| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Aug 2021 19:51:30 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Nayna <nayna@...ux.vnet.ibm.com>, Mimi Zohar <zohar@...ux.ibm.com>
Cc: James Bottomley <James.Bottomley@...senPartnership.com>,
Jarkko Sakkinen <jarkko@...nel.org>,
David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org,
linux-integrity <linux-integrity@...r.kernel.org>,
David Woodhouse <dwmw2@...radead.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
lszubowi@...hat.com, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org, pjones@...hat.com,
"konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
Patrick Uiterwijk <patrick@...terwijk.org>
Subject: Re: [PATCH v4 00/12] Enroll kernel keys thru MOK
> On Aug 31, 2021, at 6:52 PM, Nayna <nayna@...ux.vnet.ibm.com> wrote:
>
>
> On 8/30/21 1:39 PM, Eric Snowberg wrote:
>>> On Aug 27, 2021, at 2:44 PM, Nayna <nayna@...ux.vnet.ibm.com> wrote:
>>> On 8/25/21 6:27 PM, James Bottomley wrote:
>>>> Remember, a CA cert is a self signed cert with the CA:TRUE basic
>>>> constraint. Pretty much no secure boot key satisfies this (secure boot
>>>> chose deliberately NOT to use CA certificates, so they're all some type
>>>> of intermediate or leaf), so the design seems to be only to pick out
>>>> the CA certificates you put in the MOK keyring. Adding the _ca suffix
>>>> may deflect some of the "why aren't all my MOK certificates in the
>>>> keyring" emails ...
>>>
>>> My understanding is the .system_ca keyring should not be restricted only
>>> to self-signed CAs (Root CA). Any cert that can qualify as Root or
>>> Intermediate CA with Basic Constraints CA:TRUE should be allowed. In
>>> fact, the intermediate CA certificates closest to the leaf nodes would be
>>> best.
>> With an intermediate containing CA:TRUE, the intermediate cert would not
>> be self signed. Just for my clarification, does this mean I should remove
>> the check that validates if it is self signed and instead somehow check if
>> the CA flag is set? Wouldn’t this potentially allow improperly signed certs
>> into this new keyring?
>>
> In this model, we are relying on the admin to ensure the authenticity of the certificate(s) being loaded onto the new keyring. It is similar to trusting the admin to enable the variable and add keys to MOK. Following are the checks that must pass before adding it to .system_ca keyring.
>
> 1. Check against revocation_list.
> 2. Check Basic Constraints: CA=TRUE.
> 3. Check keyUsage = keyCertSign.
Originally I thought the request to only load CA certs into this new keyring
was so root of trust could be validated for the entire chain. If a portion
of the model now relies on the admin to ensure authenticity, and the complete
chain is not needed, why not have the admin also check for #2 and #3? Meaning,
when the Kconfig option is enabled and the new MokListTrustedRT UEFI is set,
whatever the admin has placed in the MOKList goes into this new keyring.
Powered by blists - more mailing lists