lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 7 Mar 2022 18:13:02 +0000
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>
CC:     Mimi Zohar <zohar@...ux.ibm.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>,
        "dwmw2@...radead.org" <dwmw2@...radead.org>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "nayna@...ux.ibm.com" <nayna@...ux.ibm.com>,
        "mic@...ux.microsoft.com" <mic@...ux.microsoft.com>,
        Konrad Wilk <konrad.wilk@...cle.com>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH 4/4] integrity: CA enforcement in machine keyring



> On Mar 4, 2022, at 4:19 PM, Stefan Berger <stefanb@...ux.ibm.com> wrote:
> 
> 
> On 3/1/22 12:36, Eric Snowberg wrote:
>> When INTEGRITY_MACHINE_KEYRING is set, all Machine Owner Keys (MOK)
>> are loaded into the machine keyring.  Add a new
>> INTEGRITY_MACHINE_KEYRING_CA_ENFORCED option where only MOK CA keys are
>> added.
>> 
>> Set the restriction check to restrict_link_by_ca.  This will only allow
>> CA keys into the machine keyring. Unlike when INTEGRITY_MACHINE_KEYRING
>> is enabled, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY may
>> also be enabled, allowing IMA to use keys in the machine keyring as
>> another trust anchor.
> 
> I tried to test this but could only do it by disabling the MokListTrustedRT variable check and then also the check for secure boot. It did load the expected keys onto the .machine keyring, enforcing the x509 indicating a self-signed CA if the compile time option CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED=y was set, loading all keys in the case of CONFIG_INTEGRITY_MACHINE_KEYRING=y.
> 
> I tried with this branch here from mokutils https://github.com/esnowberg/mokutil/tree/trust-mok but this seems to create an EFI variable with a different name. I guess this is the wrong branch?

Thanks for testing.  During the shim review, Peter requested an EFI variable name
change. This did not impact anything in the kernel.  However it did impact mokutil. 
The necessary mokutil changes are available in this pull request:

https://github.com/lcp/mokutil/pull/49

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ