Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>, Josh Boyer <jwboyer@redhat.com>
Cc: dhowells@redhat.com, keyrings@linux-nfs.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, dmitry.kasatkin@gmail.com,
	mjg59@srcf.ucam.org
Subject: Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only
Date: Tue, 10 Jun 2014 16:21:36 +0300	[thread overview]
Message-ID: <53970660.4030101@samsung.com> (raw)
In-Reply-To: <1402404750.5350.7.camel@dhcp-9-2-203-236.watson.ibm.com>

On 10/06/14 15:52, Mimi Zohar wrote:
> On Tue, 2014-06-10 at 08:20 -0400, Josh Boyer wrote: 
>> On Tue, Jun 10, 2014 at 11:48:14AM +0300, Dmitry Kasatkin wrote:
>>> Also I want to discuss here Fedora UEFI patches as they are the reason for
>>> the these original patchset.
>>>
>>> http://pkgs.fedoraproject.org/cgit/kernel.git/tree/modsign-uefi.patch
>>>
>>> They provide functionality to specify MokIgnoreDb variable to limit loading of
>>> UEFI keys only from MOK List, while ignoring DB. This is certainly a good
>>> functionality. But once MODULE_SIG_UEFI is enabled, it looks there is no way
>>> to prevent loading keys from UEFI at all. And this might not be a good default
>>> functionality. Someone might want not allow loading of keys from UEFI unless
>>> kernel parameter is specified to allow it without recompiling the kernel
>>> and disabling MODULE_SIG_UEFI.
>>>
>>> Josh, why such design decision was made?
>> IIRC, it's because kernel parameters can be added programmatically from a
>> remote user if they gain root access.  Having a kernel parameter to
>> disable a key piece of secure boot isn't all that great.  We disable
>> other kernel parameters like acpi_rspd as well.
> In this case, there shouldn't be a problem as the kernel parameters
> would further limit the keys usage.
>
> Mimi

Josh probably means that it can be removed and restriction is lifted..
And after reboot, all keys come to the keyring..


>

next prev parent reply	other threads:[~2014-06-10 13:22 UTC|newest]

Thread overview: 70+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-03 17:58 [RFC PATCH v5 0/4] ima: extending secure boot certificate chain of trust Mimi Zohar
2014-06-03 17:58 ` [RFC PATCH v5 1/4] KEYS: special dot prefixed keyring name bug fix Mimi Zohar
2014-06-06 21:48   ` Dmitry Kasatkin
2014-06-06 22:00     ` Mimi Zohar
2014-06-09  7:56       ` Dmitry Kasatkin
2014-06-09  8:17         ` Dmitry Kasatkin
2014-06-03 17:58 ` [RFC PATCH v5 2/4] KEYS: verify a certificate is signed by a 'trusted' key Mimi Zohar
2014-06-06 21:50   ` Dmitry Kasatkin
2014-06-09 13:13     ` Dmitry Kasatkin
2014-06-09 13:48       ` Mimi Zohar
2014-06-09 14:57         ` Dmitry Kasatkin
2014-06-03 17:58 ` [RFC PATCH v5 3/4] ima: define '.ima' as a builtin 'trusted' keyring Mimi Zohar
2014-06-06 21:53   ` Dmitry Kasatkin
2014-06-06 23:27     ` Mimi Zohar
2014-06-09  8:45       ` Dmitry Kasatkin
2014-06-03 17:58 ` [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring Mimi Zohar
2014-06-09 12:13   ` Dmitry Kasatkin
2014-06-09 12:51     ` Mimi Zohar
2014-06-09 13:05       ` Dmitry Kasatkin
2014-06-09 13:48         ` Mimi Zohar
2014-06-09 13:58           ` Dmitry Kasatkin
2014-06-09 14:06             ` Dmitry Kasatkin
2014-06-09 16:33               ` Mimi Zohar
2014-06-10  8:48                 ` [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only Dmitry Kasatkin
2014-06-10  8:48                   ` [PATCH 1/4] KEYS: define an owner trusted keyring Dmitry Kasatkin
2014-06-10 12:24                     ` Josh Boyer
2014-06-10 12:41                       ` Dmitry Kasatkin
2014-06-10 13:07                       ` Mimi Zohar
2014-06-10  8:48                   ` [PATCH 2/4] KEYS: fix couple of things Dmitry Kasatkin
2014-06-10  8:48                   ` [PATCH 3/4] KEYS: validate key trust only with selected owner key Dmitry Kasatkin
2014-06-12 16:03                     ` Vivek Goyal
2014-06-12 16:55                       ` Mimi Zohar
2014-06-12 17:00                         ` Vivek Goyal
2014-06-12 17:17                           ` Mimi Zohar
2014-06-12 17:23                             ` Vivek Goyal
2014-06-12 17:23                       ` Dmitry Kasatkin
2014-06-12 17:32                         ` Vivek Goyal
2014-06-12 17:37                           ` Mimi Zohar
2014-06-12 18:36                           ` Dmitry Kasatkin
2014-06-12 19:01                             ` Vivek Goyal
2014-06-12 19:04                               ` Dmitry Kasatkin
2014-06-12 19:05                               ` Vivek Goyal
2014-06-12 19:15                                 ` Dmitry Kasatkin
2014-06-10  8:48                   ` [PATCH 4/4] KEYS: validate key trust only with builtin keys Dmitry Kasatkin
2014-06-10 12:20                   ` [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only Josh Boyer
2014-06-10 12:52                     ` Mimi Zohar
2014-06-10 13:21                       ` Dmitry Kasatkin [this message]
2014-06-10 13:29                         ` Josh Boyer
2014-06-10 14:53                           ` Mimi Zohar
2014-06-10 12:58                     ` Dmitry Kasatkin
2014-06-10 15:08                       ` Matthew Garrett
2014-06-10 20:39                     ` Dmitry Kasatkin
     [not found]                     ` <CACE9dm9Ff6b3J=05QfcgBv-c_y=5qGNq1-ZSfo4smtj34i1e-A@mail.gmail.com>
2014-06-10 20:40                       ` Matthew Garrett
2014-06-10 21:00                         ` Dmitry Kasatkin
2014-06-10 21:17                           ` Dmitry Kasatkin
2014-06-10 21:25                             ` Matthew Garrett
2014-06-10 21:34                               ` Dmitry Kasatkin
2014-06-10 21:40                                 ` Matthew Garrett
2014-06-10 21:45                                   ` Dmitry Kasatkin
2014-06-11  1:24                                   ` Mimi Zohar
2014-06-11  2:22                                     ` Matthew Garrett
2014-06-11  3:08                                       ` Mimi Zohar
2014-06-11  3:23                                         ` Matthew Garrett
2014-06-11 12:30                                           ` Mimi Zohar
2014-06-11 15:20                                             ` Matthew Garrett
2014-06-27 14:16                                           ` David Howells
2014-06-10 21:40                                 ` Dmitry Kasatkin
2014-06-10 12:45                   ` Mimi Zohar
2014-06-10 12:49                     ` Dmitry Kasatkin
2014-06-11 20:49                       ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53970660.4030101@samsung.com \
    --to=d.kasatkin@samsung.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=jwboyer@redhat.com \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@srcf.ucam.org \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox