Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]
From: Mimi Zohar
Date: Mon Feb 08 2016 - 08:35:39 EST
On Wed, 2016-02-03 at 15:27 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > > (3) The ability to configure a list of blacklisted hashes into the kernel
> > > at build time. This is done by setting
> > > CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
> > > that are in the form:
> > >
> > > "<hash>", "<hash>", ..., "<hash>"
> > >
> > > where each <hash> is a hex string representation of the hash and must
> > > include all necessary leading zeros to pad the hash to the right size.
> >
> > Is the output of "keyctl print" the hex string representation?
>
> No, there is no payload and no read method. "keyctl desc" will return the hex
> string representation.
>
> > Update keys documentation?
>
> Not a bad idea, but it should probably go in a separate document, along with
> info about asymmetric keys.
>
> > > The blacklist cannot currently be modified by userspace, but it will be
> > > possible to load it, for example, from the UEFI blacklist database.
> >
> > When loading the UEFI blacklist database is enabled, it should be
> > configurable.
>
> Probably. That patch isn't added yet though.
>
> > > In the future, it should also be made possible to load blacklisted
> > > asymmetric keys in here too.
> >
> > Please update to reflect patch 3/20 "X.509: Allow X.509 certs to be
> > blacklisted" adds this support.
>
> Changed to:
>
> A later commit will make it possible to load blacklisted asymmetric
> keys in here too.
As you said, only the kernel can load keys on the blacklist, not
userspace, and the patch for loading the UEFI blacklist keys on the
system blacklist keyring is not included in this patch set, wouldn't it
be better to separate the concept of a general blacklist keyring from
the concept of trust? In addition, this patch set removes the IMA
blacklist without any method for adding blacklisted IMA keys to the
system blacklist keyring. I suggest a separate blacklist patch set
that adds support: for a system blacklist keyring, different types of
keys being black listed, allow userspace to load blacklisted keys on the
system blacklist keyring, convert the ima_blacklist to use the general
system blacklist keyring and, optionally, include the UEFI blacklist
keys on the blacklist keyring.
This patch set would then be limited to "how certificates/keys are
determined to be trusted." By separating out the blacklist keyring from
the issue of trust, you'll have smaller patch sets that can more easily
be reviewed. (Reviewing anything having to do with certificates is
difficult enough.) It would also allow you to upstream the two patch
sets independently of each other.
Mimi