From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: "Mark D. Baushke" <mdb@juniper.net>,
James Morris <jmorris@namei.org>,
Marcel Holtmann <marcel@holtmann.org>,
petkan@mip-labs.com, linux-security-module@vger.kernel.org,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Date: Tue, 12 Jan 2016 10:17:08 -0500 [thread overview]
Message-ID: <1452611828.4776.181.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <14160.1452606924@warthog.procyon.org.uk>
On Tue, 2016-01-12 at 13:55 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > > (1) public_key_restrict_link() restricts to asymmetric keys that are
> > > signed by a CA in the specified keyring. It returns -ENOKEY if no
> > > matching key is found rather than -EKEYREJECTED, however, so you can
> > > call it several times for different keyrings. -EKEYREJECTED is only
> > > returned if a signature check fails. This is used by the following
> > > two functions.
> >
> > Ok, so it is restricted it to CAs. Combining it with an option to limit
> > it to the builtin CA keys based on the builtin flag would be nice.
>
> Is there a point to the builtin flag if .system_keyring is closed? Currently
> all keys that go into .system_keyring are marked BUILTIN.
It becomes a problem if the existing system keyring semantics of not
being writable change or if non builtin keys are added to the system
keyring.
Discussion continued below.
> But, yes, the restriction can include only using built in CAs.
> > > (1) .system_keyring uses restrict_link_by_system_trusted() - though it
> > > lacks any sort of write permission, so it's currently moot. It could
> > > just as well be replaced with a function that just returns -EPERM.
> >
> > Why not retain the current semantics of the system keyring of not being
> > writable and create a new keyring for new feature(s)?
>
> I think that the problem we have is that it can be argued either way. You
> would rather create a new keyring to hold additional keys, whereas I would
> prefer to use the keyring we already have.
>
> Do you have a technical reason why we can't just open the system keyring?
> It's not precisely a new feature, but rather an extension to an existing one
> that's been under consideration for a while.
There are two main concerns:
- Different keys are trusted for different things (eg. firmware,
modules, regular files) and at different levels of the OS. I guess this
could be addressed, as you've previously suggested, by identifiers.
- The other issue is transitive trust (eg. A trusts B. B trusts C.
Permit anything signed by C). In some use case scenarios this is
desired, in others it is not. We would need the option to limit trust
to just the builtin keys to support both use cases.
Even with the identifier support and ability to limit transitive trust,
I doubt it is as safe as limiting the system keyring to just the builtin
keys. Refer to Petko's post.
> > The name "restrict_link_by_ima_mok()" doesn't reflect that it is either
> > the system keyring or the IMA MOK keyring.
>
> How about restrict_link_by_ima_trusted()?
Good. restrict_link_by_ima_trusted would only check the IMA MOK keyring
if it was configured.
Mimi
next prev parent reply other threads:[~2016-01-12 15:18 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 13:45 [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring David Howells
2016-01-07 0:04 ` James Morris
2016-01-07 0:34 ` David Howells
2016-01-07 2:13 ` Mimi Zohar
2016-01-07 3:28 ` Mimi Zohar
2016-01-07 15:31 ` Mimi Zohar
2016-01-10 10:36 ` James Morris
2016-01-10 13:26 ` Mimi Zohar
2016-01-10 17:46 ` David Howells
2016-01-10 20:33 ` David Howells
2016-01-10 23:55 ` Mimi Zohar
2016-01-12 0:44 ` David Howells
2016-01-12 1:28 ` Mark D. Baushke
2016-01-12 2:03 ` David Howells
2016-01-12 2:25 ` Mark D. Baushke
2016-01-12 3:35 ` Mimi Zohar
2016-01-12 10:08 ` David Howells
2016-01-12 13:21 ` Mimi Zohar
2016-01-12 13:55 ` David Howells
2016-01-12 15:17 ` Mimi Zohar [this message]
2016-01-12 15:56 ` David Howells
2016-01-12 16:02 ` Mimi Zohar
2016-01-12 14:11 ` Petko Manolov
2016-01-10 20:33 ` Petko Manolov
2016-01-12 1:38 ` David Howells
2016-01-12 16:14 ` Petko Manolov
2016-01-12 17:08 ` David Howells
2016-01-13 16:31 ` Petko Manolov
2016-01-13 17:51 ` Mimi Zohar
2016-01-13 18:01 ` Petko Manolov
2016-01-13 18:19 ` David Howells
2016-01-13 18:35 ` Petko Manolov
2016-01-13 18:56 ` Mimi Zohar
2016-01-13 19:19 ` Petko Manolov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452611828.4776.181.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=mdb@juniper.net \
--cc=petkan@mip-labs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox