Message-ID: <31422.1452593319@warthog.procyon.org.uk>
Date: Tue, 12 Jan 2016 10:08:39 +0000
From: David Howells <dhowells@...hat.com>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: dhowells@...hat.com, "Mark D. Baushke" <mdb@...iper.net>,
James Morris <jmorris@...ei.org>,
Marcel Holtmann <marcel@...tmann.org>, petkan@...-labs.com,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> The IMA MOK and blacklist are restricted to "public_key_restrict_link".
> Does this only allow keys signed by keys on the respective keyring or
> also by the system keyring?
As my patches stand, the following are implemented:

 (1) public_key_restrict_link() restricts to asymmetric keys that are signed
     by a CA in the specified keyring. It returns -ENOKEY if no matching key
     is found rather than -EKEYREJECTED, however, so you can call it several
     times for different keyrings. -EKEYREJECTED is only returned if a
     signature check fails. This is used by the following two functions.

 (2) restrict_link_by_system_trusted() restricts to asymmetric keys that are
     signed by a CA in the system keyring. This ignores the keyring argument
     it is given.

     Note that the system_trusted_keyring is then no longer exported because
     verify_pkcs7_signature() is also in certs/system_keyring.c and uses that
     by default if NULL is passed.

 (3) restrict_link_by_ima_mok() restricts to asymmetric keys signed by a CA in
     either .system_keyring or .ima_mok.

So the trusted keyrings are then restricted as follows:

 (1) .system_keyring uses restrict_link_by_system_trusted() - though it lacks
     any sort of write permission, so it's currently moot. It could just as
     well be replaced with a function that just returns -EPERM.

 (2) .ima_mok should be using restrict_link_by_system_trusted(), but I failed
     to update this when I split the public_key_restrict_link() function.
     I've updated this in my patch. This would then be correct according to
     Petko's commit log:

	To successfully import a key into .ima_mok it must be signed by a
	key which CA is in .system keyring.

     However, from what Petko says, this is wrong and it should instead be
     using restrict_link_by_ima_mok().

 (3) .ima_blacklist should be using restrict_link_by_system_trusted() also.
     I've no idea whether additions to this should be permitted by keys in
     .ima_mok also.

 (4) .ima uses restrict_link_by_ima_mok(), as per:

	On turn any key that needs to go in .ima keyring must be signed by CA
	in either .system or .ima_mok keyrings.

 (5) .evm is not restricted by my patches. This is a mistake on my part - but
     I'm not sure what the restriction actually needs to be as it's not
     mentioned in Petko's commit message. Presumably it needs the same as
     .ima.

David
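Added illustration, not David's patch or any kernel code: a userspace C model of the three restriction functions described in the message, using constructed keyrings (CA ids "system-ca" and "mok-ca") and a sig_ok flag in place of real signature verification. It shows why public_key_restrict_link() must return -ENOKEY for "no matching CA" and -EKEYREJECTED only for a failed signature, so that restrict_link_by_ima_mok() can try .system_keyring and then .ima_mok without a bad signature ever being masked by the second lookup.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Linux errno values, for hosts whose libc does not define them. */
#ifndef ENOKEY
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif
/* A keyring, modelled as the ids of the CA keys it holds (constructed). */
struct keyring { const char *const *ca_ids; size_t n; };
/* A candidate key: which CA it claims signed it, and whether that signature
 * would verify (sig_ok stands in for the real signature check). */
struct candidate { const char *issuer_id; bool sig_ok; };

/* Model of public_key_restrict_link(): -ENOKEY when no CA in this keyring
 * matches (the caller may then try another keyring); -EKEYREJECTED only
 * when a matching CA is found and the signature check fails. */
static int public_key_restrict_link(const struct keyring *kr,
				    const struct candidate *c)
{
	for (size_t i = 0; i < kr->n; i++)
		if (strcmp(kr->ca_ids[i], c->issuer_id) == 0)
			return c->sig_ok ? 0 : -EKEYREJECTED;
	return -ENOKEY;
}

/* Model of restrict_link_by_system_trusted(): the system keyring only. */
static int restrict_link_by_system_trusted(const struct keyring *sys,
					   const struct candidate *c)
{
	return public_key_restrict_link(sys, c);
}

/* Model of restrict_link_by_ima_mok(): .system_keyring first, then .ima_mok,
 * falling through only on -ENOKEY so a rejected signature is never masked. */
static int restrict_link_by_ima_mok(const struct keyring *sys,
				    const struct keyring *mok,
				    const struct candidate *c)
{
	int ret = public_key_restrict_link(sys, c);
	return ret == -ENOKEY ? public_key_restrict_link(mok, c) : ret;
}
/* Constructed sample keyrings holding one CA id each. */
static const char *const system_ca_ids[] = { "system-ca" };
static const char *const mok_ca_ids[] = { "mok-ca" };
static const struct keyring system_keyring = { system_ca_ids, 1 };
static const struct keyring ima_mok_keyring = { mok_ca_ids, 1 };
```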