[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com>
Date: Mon, 11 Sep 2023 23:39:38 -0400
From: Nayna <nayna@...ux.vnet.ibm.com>
To: Michal Suchánek <msuchanek@...e.de>,
linux-integrity@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, joeyli <jlee@...e.com>,
Eric Snowberg <eric.snowberg@...cle.com>,
Nayna Jain <nayna@...ux.ibm.com>,
Jarkko Sakkinen <jarkko@...nel.org>,
linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
On 9/7/23 13:32, Michal Suchánek wrote:
> Adding more CC's from the original patch, looks like get_maintainers is
> not that great for this file.
>
> On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
>> No other platform needs CA_MACHINE_KEYRING, either.
>>
>> This is policy that should be decided by the administrator, not Kconfig
>> dependencies.
We certainly agree that flexibility is important. However, in this case,
this also implies that we are expecting system admins to be security
experts. As per our understanding, CA based infrastructure(PKI) is the
standard to be followed and not the policy decision. And we can only
speak for Power.
INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf
certs.
INTEGRITY_CA_MACHINE_KEYRING_MAX ensures that CA is only allowed to do
key signing and not code signing.
Having CA signed certs also permits easy revocation of all leaf certs.
Loading certificates is completely new for Power Systems. We would like
to make it as clean as possible from the start. We want to enforce CA
signed leaf certificates(INTEGRITY_CA_MACHINE_KEYRING). As per
keyUsage(INTEGRITY_CA_MACHINE_KEYRING_MAX), if we want more flexibility,
probably a boot time override can be considered.
Thanks & Regards,
- Nayna
>>
>> cc: joeyli <jlee@...e.com>
>> Signed-off-by: Michal Suchanek <msuchanek@...e.de>
>> ---
>> security/integrity/Kconfig | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
>> index 232191ee09e3..b6e074ac0227 100644
>> --- a/security/integrity/Kconfig
>> +++ b/security/integrity/Kconfig
>> @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
>> depends on INTEGRITY_ASYMMETRIC_KEYS
>> depends on SYSTEM_BLACKLIST_KEYRING
>> depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
>> - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
>> - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
>> help
>> If set, provide a keyring to which Machine Owner Keys (MOK) may
>> be added. This keyring shall contain just MOK keys. Unlike keys
>> --
>> 2.41.0
>>
Powered by blists - more mailing lists