Message-ID: <31AEC478-DEF9-49EC-AF4B-E7189E027A49@oracle.com>
Date: Tue, 13 Dec 2022 02:41:23 +0000
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
CC: Coiby Xu <coxu@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
"herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
"davem@...emloft.net" <davem@...emloft.net>,
"dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
"paul@...l-moore.com" <paul@...l-moore.com>,
"jmorris@...ei.org" <jmorris@...ei.org>,
"serge@...lyn.com" <serge@...lyn.com>,
"pvorel@...e.cz" <pvorel@...e.cz>,
"noodles@...com" <noodles@...com>, "tiwai@...e.de" <tiwai@...e.de>,
"bp@...e.de" <bp@...e.de>,
Kanth Ghatraju <kanth.ghatraju@...cle.com>,
Konrad Wilk <konrad.wilk@...cle.com>,
Elaine Palmer <erpalmer@...ux.vnet.ibm.com>,
"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions

> On Dec 12, 2022, at 2:44 PM, Mimi Zohar <zohar@...ux.ibm.com> wrote:
>
> Hi Eric, Coiby,
>
> On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote:
>>> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu@...hat.com> wrote:
>>>
>>> Thanks for your work! The patch set looks good to me except for the
>>> requirement that an intermediate CA certificate should be vouched for by a
>>> root CA certificate before it can vouch for other certificates. What if
>>> users only want to enroll an intermediate CA certificate into the MOK?
>>
>> This question would need to be answered by the maintainers. The intermediate
>> requirement was based on my understanding of previous discussions requiring
>> there be a way to validate root of trust all the way back to the root CA.
>
> That definitely did not come from me. My requirement all along has
> been to support a single self-signed CA certificate for the end
> user/customer use case, so that they could create and load their own
> public key, signed by that CA, onto the trusted IMA/EVM keyrings.
>
>>
>>> If this requirement could be dropped, the code could be simplified and
>>> some issues could be resolved automatically,
>>
>> Agreed. I will make sure the issue below is resolved one way or the other,
>> once we have an agreement on the requirements.
>
> I totally agree with Coiby that there is no need for intermediate CA
> certificates to be vouched for by a root CA certificate. In fact the
> closer the CA certificate is to the leaf code signing certificate, the
> better. As much as possible we want to limit the CA keys being loaded
> onto the machine keyring to those that are absolutely required.

Ok, I will change this in the next round. The confusion around the requirement
comes from the request to validate the cert is self-signed. The intermediate in this
case will not be self-signed. As long as this check is not necessary, I will drop it from
the code and allow the intermediate to vouch for the IMA key without the root being
present. Thanks for clearing this up.