From: Petko Manolov <petkan@mip-labs.com>
To: David Howells <dhowells@redhat.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
"Mark D. Baushke" <mdb@juniper.net>,
James Morris <jmorris@namei.org>,
Marcel Holtmann <marcel@holtmann.org>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Date: Tue, 12 Jan 2016 16:11:50 +0200 [thread overview]
Message-ID: <20160112141150.GA4806@bender.nucleusys.com> (raw)
In-Reply-To: <31422.1452593319@warthog.procyon.org.uk>
Guys, i'd like to take a step back, make a short keyring overview (the way i see
it) and see if we're all on the same page. Implementation details matters, but
only if we've agreed on the architecture first. This is how i see the _trusted_
keyrings hierarchy in the kernel. I don't claim i am right... :)
(1) I really think the system keyring should remain static. The only time you
can really trust your kernel is at it's build time. Later on, when it is
running, it may fail you in a great many and spectacular ways, thanks to the
bugs we all introduce.
Unless the kernel is terribly broken the system keyring should not contain
anything else but the built-in certificates. This will serve as foothold of
sanity in an extremely dynamic and sometimes quite messy world. Most production
grade kernels are built in a clean room environment with restricted physical
access. You can't get as good level of security once they are released in the
wild.
(2) IMA MOK and blacklist keyrings - right now they are implemented as an aid to
the IMA subsystem, but really should be system-wide keyrings. Assuming the
.system is read-only the only way you can dynamically add _trusted_ certificates
to your kernel is via some sort of read-write keyring that is _dependent_ on
the .system.
MOK (or, again, whatever the name) should be the second level of _trusted_
keyrings. .ima and .evm are the obvious users, but there may be others in the
future and represents the leafs of the trusted keyring graph.
(3) the blacklist keyring - it is at the same hierarchy level as the system
keyring, but for obvious reasons, can't be read-only. Since it should be the
first keyring we check we can't allow stuff to go there randomly. One thing i
can think of is the standard CA signature verification. Only keys that are
properly signed should go there. This check should not be enough to guarantee
entry in .blacklist otherwise it will be very easy to DoS IMA-appraisal enabled
system. Additional criteria should be introduced when moving keys to this
keyring.
I would like to once again state that .ima_mok and .ima_blacklist should really
be system wide keyrings. It so happened that i worked with Mimi Zohar and Mark
Baushke and my focus was the IMA/EVM subsystem. I (maybe naively) thought IMA
would serve as a test ground for the concept and once it mature it may move up.
It now seems that we need to agree on an architecture that will serve all newly
introduced use-cases.
Petko
next prev parent reply other threads:[~2016-01-12 14:13 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 13:45 [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring David Howells
2016-01-07 0:04 ` James Morris
2016-01-07 0:34 ` David Howells
2016-01-07 2:13 ` Mimi Zohar
2016-01-07 3:28 ` Mimi Zohar
2016-01-07 15:31 ` Mimi Zohar
2016-01-10 10:36 ` James Morris
2016-01-10 13:26 ` Mimi Zohar
2016-01-10 17:46 ` David Howells
2016-01-10 20:33 ` David Howells
2016-01-10 23:55 ` Mimi Zohar
2016-01-12 0:44 ` David Howells
2016-01-12 1:28 ` Mark D. Baushke
2016-01-12 2:03 ` David Howells
2016-01-12 2:25 ` Mark D. Baushke
2016-01-12 3:35 ` Mimi Zohar
2016-01-12 10:08 ` David Howells
2016-01-12 13:21 ` Mimi Zohar
2016-01-12 13:55 ` David Howells
2016-01-12 15:17 ` Mimi Zohar
2016-01-12 15:56 ` David Howells
2016-01-12 16:02 ` Mimi Zohar
2016-01-12 14:11 ` Petko Manolov [this message]
2016-01-10 20:33 ` Petko Manolov
2016-01-12 1:38 ` David Howells
2016-01-12 16:14 ` Petko Manolov
2016-01-12 17:08 ` David Howells
2016-01-13 16:31 ` Petko Manolov
2016-01-13 17:51 ` Mimi Zohar
2016-01-13 18:01 ` Petko Manolov
2016-01-13 18:19 ` David Howells
2016-01-13 18:35 ` Petko Manolov
2016-01-13 18:56 ` Mimi Zohar
2016-01-13 19:19 ` Petko Manolov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160112141150.GA4806@bender.nucleusys.com \
--to=petkan@mip-labs.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=mdb@juniper.net \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox