From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
Ben Hutchings <ben@decadent.org.uk>,
nayna@linux.vnet.ibm.com
Subject: Re: linux-next: UEFI Secure boot lockdown patchset
Date: Tue, 01 May 2018 19:43:40 -0400 [thread overview]
Message-ID: <1525218220.5669.164.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACdnJuu11tPS+hpsri4tkgrWn-EEgLWgXT-Bb1m=s4Dx3478JQ@mail.gmail.com>
On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 3:21 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote:
> > > Oh, is kexec verified off the _module keyring? We still end up with the
> > > problem that distributions don't have a mechanism to ship IMA signatures
> > > yet, but that avoids the user modification problem. I've just posted a
> > > patchset to debian-dpkg, we'll see how that goes.
>
> > I'm not aware of a _module keyring. With IMA-appraisal, the signature
> > verification of the kernel image (kexec_file_load) uses the trusted
> > IMA keyring. Nayna Jain posted a patch that defines a new platform
> > keyring[1], which would only be used to validate the kernel image and
> > initramfs signatures.
>
> INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> anywhere. Odd. Anyway, distributions are unlikely to ship with
> CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users to
> determine which set of IMA or EVM signatures they want to trust. So if
> validation is against the IMA keyring rather than builtin_trusted_keys,
> it's going to be possible for users to extend the set of trusted keys. If
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> right thing here, but it's not clear to me how that's supposed to interact
> with IMA?
>From your description, whatever keys the distros are loading onto the
builtin_trusted_keys keyring for verifying the kexec kernel image,
could just as easily be added to the IMA trusted keyring
(CONFIG_INTEGRITY_TRUSTED_KEYRING). I don't see the difference.
Loading other keys requires reserving memory for a local CA public
key.
Mimi
next prev parent reply other threads:[~2018-05-01 23:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <26787.1519902415@warthog.procyon.org.uk>
2018-05-01 17:28 ` linux-next: UEFI Secure boot lockdown patchset Matthew Garrett
2018-05-01 19:00 ` David Howells
2018-05-01 20:15 ` Mimi Zohar
2018-05-01 21:02 ` Matthew Garrett
2018-05-01 21:50 ` Mimi Zohar
2018-05-01 21:59 ` Matthew Garrett
2018-05-01 22:21 ` Mimi Zohar
2018-05-01 22:32 ` Matthew Garrett
2018-05-01 23:43 ` Mimi Zohar [this message]
2018-05-01 23:46 ` Matthew Garrett
2018-05-02 1:00 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1525218220.5669.164.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ben@decadent.org.uk \
--cc=dhowells@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=nayna@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox