Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only

From: Matthew Garrett
Date: Wed Jun 11 2014 - 11:21:17 EST


On Wed, Jun 11, 2014 at 08:30:20AM -0400, Mimi Zohar wrote:
> On Wed, 2014-06-11 at 04:23 +0100, Matthew Garrett wrote:
> > Yes. Wouldn't having a mechanism to allow userspace to drop keys that
> > have otherwise been imported be a generally useful solution to the issue
> > you have with that?
>
> There are issues removing a key from both the local system(eg. cache,
> running apps) and the attestation server (eg. ima-sig template
> verification) perspectives. We would need to address these concerns
> before supporting key removal.

For your use-case you'd want to do this before running any significant
quantity of userspace. The firmware keys are going to be hashed into PCR
7, so they're already part of your attestation.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/