lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <78d2c13ad60b5f845cb841d257d1b41290f575c6.camel@linux.ibm.com>
Date:   Wed, 26 Jan 2022 17:06:09 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Jarkko Sakkinen <jarkko@...nel.org>,
        Eric Snowberg <eric.snowberg@...cle.com>
Cc:     dhowells@...hat.com, dwmw2@...radead.org, ardb@...nel.org,
        jmorris@...ei.org, serge@...lyn.com, nayna@...ux.ibm.com,
        keescook@...omium.org, torvalds@...ux-foundation.org,
        weiyongjun1@...wei.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        James.Bottomley@...senpartnership.com, pjones@...hat.com,
        konrad.wilk@...cle.com
Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK

Hi Jarkko,

> > Thank you. I'll pick these soon. Is there any objections?

No objections.
> 
> Mimi brought up that we need a MAINTAINERS update for this and also
> .platform.
> 
> We have these:
> 
> - KEYS/KEYRINGS
> - CERTIFICATE HANDLING
> 
> I would put them under KEYRINGS for now and would not consider further
> subdivision for the moment.

IMA has dependencies on the platform_certs/ and now on the new .machine
keyring.  Just adding "F: security/integrity/platform_certs/" to the
KEYS/KEYRINGS record, ignores that dependency.  The discussion wouldn't
even be on the linux-integrity mailing list.

Existing requirement:
- The keys on the .platform keyring are limited to verifying the kexec
image.

New requirements based on Eric Snowbergs' patch set:
- When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
the MOK keys will not be loaded directly onto the .machine keyring or
indirectly onto the .secondary_trusted_keys keyring.

- Only when a new IMA Kconfig explicitly allows the keys on the
.machine keyrings, will the CA keys stored in MOK be loaded onto the
.machine keyring.

Unfortunately I don't think there is any choice, but to define a new
MAINTAINERS entry.  Perhaps something along the lines of:

KEYS/KEYRINGS_INTEGRITY
M:     Jarkko Sakkinen <jarkko@...nel.org>
M:     Mimi Zohar <zohar@...ux.ibm.com>
L:      keyrings@...r.kernel.org
L:      linux-integrity@...r.kernel.org
F:      security/integrity/platform_certs

thanks,

Mimi

Powered by blists - more mailing lists