From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matthew Garrett <mjg59@google.com>
Cc: David Howells <dhowells@redhat.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
Ben Hutchings <ben@decadent.org.uk>,
nayna@linux.vnet.ibm.com
Subject: Re: linux-next: UEFI Secure boot lockdown patchset
Date: Tue, 01 May 2018 21:00:54 -0400 [thread overview]
Message-ID: <1525222854.5669.169.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACdnJuvSjpUS-fvURrrYOnLLPpasYgr6kJkncbfvMuOCYEL1EQ@mail.gmail.com>
On Tue, 2018-05-01 at 23:46 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 4:43 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > On Tue, 2018-05-01 at 22:32 +0000, Matthew Garrett wrote:
> > > INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used
> > > anywhere. Odd. Anyway, distributions are unlikely to ship with
> > > CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users
> to
> > > determine which set of IMA or EVM signatures they want to trust. So if
> > > validation is against the IMA keyring rather than builtin_trusted_keys,
> > > it's going to be possible for users to extend the set of trusted keys.
> If
> > > CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the
> > > right thing here, but it's not clear to me how that's supposed to
> interact
> > > with IMA?
>
> > From your description, whatever keys the distros are loading onto the
> > builtin_trusted_keys keyring for verifying the kexec kernel image,
> > could just as easily be added to the IMA trusted keyring
> > (CONFIG_INTEGRITY_TRUSTED_KEYRING). I don't see the difference.
>
> If CONFIG_INTEGRITY_TRUSTED_KEYRING isn't set then you can load new (and
> unsigned) IMA keys from userspace. So if IMA is the lockdown control
> mechanism for kexec, distros must either set
> CONFIG_INTEGRITY_TRUSTED_KEYRING (which I don't think is practical) or IMA
> should test kexec against the builtin_trusted_keys keyring rather than the
> IMA keyring. Or have I misunderstood how this works?
Another option is enabling both CONFIG_INTEGRITY_TRUSTED_KEYRING and
CONFIG_SYSTEM_EXTRA_CERTIFICATE.
Mimi
prev parent reply other threads:[~2018-05-02 1:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <26787.1519902415@warthog.procyon.org.uk>
2018-05-01 17:28 ` linux-next: UEFI Secure boot lockdown patchset Matthew Garrett
2018-05-01 19:00 ` David Howells
2018-05-01 20:15 ` Mimi Zohar
2018-05-01 21:02 ` Matthew Garrett
2018-05-01 21:50 ` Mimi Zohar
2018-05-01 21:59 ` Matthew Garrett
2018-05-01 22:21 ` Mimi Zohar
2018-05-01 22:32 ` Matthew Garrett
2018-05-01 23:43 ` Mimi Zohar
2018-05-01 23:46 ` Matthew Garrett
2018-05-02 1:00 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1525222854.5669.169.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ben@decadent.org.uk \
--cc=dhowells@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=nayna@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox