LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Snowberg <eric.snowberg@oracle.com>
Cc: keyrings@vger.kernel.org,
linux-integrity <linux-integrity@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>,
Jarkko Sakkinen <jarkko@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
keescook@chromium.org, gregkh@linuxfoundation.org,
torvalds@linux-foundation.org, scott.branden@broadcom.com,
weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com,
ardb@kernel.org,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
lszubowi@redhat.com, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
James Bottomley <James.Bottomley@HansenPartnership.com>,
pjones@redhat.com,
"konrad.wilk@oracle.com" <konrad.wilk@oracle.com>
Subject: Re: [PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)
Date: Thu, 12 Aug 2021 20:35:41 -0400 [thread overview]
Message-ID: <119db8a1ed406caf66c793fe8dbfaa439537c086.camel@linux.ibm.com> (raw)
In-Reply-To: <915366E7-0B86-4F38-8AFD-EDA5FC1916D5@oracle.com>
On Thu, 2021-08-12 at 16:36 -0600, Eric Snowberg wrote:
> > On Aug 12, 2021, at 3:31 PM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Wed, 2021-08-11 at 22:18 -0400, Eric Snowberg wrote:
> >> Many UEFI Linux distributions boot using shim. The UEFI shim provides
> >> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
> >> Boot DB and MOK keys to validate the next step in the boot chain. The
> >> MOK facility can be used to import user generated keys. These keys can
> >> be used to sign an end-users development kernel build. When Linux
> >> boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
> >> .platform keyring.
> >>
> >> Add a new Linux keyring called .mok. This keyring shall contain just
> >> MOK keys and not the remaining keys in the platform keyring. This new
> >> .mok keyring will be used in follow on patches. Unlike keys in the
> >> platform keyring, keys contained in the .mok keyring will be trusted
> >> within the kernel if the end-user has chosen to do so.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> >> ---
> >> v1: Initial version
> >> v2: Removed destory keyring code
> >> v3: Unmodified from v2
> >> ---
> >> security/integrity/Makefile | 3 ++-
> >> security/integrity/digsig.c | 1 +
> >> security/integrity/integrity.h | 3 ++-
> >> .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
> >> 4 files changed, 26 insertions(+), 2 deletions(-)
> >> create mode 100644 security/integrity/platform_certs/mok_keyring.c
> >>
> >> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> >> index 7ee39d66cf16..8e2e98cba1f6 100644
> >> --- a/security/integrity/Makefile
> >> +++ b/security/integrity/Makefile
> >> @@ -9,7 +9,8 @@ integrity-y := iint.o
> >> integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
> >> integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
> >> integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
> >> -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
> >> +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \
> >> + platform_certs/mok_keyring.o
> >> integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
> >> platform_certs/load_uefi.o \
> >> platform_certs/keyring_handler.o
> >> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> >> index 3b06a01bd0fd..e07334504ef1 100644
> >> --- a/security/integrity/digsig.c
> >> +++ b/security/integrity/digsig.c
> >> @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
> >> ".ima",
> >> #endif
> >> ".platform",
> >> + ".mok",
> >> };
> >>
> >> #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> >> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> >> index 547425c20e11..e0e17ccba2e6 100644
> >> --- a/security/integrity/integrity.h
> >> +++ b/security/integrity/integrity.h
> >> @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
> >> #define INTEGRITY_KEYRING_EVM 0
> >> #define INTEGRITY_KEYRING_IMA 1
> >> #define INTEGRITY_KEYRING_PLATFORM 2
> >> -#define INTEGRITY_KEYRING_MAX 3
> >> +#define INTEGRITY_KEYRING_MOK 3
> >> +#define INTEGRITY_KEYRING_MAX 4
> >>
> >> extern struct dentry *integrity_dir;
> >>
> >> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> >> new file mode 100644
> >> index 000000000000..b1ee45b77731
> >> --- /dev/null
> >> +++ b/security/integrity/platform_certs/mok_keyring.c
> >> @@ -0,0 +1,21 @@
> >> +// SPDX-License-Identifier: GPL-2.0
> >> +/*
> >> + * MOK keyring routines.
> >> + *
> >> + * Copyright (c) 2021, Oracle and/or its affiliates.
> >> + */
> >> +
> >> +#include "../integrity.h"
> >> +
> >> +static __init int mok_keyring_init(void)
> >> +{
> >> + int rc;
> >> +
> >> + rc = integrity_init_keyring(INTEGRITY_KEYRING_MOK);
> >> + if (rc)
> >> + return rc;
> >> +
> >> + pr_notice("MOK Keyring initialized\n");
> >> + return 0;
> >> +}
> >> +device_initcall(mok_keyring_init);
> >
> > The ordering of the patches in this patch set is not quite
> > right.
>
> I will work on reordering the patches in the next round.
>
> > Please first introduce the new keyring with the new Kconfig,
> > new restriction, and loading the keys onto the new keyring. Introduce
> > the builitin_secondary_and_ca_trusted restriction and linking the new
> > keyring to the secondary keyring. Only after everything is in place,
> > define and use the UEFI mok variable(s).
> >
> > Originally, I asked you to "Separate each **logical change** into a
> > separate patch." After re-ordering the patches, see if merging some of
> > them together now makes sense.
>
> I’ll see if merging some of them together makes sense.
>
> With the new Kconfig option, should the default be 'y' or ’n' when the secondary
> is defined? Thanks.
It definitely needs to be opt in. Please make it 'n'.
Mimi
next prev parent reply other threads:[~2021-08-13 0:36 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-12 2:18 [PATCH v3 00/14] Enroll kernel keys thru MOK Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) Eric Snowberg
2021-08-12 18:58 ` Jarkko Sakkinen
2021-08-12 22:16 ` Eric Snowberg
2021-08-13 18:26 ` Nayna
2021-08-12 21:31 ` Mimi Zohar
2021-08-12 22:36 ` Eric Snowberg
2021-08-13 0:35 ` Mimi Zohar [this message]
2021-08-12 2:18 ` [PATCH v3 02/14] KEYS: CA link restriction Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 03/14] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 04/14] integrity: add add_to_mok_keyring Eric Snowberg
2021-08-12 19:32 ` Jarkko Sakkinen
2021-08-12 22:04 ` Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 05/14] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 06/14] integrity: accessor function to get trust_moklist Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 07/14] integrity: add new keyring handler for mok keys Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 08/14] KEYS: add a reference to mok keyring Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 10/14] KEYS: change link restriction for secondary to also trust mok Eric Snowberg
2021-08-12 19:46 ` Mimi Zohar
2021-08-12 22:10 ` Eric Snowberg
2021-08-12 22:14 ` Mimi Zohar
2021-08-12 2:18 ` [PATCH v3 11/14] KEYS: link secondary_trusted_keys to mok trusted keys Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 12/14] integrity: Do not allow mok keyring updates following init Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 13/14] integrity: store reference to mok keyring Eric Snowberg
2021-08-12 2:18 ` [PATCH v3 14/14] integrity: change ima link restriction to include mok keys Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=119db8a1ed406caf66c793fe8dbfaa439537c086.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=eric.snowberg@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=scott.branden@broadcom.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).