Message-ID: <4235e559d00cd90701e05befe87b06e904f008b2.camel@linux.ibm.com>
Date:   Sun, 06 Mar 2022 18:33:23 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>, jarkko@...nel.org,
        dhowells@...hat.com, dwmw2@...radead.org
Cc:     herbert@...dor.apana.org.au, davem@...emloft.net,
        jmorris@...ei.org, serge@...lyn.com, stefanb@...ux.ibm.com,
        nayna@...ux.ibm.com, mic@...ux.microsoft.com,
        konrad.wilk@...cle.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-security-module@...r.kernel.org
Subject: Re: [PATCH 0/4] Add CA enforcement in the machine keyring

Hi Eric,

On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
> A key added to the IMA keyring must be signed by a key contained in either the
> built-in trusted or secondary trusted keyring. IMA also requires these keys
> to be a CA. The only option for an end-user to add their own CA is to compile
> it into the kernel themselves or to use the insert-sys-cert. Many end-users
> do not want to compile their own kernels. With the insert-sys-cert option,
> there are missing upstream changes.
>
> Currently, all Machine Owner Keys (MOK) load into the machine keyring. Add
> a new Kconfig option to only allow CA keys into the machine keyring. When
> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
> keys will load into the platform keyring instead. This will allow the
> end-user to enroll their own CA key into the machine keyring for use with IMA.

In addition to only loading the MOK CA keys onto the .machine keyring,
the keyUsage should be required and limited to keyCertSign. Certs
with keyUsage of keyCertSign should not be allowed on the IMA keyring.

thanks,

Mimi

> 
> These patches are based on Jarkko's linux-tpmdd tree.
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
> 
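The routing policy discussed in this thread, as an added illustration (not the kernel's code nor part of the patch set): a MOK entry goes to the .machine keyring only if it is a CA (basicConstraints CA=TRUE and keyUsage keyCertSign), otherwise to .platform, and a keyCertSign cert is rejected for the IMA keyring. It uses the `cryptography` package and constructs its own self-signed test certs; the keyring names and the helper names are assumptions for the example.

```python
"""Classify X.509 certs the way a CA-only .machine keyring policy would."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def is_ca_cert(cert: x509.Certificate) -> bool:
    """CA test: basicConstraints CA=TRUE and keyUsage includes keyCertSign."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False  # either extension missing: not treated as a CA
    return bool(bc.ca and ku.key_cert_sign)


def route_mok_key(cert: x509.Certificate, ca_enforced: bool) -> str:
    """Keyring a MOK entry lands on (mirrors the CA_ENFORCED Kconfig idea)."""
    if not ca_enforced or is_ca_cert(cert):
        return ".machine"
    return ".platform"  # non-CA keys fall back to the platform keyring


def ima_keyring_accepts(cert: x509.Certificate) -> bool:
    """keyCertSign certs do not belong on the IMA keyring (hypothetical check)."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True  # assumption: no keyUsage means no keyCertSign asserted
    return not ku.key_cert_sign


def _make_cert(cn: str, ca: bool, cert_sign: bool, dig_sig: bool):
    """Constructed self-signed EC cert with the requested CA/keyUsage bits."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(digital_signature=dig_sig, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=cert_sign,
                       crl_sign=False, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(ku, critical=True).sign(key, hashes.SHA256()))


CA_CERT = _make_cert("Constructed MOK CA", ca=True, cert_sign=True, dig_sig=False)
CODESIGN_CERT = _make_cert("Constructed MOK signer", ca=False, cert_sign=False, dig_sig=True)
```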
