From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
petkan@mip-labs.com, linux-kernel@vger.kernel.org
Subject: Re: How to add additional blacklist entries?
Date: Mon, 08 Feb 2016 11:32:28 -0500 [thread overview]
Message-ID: <1454949148.2648.215.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <14858.1454946832@warthog.procyon.org.uk>
On Mon, 2016-02-08 at 15:53 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > Right, this patch makes the system blacklist keyring writable by
> > userspace and removes the IMA blacklist. What I don't understand is how
> > to add a key that is currently on the IMA keyring to the system
> > blacklist?
>
> You can do this from userspace with "keyctl link". Admittedly, this attaches
> the entire key to the blacklist keyring, not just the ID. But that's
> basically what you're doing at the moment, right.
Does this imply that the key already has to be loaded onto a keyring in
order to link it to the blacklist? Currently the key doesn't need to
be on the IMA keyring in order for it to be black listed. The cert can
be verified, that it is signed by a key on the system trusted (or
ima_mok) keyring(s), before directly being added to the IMA blacklist
keyring.
> To simply list the SKID of the key you want to blacklist, another patch will
> be required, but the question is as to what the interface should look like.
>
> Let's start at the beginning. First of all, let me ask the following:
>
> (1) How is the key-to-be-blacklisted specified? A copy of the X.509 cert to
> be blocked? A signed list of SKIDs to be blocked? A CRL?
Similar to the TBScertificate hash list, there should be support for a
SKIDs list, either in the same file or separately.
> (2) How is the blacklist addition to be verified?
As I recall without going back and looking at the patches, you've
defined a new key type for just the TBScertficate hash without a
payload. Is it possible to do the equivalent for SKIDs? In both cases,
these new key type(s) would need to be signed by a key on the system
keyring (now called the builtin keyring) for it to be added to the
blacklist.
Mimi
next prev parent reply other threads:[~2016-02-08 16:33 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-19 11:30 [RFC PATCH 00/20] KEYS: Restrict additions to 'trusted' keyrings [ver #2] David Howells
2016-01-19 11:30 ` [RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key " David Howells
2016-01-20 18:58 ` Mimi Zohar
2016-02-03 15:30 ` David Howells
2016-01-19 11:30 ` [RFC PATCH 02/20] KEYS: Add a system blacklist keyring " David Howells
2016-01-20 19:31 ` Mimi Zohar
2016-01-20 20:26 ` Mimi Zohar
2016-02-03 15:27 ` David Howells
2016-02-08 13:34 ` Mimi Zohar
2016-02-08 13:55 ` David Howells
2016-02-08 15:03 ` Mimi Zohar
2016-02-08 15:53 ` How to add additional blacklist entries? David Howells
2016-02-08 16:32 ` Mimi Zohar [this message]
2016-02-08 16:43 ` David Howells
2016-02-08 19:28 ` Mimi Zohar
2016-02-09 10:42 ` David Howells
2016-02-10 14:07 ` Mimi Zohar
2016-02-08 14:55 ` [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2] David Howells
2016-02-08 16:39 ` Mimi Zohar
2016-02-19 11:48 ` David Howells
2016-02-03 15:29 ` David Howells
2016-01-19 11:30 ` [RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted " David Howells
2016-01-20 20:33 ` Mimi Zohar
2016-02-03 15:46 ` David Howells
2016-02-05 16:16 ` Mimi Zohar
2016-01-19 11:30 ` [RFC PATCH 04/20] X.509: Don't treat self-signed keys specially " David Howells
2016-01-20 20:40 ` Mimi Zohar
2016-01-19 11:31 ` [RFC PATCH 05/20] KEYS: Generalise system_verify_data() to provide access to internal content " David Howells
2016-01-19 11:31 ` [RFC PATCH 06/20] PKCS#7: Make trust determination dependent on contents of trust keyring " David Howells
2016-01-19 11:31 ` [RFC PATCH 07/20] KEYS: Add a facility to restrict new links into a " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-02-29 15:49 ` David Howells
2016-01-19 11:31 ` [RFC PATCH 08/20] KEYS: Allow authentication data to be stored in an asymmetric key " David Howells
2016-01-19 11:31 ` [RFC PATCH 09/20] KEYS: Add identifier pointers to public_key_signature struct " David Howells
2016-01-19 11:31 ` [RFC PATCH 10/20] X.509: Retain the key verification data " David Howells
2016-01-19 11:31 ` [RFC PATCH 11/20] X.509: Extract signature digest and make self-signed cert checks earlier " David Howells
2016-01-19 11:31 ` [RFC PATCH 12/20] PKCS#7: Make the signature a pointer rather than embedding it " David Howells
2016-02-08 12:00 ` Mimi Zohar
2016-02-19 11:56 ` David Howells
2016-01-19 11:32 ` [RFC PATCH 13/20] X.509: Move the trust validation code out to its own file " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 14/20] KEYS: Generalise x509_request_asymmetric_key() " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 15/20] KEYS: Move the point of trust determination to __key_link() " David Howells
2016-01-19 11:32 ` [RFC PATCH 16/20] KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED " David Howells
2016-01-19 11:32 ` [RFC PATCH 17/20] PKCS#7: Handle blacklisted certificates " David Howells
2016-01-19 11:32 ` [RFC PATCH 18/20] IMA: Use the system blacklist keyring " David Howells
2016-02-10 19:12 ` Mimi Zohar
2016-02-19 11:58 ` David Howells
2016-02-19 12:16 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 19/20] certs: Add a secondary system keyring that can be added to dynamically " David Howells
2016-01-19 11:32 ` [RFC PATCH 20/20] IMA: Replace the .ima_mok keyring with the secondary system keyring " David Howells
2016-01-20 17:24 ` [RFC PATCH 00/20] KEYS: Restrict additions to 'trusted' keyrings " Petko Manolov
2016-01-20 18:57 ` Mimi Zohar
2016-02-03 15:47 ` David Howells
2016-02-03 15:56 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454949148.2648.215.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=petkan@mip-labs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).