From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
David Howells <dhowells@redhat.com>,
dwmw2@infradead.org, herbert@gondor.apana.org.au,
davem@davemloft.net, jmorris@namei.org, serge@hallyn.com,
nayna@linux.ibm.com, Mimi Zohar <zohar@linux.ibm.com>,
erichte@linux.ibm.com, mpe@ellerman.id.au,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@hansenpartnership.com
Subject: Re: [PATCH v4] certs: Add EFI_CERT_X509_GUID support for dbx entries
Date: Thu, 21 Jan 2021 02:36:43 +0200 [thread overview]
Message-ID: <YAjMm9Gq/FFOzQYG@kernel.org> (raw)
In-Reply-To: <D9F5E0BD-E2FC-428F-91B3-35D2750493A0@oracle.com>
On Wed, Jan 20, 2021 at 03:13:11PM -0700, Eric Snowberg wrote:
>
> > On Jan 20, 2021, at 4:26 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> >
> > On Fri, Jan 15, 2021 at 09:49:02AM -0700, Eric Snowberg wrote:
> >>
> >>> On Jan 15, 2021, at 2:15 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> >>>
> >>> On Wed, Jan 13, 2021 at 05:11:10PM -0700, Eric Snowberg wrote:
> >>>>
> >>>>> On Jan 13, 2021, at 1:41 PM, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> wrote:
> >>>>>
> >>>>> On Tue, Jan 12, 2021 at 02:57:39PM +0000, David Howells wrote:
> >>>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
> >>>>>>
> >>>>>>>> On Dec 10, 2020, at 2:49 AM, David Howells <dhowells@redhat.com> wrote:
> >>>>>>>>
> >>>>>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
> >>>>>>>>
> >>>>>>>>> Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
> >>>>>>>>> is found, it is added as an asymmetrical key to the .blacklist keyring.
> >>>>>>>>> Anytime the .platform keyring is used, the keys in the .blacklist keyring
> >>>>>>>>> are referenced, if a matching key is found, the key will be rejected.
> >>>>>>>>
> >>>>>>>> Ummm... Why this way and not as a blacklist key which takes up less space?
> >>>>>>>> I'm guessing that you're using the key chain matching logic. We really only
> >>>>>>>> need to blacklist the key IDs.
> >>>>>>>
> >>>>>>> I implemented it this way so that certs in the dbx would only impact
> >>>>>>> the .platform keyring. I was under the impression we didn’t want to have
> >>>>>>> Secure Boot UEFI db/dbx certs dictate keyring functionality within the kernel
> >>>>>>> itself. Meaning if we have a matching dbx cert in any other keyring (builtin,
> >>>>>>> secondary, ima, etc.), it would be allowed. If that is not how you’d like to
> >>>>>>> see it done, let me know and I’ll make the change.
> >>>>>>
> >>>>>> I wonder if that is that the right thing to do. I guess this is a policy
> >>>>>> decision and may depend on the particular user.
> >>>>>
> >>>>> Why would you want to allow dbx entry in any keyring?
> >>>>
> >>>> Today, DB and MOK certs go into the platform keyring. These certs are only
> >>>> referenced during kexec. They can’t be used for other things like validating
> >>>> kernel module signatures. If we follow the same pattern, the DBX and MOKX entries
> >>>> in the blacklist keyring should only impact kexec.
> >>>>
> >>>> Currently, Mickaël Salaün has another outstanding series to allow root to update
> >>>> the blacklist keyring. I assume the use case for this is around certificates used
> >>>> within the kernel, for example revoking kernel module signatures. The question I have
> >>>> is, should another keyring be introduced? One that carries DBX and MOKX, which just
> >>>> correspond to certs/hashes in the platform keyring; this keyring would only be
> >>>> referenced for kexec, just like the platform keyring is today. Then, the current
> >>>> blacklist keyring would be used for everything internal to the kernel.
> >>>
> >>> Right, I'm following actively that series.
> >>>
> >>> Why couldn't user space drive this process and use that feature to do it?
> >>
> >> I could see where the user would want to use both. With Mickaël Salaün’s
> >> series, the blacklist keyring is updated immediately. However it does
> >> not survive a reboot. With my patch, the blacklist keyring is updated
> >> during boot, based on what is in the dbx. Neither approach needs a new
> >> kernel build.
> >
> > I don't want to purposely challenge this, but why does it matter
> > that it doesn't survive the boot? I'm referring here to the golden
> > principle of kernel defining a mechanism, not policy. User space
> > can do the population however it wants to for every boot.
> >
> > E.g. systemd service could do this.
> >
> > What am I missing here?
>
> This change simply adds support for a missing type. The kernel
> already supports cert and hash entries (EFI_CERT_X509_SHA256_GUID,
> EFI_CERT_SHA256_GUID) that originate from the dbx and are loaded
> into the blacklist keyring during boot. I’m not sure why a cert
> defined with EFI_CERT_X509_GUID should be handled in a different
> manner.
>
> I suppose a user space tool could be created. But wouldn’t what is
> currently done in the kernel in this area need to be removed?
Right. I don't think this was a great idea in the first place to
do to the kernel but since it exists, I guess the patch does make
sense.
/Jarkko
next prev parent reply other threads:[~2021-01-21 0:54 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-16 0:49 [PATCH v4] certs: Add EFI_CERT_X509_GUID support for dbx entries Eric Snowberg
2020-09-16 0:49 ` Eric Snowberg
2020-09-16 18:09 ` Jarkko Sakkinen
2020-09-16 18:09 ` Jarkko Sakkinen
2020-12-10 9:49 ` David Howells
2020-12-10 18:56 ` Eric Snowberg
2021-01-12 14:57 ` David Howells
2021-01-13 20:41 ` Jarkko Sakkinen
2021-01-14 0:11 ` Eric Snowberg
2021-01-15 9:15 ` Jarkko Sakkinen
2021-01-15 16:49 ` Eric Snowberg
2021-01-20 11:26 ` Jarkko Sakkinen
2021-01-20 22:13 ` Eric Snowberg
2021-01-21 0:36 ` Jarkko Sakkinen [this message]
2021-01-27 11:46 ` David Howells
2021-01-27 14:03 ` Mimi Zohar
2021-01-27 15:41 ` Eric Snowberg
2021-01-28 4:13 ` Nayna
2021-01-30 10:24 ` Jarkko Sakkinen
2021-01-29 23:27 ` Jarkko Sakkinen
2021-01-12 17:10 ` David Howells
2021-01-12 19:13 ` Eric Snowberg
2021-01-15 17:21 ` James Bottomley
2021-01-15 23:01 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YAjMm9Gq/FFOzQYG@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=erichte@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.