Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

From: David Howells
Date: Tue Jan 12 2016 - 12:08:51 EST


Petko Manolov <petkan@xxxxxxxxxxxx> wrote:

> There is no need for .ima_mok if here is .mok, which should be system wide
> keyring. I'm trying to say that once we have .mok (you're more than welcome
> to suggest better name) we'll get rid of .ima_mok.

If we really must have separate keyrings - and I still don't see that it's
necessary - then maybe:

.builtin_trusted_keys (RO)
.secondarily_trusted_keys (RW).

I'd prefer to avoid "mok" as that might be misconstrued in a UEFI system.

> I still see value in immutable system keyring. Being able to reboot to a
> known state is only one of the reasons.

I'm not sure what you mean. Changes to .system_keyring would not be
persistent across reboot.

> The other is the ultimate trust one should have in .system...

Do you have a use case where you would use an immutable set of keys
exclusively?

> > The one thing I grant that enabling the .system keyring will allow is
> > deletion of trusted keys - and once you've deleted them, you can't
> > necessarily get them back without rebooting.
>
> Can't we incorporate this functionality in .blacklist and avoid rebooting.

I think you misunderstood. Once you've discarded a builtin keyring you cannot
get it back without rebooting (unless you hold another trusted key that signed
it). Once you blacklist a builtin keyring you cannot get it back without
rebooting (unless you can remove things from a blacklist).

Clearing .system_keyring would be equivalent to blacklisting all the keys held
therein. However, I presume you would have it that you cannot add to
.blacklist unless your bundle of keys to be blacklisted is appropriately
signed.

> > And why can't .system be a dynamic keyring?
>
> Because this makes me uneasy. What are we saving? A few pages of memory?..

A key struct and some associative array metadata plus the cost of looking up
in a second keyring.

I'm not sure why it makes you any more uneasy than having .ima_mok at all.
However, if it makes you able to sleep at night (;-)), and you're willing to
accept modification of the trust model along the lines of the patchset I
posted (which will need a couple of alterations) and move the new trust
keyring and blacklist keyring to the core, then okay, we can do that.

> I don't mind linking in general as long as the permission check is
> supplementary to the keys CA hierarchy verification.

Which it currently isn't really. As things stand, the CA hierarchy
verification takes place once at key creation and is assumed applicable to all
trusted keyrings thereafter. KEY_FLAG_TRUSTED_ONLY was only really supposed
to apply to the system keyring.

David