From: Mimi Zohar <zohar@linux.ibm.com>
To: "Jarkko Sakkinen" <jarkko@kernel.org>,
"Michal Suchánek" <msuchanek@suse.de>,
Nayna <nayna@linux.vnet.ibm.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Nayna Jain <nayna@linux.ibm.com>,
James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, joeyli <jlee@suse.com>,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
Date: Tue, 12 Sep 2023 15:22:20 -0400 [thread overview]
Message-ID: <afba92bc2961c758d34ab340de207beb0a3b84b0.camel@linux.ibm.com> (raw)
In-Reply-To: <CVGUFUEQVCHS.37OA20PNG9EVB@suppilovahvero>
On Tue, 2023-09-12 at 12:49 +0300, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 10:41 AM EEST, Michal Suchánek wrote:
> > On Mon, Sep 11, 2023 at 11:39:38PM -0400, Nayna wrote:
> > >
> > > On 9/7/23 13:32, Michal Suchánek wrote:
> > > > Adding more CC's from the original patch, looks like get_maintainers is
> > > > not that great for this file.
> > > >
> > > > On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
> > > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > > >
> > > > > This is policy that should be decided by the administrator, not Kconfig
> > > > > dependencies.
> > >
> > > We certainly agree that flexibility is important. However, in this case,
> > > this also implies that we are expecting system admins to be security
> > > experts. As per our understanding, CA based infrastructure(PKI) is the
> > > standard to be followed and not the policy decision. And we can only speak
> > > for Power.
> > >
> > > INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf
> > > certs.
> >
> > And that's the problem.
> >
> > From a distribution point of view there are two types of leaf certs:
> >
> > - leaf certs signed by the distribution CA which need not be imported
> > because the distribution CA cert is enrolled one way or another
> > - user generated ad-hoc certificates that are not signed in any way,
> > and enrolled by the user
> >
> > The latter are vouched for by the user by enrolling the certificate, and
> > confirming that they really want to trust this certificate. Enrolling
> > user certificates is vital for usability or secure boot. Adding extra
> > step of creating a CA certificate stored on the same system only
> > complicates things with no added benefit.
>
> This all comes down to the generic fact that kernel should not
> proactively define what it *expects* sysadmins.
>
> CA based infrastructure like anything is a policy decision not
> a decision to be enforced by kernel.
Secure boot requires a signature chain of trust. IMA extends the
secure and trusted boot concepts to the kernel. Missing from that
signature chain of trust is the ability of allowing the end
machine/system owner to load other certificates without recompiling the
kernel. The introduction of the machine keyring was to address this.
I'm not questioning the end user's intent on loading local or third
party keys via the normal mechanisms. If the existing mechanism(s) for
loading local or third party keys were full-proof, then loading a
single certificate, self-signed or not, would be fine. However, that
isn't the reality. The security of the two-stage approach is simply
not equivalent to loading a single certificate. Documentation could
help the end user/system owner to safely create (and manage) separate
certificate signing and code signing certs.
Unlike UEFI based systems, PowerVM defines two variables trustedcadb
and moduledb, for storing certificate signing and code signing
certificates respectively. First the certs on the trustedcadb are
loaded and then the ones on moduledb are loaded.
--
thanks,
Mimi
next prev parent reply other threads:[~2023-09-12 19:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230907165224.32256-1-msuchanek@suse.de>
2023-09-07 17:32 ` [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING Michal Suchánek
2023-09-12 3:39 ` Nayna
2023-09-12 7:41 ` Michal Suchánek
2023-09-12 9:49 ` Jarkko Sakkinen
2023-09-12 19:22 ` Mimi Zohar [this message]
2023-09-12 19:32 ` Jarkko Sakkinen
2023-09-12 19:56 ` Mimi Zohar
2023-09-12 17:03 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afba92bc2961c758d34ab340de207beb0a3b84b0.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=msuchanek@suse.de \
--cc=nayna@linux.ibm.com \
--cc=nayna@linux.vnet.ibm.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).