Re: [PATCH 3/4] KEYS: validate key trust only with selected owner key
From: Mimi Zohar
Date: Thu Jun 12 2014 - 13:17:20 EST
On Thu, 2014-06-12 at 13:00 -0400, Vivek Goyal wrote:
> On Thu, Jun 12, 2014 at 12:55:26PM -0400, Mimi Zohar wrote:
> > On Thu, 2014-06-12 at 12:03 -0400, Vivek Goyal wrote:
> > > On Tue, Jun 10, 2014 at 11:48:17AM +0300, Dmitry Kasatkin wrote:
> > > > This patch provides kernel parameter to specify owner's key id which
> > > > must be used for trust validate of keys. Keys signed with other keys
> > > > are not trusted.
> > > >
> > > > Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
> > >
> > > Hi,
> > >
> > > I am continuing to work on verifying kernel signature for kexec/kdump. I
> > > am planning to take david howell's patches for pkcs7 signature
> > > verification and verify bzImage signature.
> > >
> > > Part of that process will boil down to verifying a certificate in
> > > pkcs7 x509 cert chain using a key in system_trusted_keyring.
> > >
> > > I think the OS vendor key which signs the kernel signing key propagates to
> > > system_trusted_keyring. (shim has that and I am not sure how shim makes
> > > it propogate all they way to system_trusted_keyring).
> >
> > The shim patches are here
> > http://pkgs.fedoraproject.org/cgit/kernel.git/tree/modsign-uefi.patch
> >
> > > So I was planning to use same functionality where I look for any key
> > > which can verify the signing cert of kernel. As OS vendor key will be
> > > in system_trusted_keyring, it should work.
> > >
> > > Now with this change where you will trust only one selected owner key.
> > > That means you will not even trust the OS vendor key which signs kernel
> > > signing key. I think this will stop working with keys_ownerid=<....>
> > >
> > > As I am doing that work in parallel and I saw these patches, I thought
> > > I will bring it up.
> >
> > Right, the current discussion is whether we need an owner trusted
> > keyring or if just one key was enough. Thanks for chiming in.
> >
> > The other option would be to sign the bzImage file creating a
> > 'security.ima' extended attribute and verifying it. Have you created a
> > security kexec hook?
>
> No, I have not created another hook. As bzImage is already signed it is
> much simpler to verify same signature instead of carrying another set
> of detached signatures and key management etc.
Fin (cc'ed) has patches that include the file signatures in the RPM
header and installs them. There wouldn't be any need for a separate
detached signature.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/