lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8e9e4bc3bbd831a606f264ec3f4dfcafdeebece6.camel@linux.ibm.com>
Date:   Tue, 22 Feb 2022 06:59:25 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Jarkko Sakkinen <jarkko@...nel.org>
Cc:     Eric Snowberg <eric.snowberg@...cle.com>, dhowells@...hat.com,
        dwmw2@...radead.org, ardb@...nel.org, jmorris@...ei.org,
        serge@...lyn.com, nayna@...ux.ibm.com, keescook@...omium.org,
        torvalds@...ux-foundation.org, weiyongjun1@...wei.com,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-efi@...r.kernel.org, linux-security-module@...r.kernel.org,
        James.Bottomley@...senpartnership.com, pjones@...hat.com,
        konrad.wilk@...cle.com
Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK

On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote:
> On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote:

> > > 
> > > Mimi brought up that we need a MAINTAINERS update for this and also
> > > .platform.
> > > 
> > > We have these:
> > > 
> > > - KEYS/KEYRINGS
> > > - CERTIFICATE HANDLING
> > > 
> > > I would put them under KEYRINGS for now and would not consider further
> > > subdivision for the moment.
> > 
> > IMA has dependencies on the platform_certs/ and now on the new .machine
> > keyring.  Just adding "F: security/integrity/platform_certs/" to the
> > KEYS/KEYRINGS record, ignores that dependency.  The discussion wouldn't
> > even be on the linux-integrity mailing list.
> > 
> > Existing requirement:
> > - The keys on the .platform keyring are limited to verifying the kexec
> > image.
> > 
> > New requirements based on Eric Snowbergs' patch set:
> > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
> > the MOK keys will not be loaded directly onto the .machine keyring or
> > indirectly onto the .secondary_trusted_keys keyring.
> > 
> > - Only when a new IMA Kconfig explicitly allows the keys on the
> > .machine keyrings, will the CA keys stored in MOK be loaded onto the
> > .machine keyring.
> > 
> > Unfortunately I don't think there is any choice, but to define a new
> > MAINTAINERS entry.  Perhaps something along the lines of:
> > 
> > KEYS/KEYRINGS_INTEGRITY
> > M:     Jarkko Sakkinen <jarkko@...nel.org>
> > M:     Mimi Zohar <zohar@...ux.ibm.com>
> > L:      keyrings@...r.kernel.org
> > L:      linux-integrity@...r.kernel.org
> > F:      security/integrity/platform_certs
> > 
> 
> This would work for me.

Thanks, Jarkko.  Are you planning on upstreaming this change, as you
previously said, or would you prefer I do it?

thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ