[PATCH 0/2] ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 0/2] ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY cleanup
@ 2023-11-02 17:06 Eric Snowberg
  2023-11-02 17:06 ` [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
  2023-11-02 17:06 ` [PATCH 2/2] ima: Remove EXPERIMENTAL from IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
  0 siblings, 2 replies; 5+ messages in thread
From: Eric Snowberg @ 2023-11-02 17:06 UTC (permalink / raw)
  To: zohar
  Cc: dmitry.kasatkin, jarkko, paul, jmorris, serge, eric.snowberg,
	linux-integrity, linux-security-module, linux-kernel

Clean up the information in the
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig.

Eric Snowberg (2):
  ima: Add machine keyring reference to
    IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  ima: Remove EXPERIMENTAL from
    IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

 security/integrity/ima/Kconfig | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)


base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.39.3


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  2023-11-02 17:06 [PATCH 0/2] ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY cleanup Eric Snowberg
@ 2023-11-02 17:06 ` Eric Snowberg
  2023-11-06 19:33   ` Mimi Zohar
  2023-11-02 17:06 ` [PATCH 2/2] ima: Remove EXPERIMENTAL from IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
  1 sibling, 1 reply; 5+ messages in thread
From: Eric Snowberg @ 2023-11-02 17:06 UTC (permalink / raw)
  To: zohar
  Cc: dmitry.kasatkin, jarkko, paul, jmorris, serge, eric.snowberg,
	linux-integrity, linux-security-module, linux-kernel

When the machine keyring is enabled, it may be used as a trust source
for the .ima keyring.  Add a reference to this in
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/ima/Kconfig | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index a6bd817efc1a..c5dc0fabbc8b 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
 	   to accept such signatures.
 
 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
+	bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)"
 	depends on SYSTEM_TRUSTED_KEYRING
 	depends on SECONDARY_TRUSTED_KEYRING
 	depends on INTEGRITY_ASYMMETRIC_KEYS
@@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	default n
 	help
 	  Keys may be added to the IMA or IMA blacklist keyrings, if the
-	  key is validly signed by a CA cert in the system built-in or
-	  secondary trusted keyrings. The key must also have the
-	  digitalSignature usage set.
+	  key is validly signed by a CA cert in the system built-in,
+	  machine (if configured), or secondary trusted keyrings. The
+	  key must also have the digitalSignature usage set.
 
 	  Intermediate keys between those the kernel has compiled in and the
 	  IMA keys to be added may be added to the system secondary keyring,
 	  provided they are validly signed by a key already resident in the
-	  built-in or secondary trusted keyrings.
+	  built-in, machine (if configured) or secondary trusted keyrings.
 
 config IMA_BLACKLIST_KEYRING
 	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
-- 
2.39.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  2023-11-02 17:06 ` [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
@ 2023-11-06 19:33   ` Mimi Zohar
  2023-11-06 21:33     ` Eric Snowberg
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2023-11-06 19:33 UTC (permalink / raw)
  To: Eric Snowberg
  Cc: dmitry.kasatkin, jarkko, paul, jmorris, serge, linux-integrity,
	linux-security-module, linux-kernel

Hi Eric,

The subject line is referred to as the 'summary' phrase.  As far as I'm
aware the length is still between 70-75 charcaters.  Refer to 
https://www.kernel.org/doc/Documentation/process/submitting-patches.rst
.

On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote:
> When the machine keyring is enabled, it may be used as a trust source
> for the .ima keyring.  Add a reference to this in
> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  security/integrity/ima/Kconfig | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index a6bd817efc1a..c5dc0fabbc8b 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
>  	   to accept such signatures.
>  
>  config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> -	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
> +	bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)"

Please add 'machine' in between built-in and secondary, like described
below.

>  	depends on SYSTEM_TRUSTED_KEYRING
>  	depends on SECONDARY_TRUSTED_KEYRING
>  	depends on INTEGRITY_ASYMMETRIC_KEYS
> @@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
>  	default n
>  	help
>  	  Keys may be added to the IMA or IMA blacklist keyrings, if the
> -	  key is validly signed by a CA cert in the system built-in or
> -	  secondary trusted keyrings. The key must also have the
> -	  digitalSignature usage set.
> +	  key is validly signed by a CA cert in the system built-in,
> +	  machine (if configured), or secondary trusted keyrings. The
> +	  key must also have the digitalSignature usage set.
>  
>  	  Intermediate keys between those the kernel has compiled in and the
>  	  IMA keys to be added may be added to the system secondary keyring,
>  	  provided they are validly signed by a key already resident in the
> -	  built-in or secondary trusted keyrings.
> +	  built-in, machine (if configured) or secondary trusted keyrings.
>  
>  config IMA_BLACKLIST_KEYRING
>  	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"

-- 
thanks,

Mimi



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  2023-11-06 19:33   ` Mimi Zohar
@ 2023-11-06 21:33     ` Eric Snowberg
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Snowberg @ 2023-11-06 21:33 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: dmitry.kasatkin@gmail.com, Jarkko Sakkinen, Paul Moore,
	jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org



> On Nov 6, 2023, at 12:33 PM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> 
> Hi Eric,
> 
> The subject line is referred to as the 'summary' phrase.  As far as I'm
> aware the length is still between 70-75 charcaters.  Refer to 
> https://www.kernel.org/doc/Documentation/process/submitting-patches.rst
> .
> 
> On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote:
>> When the machine keyring is enabled, it may be used as a trust source
>> for the .ima keyring.  Add a reference to this in
>> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
>> 
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>> ---
>> security/integrity/ima/Kconfig | 10 +++++-----
>> 1 file changed, 5 insertions(+), 5 deletions(-)
>> 
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index a6bd817efc1a..c5dc0fabbc8b 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
>>    to accept such signatures.
>> 
>> config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
>> - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
>> + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)"
> 
> Please add 'machine' in between built-in and secondary, like described
> below.

I'll make both changes and send out a new version, thanks.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 2/2] ima: Remove EXPERIMENTAL from IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  2023-11-02 17:06 [PATCH 0/2] ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY cleanup Eric Snowberg
  2023-11-02 17:06 ` [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
@ 2023-11-02 17:06 ` Eric Snowberg
  1 sibling, 0 replies; 5+ messages in thread
From: Eric Snowberg @ 2023-11-02 17:06 UTC (permalink / raw)
  To: zohar
  Cc: dmitry.kasatkin, jarkko, paul, jmorris, serge, eric.snowberg,
	linux-integrity, linux-security-module, linux-kernel

Remove the EXPERIMENTAL from the
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig
now that digitalSignature usage enforcement is set.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
link: https://lore.kernel.org/all/20230508220708.2888510-4-eric.snowberg@oracle.com/
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index c5dc0fabbc8b..2b99c734d5ac 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
 	   to accept such signatures.
 
 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-	bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)"
+	bool "Permit keys validly signed by a built-in, secondary or machine CA cert"
 	depends on SYSTEM_TRUSTED_KEYRING
 	depends on SECONDARY_TRUSTED_KEYRING
 	depends on INTEGRITY_ASYMMETRIC_KEYS
-- 
2.39.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-11-06 21:33 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-02 17:06 [PATCH 0/2] ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY cleanup Eric Snowberg
2023-11-02 17:06 ` [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg
2023-11-06 19:33   ` Mimi Zohar
2023-11-06 21:33     ` Eric Snowberg
2023-11-02 17:06 ` [PATCH 2/2] ima: Remove EXPERIMENTAL from IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Eric Snowberg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).