lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 30 Aug 2021 11:39:49 -0600
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     Nayna <nayna@...ux.vnet.ibm.com>, Mimi Zohar <zohar@...ux.ibm.com>
Cc:     James Bottomley <James.Bottomley@...senPartnership.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org,
        linux-integrity <linux-integrity@...r.kernel.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S . Miller" <davem@...emloft.net>,
        James Morris <jmorris@...ei.org>,
        "Serge E . Hallyn" <serge@...lyn.com>, keescook@...omium.org,
        gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
        scott.branden@...adcom.com, weiyongjun1@...wei.com,
        nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
        Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        lszubowi@...hat.com, linux-kernel@...r.kernel.org,
        linux-crypto@...r.kernel.org,
        linux-security-module@...r.kernel.org, pjones@...hat.com,
        "konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
        Patrick Uiterwijk <patrick@...terwijk.org>
Subject: Re: [PATCH v4 00/12] Enroll kernel keys thru MOK


> On Aug 27, 2021, at 2:44 PM, Nayna <nayna@...ux.vnet.ibm.com> wrote:
> On 8/25/21 6:27 PM, James Bottomley wrote:
>> 
>> Remember, a CA cert is a self signed cert with the CA:TRUE basic
>> constraint.  Pretty much no secure boot key satisfies this (secure boot
>> chose deliberately NOT to use CA certificates, so they're all some type
>> of intermediate or leaf), so the design seems to be only to pick out
>> the CA certificates you put in the MOK keyring.  Adding the _ca suffix
>> may deflect some of the "why aren't all my MOK certificates in the
>> keyring" emails ...
> 
> 
> My understanding is the .system_ca keyring should not be restricted only
> to self-signed CAs (Root CA). Any cert that can qualify as Root or
> Intermediate CA with Basic Constraints CA:TRUE should be allowed. In
> fact, the intermediate CA certificates closest to the leaf nodes would be
> best.

With an intermediate containing CA:TRUE, the intermediate cert would not 
be self signed. Just for my clarification, does this mean I should remove
the check that validates if it is self signed and instead somehow check if 
the CA flag is set?  Wouldn’t this potentially allow improperly signed certs 
into this new keyring?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ