Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]
From: Mimi Zohar
Date: Tue Mar 08 2016 - 11:15:35 EST
On Tue, 2016-03-08 at 15:32 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > > The problem boils down to a difficulty in concocting a name that describes a
> > > complex situation that may change depending on the configuration. I can make
> > > it "restrict_link_by_any_system_trusted" if you'd prefer.
> > >
> > > That's why I want "system trusted keyrings" to refer to the builtin and the
> > > secondary - *and* an extra UEFI keyring if we grow one of those. It's a
> > > collection of related keyrings.
> > Sigh, this is the same discussion we've had for years.
> No, it isn't.
> > The UEFI keys should not be trusted to validate the certificates being added
> > to the IMA keyring.
> A machine-security (e.g. UEFI) keyring will conceivably live in
> certs/system_keyring.c and only be enabled if CONFIG_SYSTEM_TRUSTED_KEYRINGS=y
> and, say, CONFIG_MACHINE_TRUSTED_KEYRING=y. I didn't say that IMA necessarily
> has to use it.
> What we need to do is define a set of functions allow IMA to get the
> restrictions it wants, depending on configuration. In the code I currently
> have, I think we have those:
By renaming the system keyring to builtin, this is where it becomes
unclear what is included by restrict_link_by_system_trusted - builtin
and secondary, or builtin, secondary, and UEFI.
> If you really want, I can add a restrict_link_for_ima in there, but I'd rather
> not if IMA can use whichever of the above three most suits it. How about:
Option 3 - "restrict_link_by_builtin_or_secondary_trusted" is a bit
wordy, but there wouldn't be any confusion.
> > Neither should the keys on the secondary keyring, unless specifically IMA
> > Kconfig enabled, be used to validate the certificates being added to the IMA
> > keyring.