lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8096FB15-1766-4C0B-BCE0-BB520BAAC0B7@oracle.com>
Date:   Fri, 20 Oct 2023 15:53:22 +0000
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     Mickaël Salaün <mic@...ikod.net>
CC:     Paul Moore <paul@...l-moore.com>, Mimi Zohar <zohar@...ux.ibm.com>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        Kanth Ghatraju <kanth.ghatraju@...cle.com>,
        Konrad Wilk <konrad.wilk@...cle.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        KP Singh <kpsingh@...nel.org>
Subject: Re: RFC: New LSM to control usage of x509 certificates



> On Oct 20, 2023, at 9:05 AM, Mickaël Salaün <mic@...ikod.net> wrote:
> 
> On Thu, Oct 19, 2023 at 11:08:38PM +0000, Eric Snowberg wrote:
>> 
>> 
>>> On Oct 19, 2023, at 3:12 AM, Mickaël Salaün <mic@...ikod.net> wrote:
>>> 
>>> The more flexible approach would be to not hardcode any policy in the
>>> kernel but let sysadmins define their own, including OIDs. We "just"
>>> need to find an adequate configuration scheme to define these
>>> constraints.
>> 
>> Also, with the flexible approach, the policy would need to be given to the 
>> kernel before any kernel module loads, fs-verity starts, or anything dealing 
>> with digital signature based IMA runs, etc.  With hardcoded policies this 
>> could be setup from the kernel command line or be set from a Kconfig.  
>> I assume with a flexible approach, this would need to come in early within 
>> the initram?
> 
> Yes, either the cmdline and/or the initramfs.
> 
>> 
>>> We already have an ASN.1 parser in the kernel, so we might
>>> want to leverage that to match a certificate.
>> 
>> We have the parser, however after parsing the certificate we do not 
>> retain all the information within it.  Some of the recent changes I have 
>> done required modifications to the public_key struct.  If there isn’t any 
>> type of hard coded policy, what would be the reception of retaining the 
>> entire cert within the kernel? 
> 
> I think it would make sense to have a default policy loaded at boot
> time, then load and take into account new pieces of policies at run
> time, but only parse/tag/assign a role to certificates/keys when they
> are loaded.

Many keys are loaded into the kernel before the initram is used.  This 
includes:  builtin, platform (UEFI DB), and machine (MOK).  I believe 
these are the keys of most interest for controlling usage.  By not retaining 
all the attributes, I’m not sure how a useful filtering policy could be 
implemented afterwards.  Do you have any ideas?

Also, for revocation, today we allow any system key to vouch for inclusion 
into the blacklist keyring.  Shouldn’t only the CA with the correct attributes
that originally signed the key be able to do this?  If all attributes were retained 
this could also be possible.  There is a similar issue with keys added to the 
secondary keyring.  Any key linked to the secondary can do the vouching 
for inclusion and usage is ignored.  If a policy is added afterwards to enforce 
this, we don’t have all the information necessary to do the enforcement.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ