lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 15 Jan 2019 10:17:13 -0500
From:   nayna <nayna@...ux.vnet.ibm.com>
To:     Dave Young <dyoung@...hat.com>
Cc:     Mimi Zohar <zohar@...ux.ibm.com>, Kairui Song <kasong@...hat.com>,
        linux-kernel@...r.kernel.org, dhowells@...hat.com,
        dwmw2@...radead.org, jwboyer@...oraproject.org,
        keyrings@...r.kernel.org, jmorris@...ei.org, serge@...lyn.com,
        bauerman@...ux.ibm.com, ebiggers@...gle.com, nayna@...ux.ibm.com,
        linux-integrity@...r.kernel.org, kexec@...ts.infradead.org
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for
 signature verify

On 2019-01-14 21:42, Dave Young wrote:
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
>> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
>> > Hi,
>> >
>> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
>> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
>> > > [snip]
>> > >
>> > > > Personally I would like to see platform key separated from integrity.
>> > > > But for the kexec_file part I think it is good at least it works with
>> > > > this fix.
>> > > >
>> > > > Acked-by: Dave Young <dyoung@...hat.com>
>> > >
>> > > The original "platform" keyring patches that Nayna posted multiple
>> > > times were in the certs directory, but nobody commented/responded.  So
>> > > she reworked the patches, moving them to the integrity directory and
>> > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
>> > > asking to move it, isn't it?
>> >
>> > Hmm, apologize for being late,  I did not get chance to have a look the
>> > old series.  Since we have the needs now, it should be still fine
>> >
>> > Maybe Kairui can check Nayna's old series, see if he can do something
>> > again?
>> 
>> Whether the platform keyring is defined in certs/ or in integrity/ the
>> keyring id needs to be accessible to the other, without making the
>> keyring id global.  Moving where the platform keyring is defined is
>> not the problem.
> 
> Agreed, but just feel kexec depends on IMA sounds not good.

The platform keyring is not dependent on IMA, it is dependent on 
"integrity" - CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
Other CONFIGS which it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING, 
CONFIG_EFI.

Thanks & Regards,
    - Nayna

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ