From: David Howells <dhowells@redhat.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: dhowells@redhat.com,
Roberto Sassu <roberto.sassu@huaweicloud.com>,
dwmw2@infradead.org, davem@davemloft.net,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, zohar@linux.ibm.com,
linux-integrity@vger.kernel.org, torvalds@linux-foundation.org,
roberto.sassu@huawei.com
Subject: Re: [PATCH v3 00/14] KEYS: Add support for PGP keys and signatures
Date: Fri, 13 Sep 2024 10:32:30 +0100 [thread overview]
Message-ID: <1266435.1726219950@warthog.procyon.org.uk> (raw)
In-Reply-To: <ZuPDZL_EIoS60L1a@gondor.apana.org.au>
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> Personally I don't think the argument above holds water. With
> IPsec we had a similar issue of authenticating untrusted peers
> using public key cryptography. In that case we successfully
> delegated the task to user-space and it is still how it works
> to this day.
It transpires that we do actually need at least a PGP parser in the kernel -
and it needs to be used prior to loading any modules: some Lenovo Thinkpads,
at least, may have EFI variables holding a list of keys in PGP form, not X.509
form.
For example, in dmesg, you might see:
May 16 04:01:01 localhost kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
May 16 04:01:01 localhost kernel: integrity: Problem loading X.509 certificate -126
On my laptop, if I dump this variable:
efivar -e /tmp/q --name=605dab50-e046-4300-abb6-3dd810dd8b23-MokListRT
And then looking at the data exported:
file /tmp/q
I see:
/tmp/q: PGP Secret Sub-key -
The kernel doesn't currently have a PGP parser. I've checked and the value
doesn't parse as ASN.1:
openssl asn1parse -in /tmp/q -inform DER
0:d=0 hl=2 l= 21 prim: cont [ 23 ]
Error in encoding
001EBA93B67F0000:error:0680007B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:105:
which would suggest that it isn't X.509.
David
next prev parent reply other threads:[~2024-09-13 9:32 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 12:28 [PATCH v3 00/14] KEYS: Add support for PGP keys and signatures Roberto Sassu
2024-09-11 12:28 ` [PATCH v3 01/14] mpi: Introduce mpi_key_length() Roberto Sassu
2024-09-12 13:26 ` Jarkko Sakkinen
2024-09-11 12:28 ` [PATCH v3 02/14] rsa: add parser of raw format Roberto Sassu
2024-09-12 13:33 ` Jarkko Sakkinen
2024-09-11 12:29 ` [PATCH v3 03/14] PGPLIB: PGP definitions (RFC 9580) Roberto Sassu
2024-09-12 13:54 ` Jarkko Sakkinen
2024-09-11 12:29 ` [PATCH v3 04/14] PGPLIB: Basic packet parser Roberto Sassu
2024-09-12 13:57 ` Jarkko Sakkinen
2024-09-11 12:29 ` [PATCH v3 05/14] PGPLIB: Signature parser Roberto Sassu
2024-09-12 13:58 ` Jarkko Sakkinen
2024-09-11 12:29 ` [PATCH v3 06/14] KEYS: PGP data parser Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 07/14] KEYS: Provide PGP key description autogeneration Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 08/14] KEYS: PGP-based public key signature verification Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 09/14] KEYS: Retry asym key search with partial ID in restrict_link_by_signature() Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 10/14] KEYS: Calculate key digest and get signature of the key Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 11/14] verification: introduce verify_pgp_signature() Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 12/14] PGP: Provide a key type for testing PGP signatures Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 13/14] KEYS: Provide a function to load keys from a PGP keyring blob Roberto Sassu
2024-09-11 12:29 ` [PATCH v3 14/14] KEYS: Introduce load_pgp_public_keyring() Roberto Sassu
2024-09-13 4:45 ` [PATCH v3 00/14] KEYS: Add support for PGP keys and signatures Herbert Xu
2024-09-13 8:30 ` Roberto Sassu
2024-09-13 9:00 ` Herbert Xu
2024-09-15 7:11 ` Linus Torvalds
2024-09-15 8:07 ` Herbert Xu
2024-09-15 8:40 ` Linus Torvalds
2024-09-15 9:15 ` Herbert Xu
2024-09-15 9:31 ` Herbert Xu
2024-09-15 17:52 ` Roberto Sassu
2024-09-17 11:27 ` Dr. Greg
2024-09-26 9:41 ` Roberto Sassu
2024-09-27 1:25 ` Dr. Greg
2024-10-04 10:42 ` Roberto Sassu
2024-09-15 10:51 ` Roberto Sassu
2024-09-13 9:32 ` David Howells [this message]
2024-09-13 10:46 ` Ard Biesheuvel
2024-09-14 11:29 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1266435.1726219950@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=davem@davemloft.net \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).