Re: [RFC PATCH 00/15] KEYS: Restrict additions to 'trusted' keyrings

From: David Howells
Date: Mon Jan 11 2016 - 19:37:17 EST

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > The kernel may add implicitly trusted keys to a trusted-only keyring by
> > asserting KEY_ALLOC_BYPASS_RESTRICTION when the key is created, but
> > otherwise the key will only be allowed to be added to the keyring if it can
> > be verified. The system trusted keyring is not then special in this sense
> > and other trusted keyrings can be set up that are wholly independent of
> > it.
> In order to have a certificate chain of trust on any of these trusted
> keyrings, the system keyring needs to be special. Even if we permit
> transitive trust, meaning keys on a keyring can be used to validate
> other keys being added to the same keyring, the first key added to a
> trusted keyring needs to be vetted against something. That something
> needs to be the builtin keys on the system keyring.

Note that the KEY_ALLOC_BYPASS_RESTRICTION flag is there to permit built in
keys to be added by the kernel in the first place. It would not be available
to userspace to use.