Date:   Sun, 09 Jan 2022 16:57:06 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>, dhowells@...hat.com,
        dwmw2@...radead.org, ardb@...nel.org, jarkko@...nel.org
Cc:     jmorris@...ei.org, serge@...lyn.com, nayna@...ux.ibm.com,
        keescook@...omium.org, torvalds@...ux-foundation.org,
        weiyongjun1@...wei.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        James.Bottomley@...senPartnership.com, pjones@...hat.com,
        konrad.wilk@...cle.com
Subject: Re: [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine

On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Many UEFI Linux distributions boot using shim.  The UEFI shim provides
> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
> Boot DB and MOK keys to validate the next step in the boot chain.  The
> MOK facility can be used to import user generated keys.  These keys can
> be used to sign an end-users development kernel build.  When Linux
> boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
> .platform keyring.
> 
> Define a new Linux keyring called machine.  This keyring shall contain just
> MOK CA keys and not the remaining keys in the platform keyring. This new
> machine keyring will be used in follow-on patches.  Unlike keys in the
> platform keyring, keys contained in the machine keyring will be trusted
> within the kernel if the end-user has chosen to do so.

True, from an IMA perspective only the CA keys should be loaded onto
the .machine keyring, but this version (v9) of the patch set does not
enforce that.  The patch set and this paragraph are out of sync.

Jarkko, my concern is that once this version of the patch set is
upstreamed, would limiting which keys may be loaded onto the .machine
keyring be considered a regression?

thanks,

Mimi

> 
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> ---
> v1: Initial version
> v2: Removed destroy keyring code
> v3: Unmodified from v2
> v4: Add Kconfig, merged in "integrity: add add_to_mok_keyring" 
> v5: Rename to machine keyring
> v6: Depend on EFI in kconfig  (suggested by Mimi)
>     Test to see if ".platform" keyring is configured in
>       add_to_machine_keyring (suggested by Mimi)
> v7: Depend on LOAD_UEFI_KEYS instead of EFI for mokvar code
> v8: Code unmodified from v7 added Mimi's Reviewed-by
> v9: Removed Reviewed-by. Prevent IMA from being able to
>      use the machine keyring since the CA restrictions
>      have been removed.

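As an added example, not code from the patch set or from this e-mail: a small Python parser for `keyctl show` output that reports which keys a running kernel holds on its .platform and .machine keyrings, which is the first thing to check when deciding whether MOK keys have landed where the commit message says they should. The sample output is constructed (serials, subject names and key IDs are made up), and the rule used to derive nesting depth from keyutils' indentation is an assumption about its formatting.

```python
"""Inspect which keys a running kernel has on its .platform and .machine keyrings.

Added example, not code from the patch set or the e-mail.  It parses the
text printed by `keyctl show` (keyutils); the sample below is constructed,
with made-up serials, subject names and key IDs.
"""
import re
from collections import OrderedDict

# One `keyctl show` key line: serial, perms, uid, gid, then an indented
# "[\_ ]type: description" field.  The "Keyring" banner line has no serial
# and is skipped.  Column widths differ between keyutils versions, so the
# pattern keys on whitespace rather than fixed offsets (assumption).
LINE_RE = re.compile(
    r"^\s*(?P<serial>\d+)\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"(?P<indent> +)(?P<child>\\_ )?(?P<type>\w+): (?P<desc>.*)$"
)

# Constructed sample resembling `keyctl show %:.platform` followed by
# `keyctl show %:.machine` on a shim-booted system with this series applied.
SAMPLE_KEYCTL_SHOW = r"""Keyring
 837806908 ---lswrv      0     0  keyring: .platform
 268346248 ---lswrv      0     0   \_ asymmetric: Example Firmware Vendor UEFI CA: 1111111111111111111111111111111111111111
 396814119 ---lswrv      0     0   \_ asymmetric: Example OS Vendor Production CA: 2222222222222222222222222222222222222222
Keyring
 715322395 ---lswrv      0     0  keyring: .machine
 147401203 ---lswrv      0     0   \_ asymmetric: Example Distro MOK CA: 3333333333333333333333333333333333333333
"""


def parse_keyctl_show(text):
    """Map keyring name -> list of (key type, description) for every keyring
    in TEXT.  Nested keyrings get their own entry rather than appearing as
    keys of their parent."""
    keyrings = OrderedDict()
    stack = []  # names of the enclosing keyrings, indexed by nesting depth
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Keyring" banner or blank line
        # A root keyring has no "\_"; keyutils indents each nested level by
        # four more spaces (assumption about its formatting).
        if m.group("child"):
            depth = (len(m.group("indent")) - 3) // 4 + 1
        else:
            depth = 0
        del stack[depth:]
        ktype, desc = m.group("type"), m.group("desc")
        if ktype == "keyring":
            keyrings.setdefault(desc, [])
            stack.append(desc)
        elif stack:
            keyrings[stack[-1]].append((ktype, desc))
    return keyrings


def machine_keyring_keys(keyrings):
    """Keys on .machine, or None when the kernel exposes no such keyring
    (a kernel without this series, or built without the machine keyring)."""
    return keyrings.get(".machine")


def overlapping_keys(keyrings):
    """Descriptions present on both .platform and .machine."""
    platform = {desc for _, desc in keyrings.get(".platform", [])}
    machine = {desc for _, desc in keyrings.get(".machine", [])}
    return platform & machine


if __name__ == "__main__":
    import sys
    # Feed real `keyctl show` output on stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYCTL_SHOW
    found = parse_keyctl_show(text)
    for name, keys in found.items():
        print(f"{name}: {len(keys)} key(s)")
        for ktype, desc in keys:
            print(f"  {ktype}: {desc}")
    if machine_keyring_keys(found) is None:
        print("no .machine keyring: kernel predates it or was built without it")
    for desc in sorted(overlapping_keys(found)):
        print(f"on both keyrings: {desc}")
```

On a real system, run `keyctl show %:.platform` and `keyctl show %:.machine` as root and pipe the combined output into the script; on a kernel without this series the second command fails because no .machine keyring exists, and the parser reports that as None. The parser only tells you what is on each keyring, not whether a key is a CA certificate, so it cannot by itself verify the "CA keys only" property the commit message describes; that needs the certificate's basicConstraints, which `keyctl show` does not print.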