Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

From: Mimi Zohar
Date: Tue Mar 08 2016 - 10:09:41 EST


On Tue, 2016-03-08 at 14:43 +0000, David Howells wrote:
> The problem boils down to a difficulty in concocting a name that describes a
> complex situation that may change depending on the configuration. I can make
> it "restrict_link_by_any_system_trusted" if you'd prefer.
>
> That's why I want "system trusted keyrings" to refer to the builtin and the
> secondary - *and* an extra UEFI keyring if we grow one of those. It's a
> collection of related keyrings.

Sigh, this is the same discussion we've had for years. The UEFI keys
should not be trusted to validate the certificates being added to the
IMA keyring. Neither should the keys on the secondary keyring, unless
specifically IMA Kconfig enabled, be used to validate the certificates
being added to the IMA keyring. Just because the UEFI keys or the
secondary keyring is enabled, doesn't mean that certificates signed by a
key on either of those keyrings, should be added to the IMA keyring.

The machine/system owner should control which keys can be used to verify
certificates being added to the IMA keyring.

Mimi