From: Vivek Goyal <vgoyal@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Josh Boyer <jwboyer@gmail.com>,
"Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC 2/2] initramfs with digital signature protection
Date: Thu, 11 Apr 2013 10:52:25 -0400 [thread overview]
Message-ID: <20130411145225.GC21260@redhat.com> (raw)
In-Reply-To: <1365627922.2452.32.camel@falcor1.watson.ibm.com>
On Wed, Apr 10, 2013 at 05:05:22PM -0400, Mimi Zohar wrote:
> On Wed, 2013-04-10 at 15:42 -0400, Vivek Goyal wrote:
> > On Tue, Apr 09, 2013 at 11:07:10PM -0400, Mimi Zohar wrote:
> >
> > [..]
> > > The module keyring is a special case. Loading these keys from the
> > > kernel and, presumably, locking the keyring is probably fine. In the
> > > case of IMA, however, files will be signed by any number of package
> > > owners. If the _ima keyring is locked by the kernel, how would you add
> > > these other keys?
> >
> > Who are package owners here. IOW, in typical IMA setup, where are the keys
> > and when are these keys loaded in ima keyring?
>
> Suppose I install third party packages not signed by the distro, but by
> the package owner (eg. google, rpmfusion, ...). Not only does the
> package signature need to be verified on installation, but the files
> need to be installed with signatures. For IMA to enforce file
> integrity, the package owner's public key needs to be added to the _ima
> keyring.
Ok, got it.
>
> > If we trust root and keys can be loaded any time later, then signed
> > initramfs will not solve the problem either.
>
> Locking the keyring in the kernel will limit the set of permitted keys
> to only those specified in UEFI db or builtin. Locking the keyring in
> the "early" initramfs, will allow the system owner, whose key is in the
> UEFI db, to specify additional keys, such as those for third party
> packages. Not all public keys belong in the UEFI db.
Ok, so third party public key you don't want to add in UEFI db. Instead
platform owner (whose key is in UEFI db) will regenerate initrafs and
sign it.
So above use case is primarily for user space files and verifying its
integrity and IMA keyring is used for that. secureboot does not require
IMA keyring to be locked as none of that code runs at ring0.
This locking requirement of IMA keyring is coming in only because we are
trying to also verify the integrity of a process who will load code which
runs at ring0.
So how do you like the idea of using another keyring (say system keyring)
for this purpose and what keyring to use integrity of a file can be
encoded in file signature.
This is something similar to INTEGRITY_KEYRING_MODULE keyring for modules.
(Though I don't see this code fully hooked up yet).
Or, given the fact that module signature and here /sbin/kexec verification
will make use of similar keys, we can create a system keyring, make module
code make use of that keyring. And IMA code can make use of that keyring
too if a file's digital signature indicates so.
Thanks
Vivek
next prev parent reply other threads:[~2013-04-11 14:53 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-05 12:34 [RFC 0/2] initramfs with digital signature protection Dmitry Kasatkin
2013-02-05 12:34 ` [RFC 1/2] export unpack_to_rootfs Dmitry Kasatkin
2013-02-05 16:48 ` Peter Jones
2013-02-05 17:16 ` Kasatkin, Dmitry
2013-02-08 8:30 ` Kasatkin, Dmitry
2013-02-05 12:34 ` [RFC 2/2] initramfs with digital signature protection Dmitry Kasatkin
2013-02-05 18:03 ` Peter Jones
2013-02-05 20:08 ` Mimi Zohar
2013-02-05 22:03 ` Kasatkin, Dmitry
2013-02-05 18:19 ` Matthew Garrett
2013-02-05 18:30 ` Matthew Garrett
2013-02-05 18:34 ` Vivek Goyal
2013-02-05 21:55 ` Kasatkin, Dmitry
2013-04-05 13:50 ` Vivek Goyal
2013-04-08 19:43 ` Mimi Zohar
2013-04-08 20:09 ` Vivek Goyal
2013-04-08 20:17 ` Josh Boyer
2013-04-09 14:38 ` Vivek Goyal
2013-04-10 3:07 ` Mimi Zohar
2013-04-10 19:42 ` Vivek Goyal
2013-04-10 21:05 ` Mimi Zohar
2013-04-11 8:08 ` Dmitry Kasatkin
2013-04-11 14:52 ` Vivek Goyal [this message]
2013-04-12 11:54 ` Mimi Zohar
[not found] ` <CACE9dm-GZpjco8u6jNxLQpYA8LYSeoVjsyyRXVwxXHzjO-LvGw@mail.gmail.com>
2013-04-11 14:55 ` Vivek Goyal
2013-04-11 18:42 ` Dmitry Kasatkin
2013-04-11 21:13 ` Vivek Goyal
2013-04-12 12:03 ` Mimi Zohar
2013-02-05 20:36 ` Peter Jones
2013-02-05 22:09 ` Kasatkin, Dmitry
2013-02-06 5:04 ` H. Peter Anvin
2013-02-06 8:01 ` Kasatkin, Dmitry
2013-02-06 16:41 ` H. Peter Anvin
2013-02-08 9:16 ` Kasatkin, Dmitry
2013-02-08 15:49 ` H. Peter Anvin
2013-02-08 16:24 ` Kasatkin, Dmitry
2013-02-08 16:50 ` H. Peter Anvin
2013-02-07 17:05 ` Vivek Goyal
2013-02-08 8:34 ` Kasatkin, Dmitry
2013-02-08 13:27 ` Kasatkin, Dmitry
2013-02-11 21:59 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130411145225.GC21260@redhat.com \
--to=vgoyal@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jwboyer@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox