtin trusted keyring.
> >>>
> >>> So yes, this new (optional) configuration *extends* the source of trust
> >>> for all dm-verity devices, and yes, it is desirable. I think it should
> >>> have been this way from the beginning (as for other authentication
> >>> mechanisms) but it wasn't necessary at that time.
> >>
> >> Well, I understand why you need a config option here.
> >> And using the secondary keyring actually makes much more sense to me than
> >> the original approach.
> >>
> >> But please do not forget that dm-verity is sometimes used in different
> >> contexts where such strict in-kernel certificate trust is unnecessary.
> >> With your configure options set, you deliberately remove the possibility
> >> to configure such devices.
> > It doesn't make sense to set DM_VERITY_VERIFY_ROOTHASH_SIG in generic
> > distro because such policy is configured at build time in the kernel
> > with hardcoded CAs. If the new option is not set then nothing change. I
> > don't see why it could be an issue for use cases we previously defined
> > (with DM_VERITY_VERIFY_ROOTHASH_SIG).
> >
> >> I understand that it is needed for "trusted" systems, but we should be
> >> clear
> >> in the documentation.
> >> Maybe also add note to
> >> /Documentation/admin-guide/device-mapper/verity.rst ?
> >> We already mention DM_VERITY_VERIFY_ROOTHASH_SIG there.
> >
> > The current documentation remains true.
> > DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING depends on
> > DM_VERITY_VERIFY_ROOTHASH_SIG.
Yes, while true that doesn't change the fact that documenting
DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is useful to potential
consumers of baseline DM_VERITY_VERIFY_ROOTHASH_SIG.
Please update Documentation and post v3, I'll get it merged for 5.11.
Thanks,
Mike
next prev parent reply other threads:[~2020-10-23 15:12 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-15 15:05 [dm-devel] [PATCH v2] dm verity: Add support for signature verification with 2nd keyring Mickaël Salaün
2020-10-15 15:05 ` Mickaël Salaün
2020-10-15 16:52 ` [dm-devel] " Mike Snitzer
2020-10-15 16:52 ` Mike Snitzer
2020-10-16 8:29 ` [dm-devel] " Mickaël Salaün
2020-10-16 8:29 ` Mickaël Salaün
2020-10-16 8:49 ` [dm-devel] " Mickaël Salaün
2020-10-16 8:49 ` Mickaël Salaün
2020-10-16 11:08 ` [dm-devel] " Milan Broz
2020-10-16 11:08 ` Milan Broz
2020-10-16 12:19 ` [dm-devel] " Mickaël Salaün
2020-10-16 12:19 ` Mickaël Salaün
2020-10-23 10:20 ` [dm-devel] " Mickaël Salaün
2020-10-23 10:20 ` Mickaël Salaün
2020-10-23 15:11 ` Mike Snitzer [this message]
2020-10-23 15:11 ` Mike Snitzer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201023151152.GA21936@redhat.com \
--to=snitzer@redhat.com \
--cc=agk@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mic@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.