Re: [PATCH 0/4] Add CA enforcement in the machine keyring

From: Mimi Zohar
Date: Sun Mar 06 2022 - 18:34:04 EST


Hi Eric,

On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
> A key added to the IMA keyring must be signed by a key contained in either the
> built-in trusted or secondary trusted keyring. IMA also requires these keys
> to be a CA. The only option for an end-user to add their own CA is to compile
> it into the kernel themselves or to use the insert-sys-cert. Many end-users
> do not want to compile their own kernels. With the insert-sys-cert option,
> there are missing upstream changes.
>
> Currently, all Machine Owner Keys (MOK) load into the machine keyring. Add
> a new Kconfig option to only allow CA keys into the machine keyring. When
> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
> keys will load into the platform keyring instead. This will allow the
> end-user to enroll their own CA key into the machine keyring for use with IMA.

In addition to only loading the MOK CA keys onto the .machine keyring,
the keyUsage should be required and limited to keyCertSign. Certs
with keyUsage of keyCertSign should not be allowed on the IMA keyring.

thanks,

Mimi

>
> These patches are based on Jarkko's linux-tpmdd tree.
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
>
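The placement rule discussed above, written out as an added example that is not part of this thread or of the kernel's keyring code. It takes the reply's wording strictly: a MOK goes onto the .machine keyring only if basicConstraints says cA=TRUE and a keyUsage extension is present whose only asserted bit is keyCertSign; every other MOK is diverted to the .platform keyring; and the .ima keyring refuses any certificate whose keyUsage includes keyCertSign. The names parse_key_usage, parse_basic_constraints, mok_destination, ima_accepts and classify_mok are hypothetical helpers, and the DER extension values are constructed for the example, not taken from any real certificate. The parser handles only the two extension values (not whole certificates) and only short-form DER lengths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * keyUsage bits, RFC 5280 section 4.2.1.3. Bit n of the BIT STRING is the
 * n-th bit from the most significant end, so up to 16 bits fit one value.
 */
#define KU_BIT(n)            (1u << (15 - (n)))
#define KU_DIGITAL_SIGNATURE KU_BIT(0)
#define KU_KEY_CERT_SIGN     KU_BIT(5)
#define KU_CRL_SIGN          KU_BIT(6)

enum keyring { KEYRING_PLATFORM = 0, KEYRING_MACHINE = 1 };

/*
 * Parse a DER keyUsage extension value: 03 <len> <unused-bits> <bits...>.
 * Returns the usage bitmap (KU_* bits) or -1 on malformed input.
 */
int parse_key_usage(const uint8_t *der, size_t len)
{
	if (len < 3 || der[0] != 0x03)
		return -1;
	size_t content_len = der[1];
	/* one unused-bits byte plus at most two bit bytes (keyUsage has 9 bits) */
	if (content_len < 1 || content_len > 3 || content_len + 2 != len)
		return -1;
	unsigned unused = der[2];
	size_t nbytes = content_len - 1;
	if (unused > 7 || (nbytes == 0 && unused != 0))
		return -1;
	unsigned value = 0;
	for (size_t i = 0; i < nbytes; i++)
		value |= (unsigned)der[3 + i] << (8 * (1 - i));
	/* Drop the trailing bits the encoder declared unused (DER requires them zero). */
	if (nbytes == 1)
		value &= (0xffu << unused) << 8;
	else if (nbytes == 2)
		value &= 0xff00u | (0xffu << unused);
	return (int)value;
}

/*
 * Parse a DER basicConstraints value:
 *   SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
 * DER omits cA when FALSE, so "30 00" is a non-CA and "30 03 01 01 ff" is a CA.
 * Returns 1 for a CA, 0 for a non-CA, -1 on malformed input.
 */
int parse_basic_constraints(const uint8_t *der, size_t len)
{
	if (len < 2 || der[0] != 0x30 || (size_t)der[1] + 2 != len)
		return -1;
	return len >= 5 && der[2] == 0x01 && der[3] == 0x01 && der[4] == 0xff;
}

/* Assumed .machine keyring rule: CA, keyUsage present, and keyCertSign is its only bit. */
enum keyring mok_destination(bool is_ca, bool has_key_usage, unsigned usage)
{
	if (is_ca && has_key_usage && usage == KU_KEY_CERT_SIGN)
		return KEYRING_MACHINE;
	return KEYRING_PLATFORM;
}

/* Assumed .ima keyring rule: any cert whose keyUsage includes keyCertSign is refused. */
bool ima_accepts(bool has_key_usage, unsigned usage)
{
	return !(has_key_usage && (usage & KU_KEY_CERT_SIGN));
}

/* Decide where a MOK lands from its raw extension values; bc or ku may be NULL when absent. */
int classify_mok(const uint8_t *bc, size_t bc_len, const uint8_t *ku, size_t ku_len)
{
	int is_ca = bc ? parse_basic_constraints(bc, bc_len) : 0;
	int usage = ku ? parse_key_usage(ku, ku_len) : 0;
	if (is_ca < 0 || usage < 0)
		return -1;
	return mok_destination(is_ca == 1, ku != NULL, (unsigned)usage);
}

/* Constructed sample extension values (not from any real certificate). */
static const uint8_t BC_CA[]       = { 0x30, 0x03, 0x01, 0x01, 0xff };
static const uint8_t BC_NOT_CA[]   = { 0x30, 0x00 };
static const uint8_t KU_CERTSIGN[] = { 0x03, 0x02, 0x02, 0x04 }; /* keyCertSign only */
static const uint8_t KU_CERT_CRL[] = { 0x03, 0x02, 0x01, 0x06 }; /* keyCertSign | cRLSign */
static const uint8_t KU_DIGSIG[]   = { 0x03, 0x02, 0x07, 0x80 }; /* digitalSignature only */

int main(void)
{
	struct sample {
		const char *desc;
		const uint8_t *bc; size_t bc_len;
		const uint8_t *ku; size_t ku_len;
	} samples[] = {
		{ "CA, keyUsage=keyCertSign",          BC_CA,     sizeof BC_CA,     KU_CERTSIGN, sizeof KU_CERTSIGN },
		{ "CA, keyUsage=keyCertSign|cRLSign",  BC_CA,     sizeof BC_CA,     KU_CERT_CRL, sizeof KU_CERT_CRL },
		{ "CA, no keyUsage extension",         BC_CA,     sizeof BC_CA,     NULL,        0 },
		{ "not CA, keyUsage=digitalSignature", BC_NOT_CA, sizeof BC_NOT_CA, KU_DIGSIG,   sizeof KU_DIGSIG },
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		const struct sample *s = &samples[i];
		int dest = classify_mok(s->bc, s->bc_len, s->ku, s->ku_len);
		int usage = s->ku ? parse_key_usage(s->ku, s->ku_len) : 0;
		printf("%-36s -> %s; .ima keyring would %s it\n", s->desc,
		       dest < 0 ? "malformed" : dest == KEYRING_MACHINE ? ".machine" : ".platform",
		       ima_accepts(s->ku != NULL, (unsigned)usage) ? "accept" : "refuse");
	}
	return 0;
}
```

The second sample is the one worth noticing: a CA certificate with keyCertSign plus cRLSign is still a CA, but under the strict "limited to keyCertSign" reading it does not qualify for the .machine keyring, so it falls through to .platform. Whether cRLSign or digitalSignature should also be tolerated is a policy choice this example does not decide.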