From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: dmitry.kasatkin@intel.com, linux-kernel@vger.kernel.org,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH 2/3] KEYS: Separate the kernel signature checking keyring from module signing
Date: Thu, 17 Jan 2013 13:57:29 -0500
Message-ID: <1358449049.2689.87.camel@falcor1>
In-Reply-To: <20130117180400.27885.2973.stgit@warthog.procyon.org.uk>
On Thu, 2013-01-17 at 18:04 +0000, David Howells wrote:
> Separate the kernel signature checking keyring from module signing so that it
> can be used by code other than the module-signing code.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
Sounds good, but comment below...
> ---
>
> init/Kconfig | 13 +++++
> kernel/Makefile | 17 ++++---
> kernel/modsign_certificate.S | 18 -------
> kernel/modsign_pubkey.c | 104 ------------------------------------------
> kernel/module-internal.h | 2 -
> kernel/module_signing.c | 3 +
> kernel/system_certificates.S | 18 +++++++
> kernel/system_keyring.c | 101 +++++++++++++++++++++++++++++++++++++++++
> 8 files changed, 145 insertions(+), 131 deletions(-)
> delete mode 100644 kernel/modsign_certificate.S
> delete mode 100644 kernel/modsign_pubkey.c
> create mode 100644 kernel/system_certificates.S
> create mode 100644 kernel/system_keyring.c
>
>
> diff --git a/init/Kconfig b/init/Kconfig
> index 7d30240..a5363d2 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1568,6 +1568,18 @@ config BASE_SMALL
> default 0 if BASE_FULL
> default 1 if !BASE_FULL
>
> +config SYSTEM_TRUSTED_KEYRING
> + bool "Provide system-wide ring of trusted keys"
> + select KEYS
> + help
> + Provide a system keyring to which trusted keys can be added. Keys in
> + the keyring are considered to be trusted. Keys may be added at will
> + by the kernel from compiled-in data and from hardware key stores, but
> + userspace may only add extra keys if those keys can be verified by
> + keys already in the keyring.
> +
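Review bot: The help text for SYSTEM_TRUSTED_KEYRING says keys in the keyring "are considered to be trusted" without saying trusted for which checks, while its last sentence lets userspace extend the ring with any key that verifies against one already present. The commit message states the keyring is meant to be used by code other than module signing, so each such user would inherit the userspace-added keys. The help text should name the signature checks that consult this keyring and state that a userspace-added key is accepted for all of them, so that someone enabling the option can see the scope of trust being granted.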
Let's assume accepting built-in keys is acceptable for all use
cases. Adding additional keys from userspace is probably not acceptable
for all use cases. Those keys should be added to specific 'trusted'
keyrings.
EVM and IMA-appraisal have separate keyrings for this reason. I might
be interested in allowing third party packages to be installed and
executed, but that doesn't imply that a security.evm extended attribute,
signed by a third party application, is acceptable.
thanks,
Mimi