From: David Howells <dhowells@redhat.com>
To: Petko Manolov <petkan@mip-labs.com>
Cc: dhowells@redhat.com, Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, mdb@juniper.net
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Date: Tue, 12 Jan 2016 17:08:44 +0000
Message-ID: <30974.1452618524@warthog.procyon.org.uk>
In-Reply-To: <20160112161449.GB4806@bender.nucleusys.com>
Petko Manolov <petkan@mip-labs.com> wrote:
> There is no need for .ima_mok if there is .mok, which should be a system-wide
> keyring. I'm trying to say that once we have .mok (you're more than welcome
> to suggest a better name) we'll get rid of .ima_mok.
If we really must have separate keyrings - and I still don't see that it's
necessary - then maybe:
.builtin_trusted_keys (RO)
.secondarily_trusted_keys (RW).
I'd prefer to avoid "mok" as that might be misconstrued in a UEFI system.
> I still see value in immutable system keyring. Being able to reboot to a
> known state is only one of the reasons.
I'm not sure what you mean. Changes to .system_keyring would not be
persistent across reboot.
> The other is the ultimate trust one should have in .system...
Do you have a use case where you would use an immutable set of keys
exclusively?
> > The one thing I grant that enabling the .system keyring will allow is
> > deletion of trusted keys - and once you've deleted them, you can't
> > necessarily get them back without rebooting.
>
> Can't we incorporate this functionality in .blacklist and avoid rebooting?
I think you misunderstood. Once you've discarded a builtin keyring you cannot
get it back without rebooting (unless you hold another trusted key that signed
it). Once you blacklist a builtin keyring you cannot get it back without
rebooting (unless you can remove things from a blacklist).
Clearing .system_keyring would be equivalent to blacklisting all the keys held
therein. However, I presume you would have it that you cannot add to
.blacklist unless your bundle of keys to be blacklisted is appropriately
signed.
> > And why can't .system be a dynamic keyring?
>
> Because this makes me uneasy. What are we saving? A few pages of memory?
A key struct and some associative array metadata plus the cost of looking up
in a second keyring.
I'm not sure why it makes you any more uneasy than having .ima_mok at all.
However, if it makes you able to sleep at night (;-)), and you're willing to
accept modification of the trust model along the lines of the patchset I
posted (which will need a couple of alterations) and move the new trust
keyring and blacklist keyring to the core, then okay, we can do that.
> I don't mind linking in general as long as the permission check is
> supplementary to the keys CA hierarchy verification.
Which it currently isn't really. As things stand, the CA hierarchy
verification takes place once at key creation and is assumed applicable to all
trusted keyrings thereafter. KEY_FLAG_TRUSTED_ONLY was only really supposed
to apply to the system keyring.
David