From: Petko Manolov <petkan@mip-labs.com>
To: David Howells <dhowells@redhat.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, mdb@juniper.net
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Date: Wed, 13 Jan 2016 18:31:48 +0200 [thread overview]
Message-ID: <20160113163148.GA32533@bender.nucleusys.com> (raw)
In-Reply-To: <30974.1452618524@warthog.procyon.org.uk>
On 16-01-12 17:08:44, David Howells wrote:
> Petko Manolov <petkan@mip-labs.com> wrote:
>
> > There is no need for .ima_mok if here is .mok, which should be system wide
> > keyring. I'm trying to say that once we have .mok (you're more than welcome
> > to suggest better name) we'll get rid of .ima_mok.
>
> If we really must have separate keyrings - and I still don't see that it's
> necessary - then maybe:
>
> .builtin_trusted_keys (RO)
> .secondarily_trusted_keys (RW).
Yep, that's the basic idea.
> I'd prefer to avoid "mok" as that might be misconstrued in a UEFI system.
It is a good idea to avoid confusion.
> > I still see value in immutable system keyring. Being able to reboot to a
> > known state is only one of the reasons.
>
> I'm not sure what you mean. Changes to .system_keyring would not be
> persistent across reboot.
Among other things it is nice to have a keyring with a known good state without
the need to reboot. You (the root user and only under certain circumstances)
should always be able to zap the secondary keyring, but not the .system.
> > The other is the ultimate trust one should have in .system...
>
> Do you have a use case where you would use an immutable set of keys
> exclusively?
Yep. Certain government structures will not use the machine in multi tenant
mode so they'll settle with the vendor keys.
> > Can't we incorporate this functionality in .blacklist and avoid rebooting.
>
> I think you misunderstood. Once you've discarded a builtin keyring you cannot
> get it back without rebooting (unless you hold another trusted key that signed
> it). Once you blacklist a builtin keyring you cannot get it back without
> rebooting (unless you can remove things from a blacklist).
I do not get that part about blacklisting an entire keyring. I hope we will be
able to blacklist particular key, not the whole keyring.
> Clearing .system_keyring would be equivalent to blacklisting all the keys held
> therein. However, I presume you would have it that you cannot add to
> .blacklist unless your bundle of keys to be blacklisted is appropriately
> signed.
>
> > > And why can't .system be a dynamic keyring?
> >
> > Because this makes me uneasy. What are we saving? A few pages of memory?..
>
> A key struct and some associative array metadata plus the cost of looking up
> in a second keyring.
Hopefully something that will be done only when importing new trusted key.
> I'm not sure why it makes you any more uneasy than having .ima_mok at all.
> However, if it makes you able to sleep at night (;-)), and you're willing to
> accept modification of the trust model along the lines of the patchset I
> posted (which will need a couple of alterations) and move the new trust
> keyring and blacklist keyring to the core, then okay, we can do that.
I'll sleep much better once i grasp your entire patch-set, although it will
require some lack of sleep on my part. ;-)
I am also afraid these "couple of alternations" should be communicated to all
stakeholders (Mimi, for one), especially if we decide to make .ima_mok to be
system wide .secondarily_trusted_keys. I volunteer to be excluded from the name
giving competition. :-)
It is also not clear to me how we'll move keys to the blacklist keyring. They
should obviously be signed by CA in primary/secondary trusted keyring(s), the
permissions should be set correctly, but i somehow feel this is not enough.
Mark, would you please comment on the above?
> > I don't mind linking in general as long as the permission check is
> > supplementary to the keys CA hierarchy verification.
>
> Which it currently isn't really. As things stand, the CA hierarchy
> verification takes place once at key creation and is assumed applicable to all
> trusted keyrings thereafter. KEY_FLAG_TRUSTED_ONLY was only really supposed
> to apply to the system keyring.
I am not opposed to everything what you suggest. Since we did that work in
parallel (your stuff and the IMA keyring additions) with no communication
between us, we ended up with broken IMA model. I see three possibilities:
- dump the IMA changes for this release (not happy about it);
- try to quickly adapt the IMA system to your changes (not sure if it can be
done easily and/or quickly) and do it properly for 4.6;
- elevate .ima_mok/blacklist to system wide RW keyrings (we may miss the merge
window);
Petko
next prev parent reply other threads:[~2016-01-13 16:32 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 13:45 [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring David Howells
2016-01-07 0:04 ` James Morris
2016-01-07 0:34 ` David Howells
2016-01-07 2:13 ` Mimi Zohar
2016-01-07 3:28 ` Mimi Zohar
2016-01-07 15:31 ` Mimi Zohar
2016-01-10 10:36 ` James Morris
2016-01-10 13:26 ` Mimi Zohar
2016-01-10 17:46 ` David Howells
2016-01-10 20:33 ` David Howells
2016-01-10 23:55 ` Mimi Zohar
2016-01-12 0:44 ` David Howells
2016-01-12 1:28 ` Mark D. Baushke
2016-01-12 2:03 ` David Howells
2016-01-12 2:25 ` Mark D. Baushke
2016-01-12 3:35 ` Mimi Zohar
2016-01-12 10:08 ` David Howells
2016-01-12 13:21 ` Mimi Zohar
2016-01-12 13:55 ` David Howells
2016-01-12 15:17 ` Mimi Zohar
2016-01-12 15:56 ` David Howells
2016-01-12 16:02 ` Mimi Zohar
2016-01-12 14:11 ` Petko Manolov
2016-01-10 20:33 ` Petko Manolov
2016-01-12 1:38 ` David Howells
2016-01-12 16:14 ` Petko Manolov
2016-01-12 17:08 ` David Howells
2016-01-13 16:31 ` Petko Manolov [this message]
2016-01-13 17:51 ` Mimi Zohar
2016-01-13 18:01 ` Petko Manolov
2016-01-13 18:19 ` David Howells
2016-01-13 18:35 ` Petko Manolov
2016-01-13 18:56 ` Mimi Zohar
2016-01-13 19:19 ` Petko Manolov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160113163148.GA32533@bender.nucleusys.com \
--to=petkan@mip-labs.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdb@juniper.net \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox