Re: [PATCH 4/4] integrity: CA enforcement in machine keyring
From: Eric Snowberg
Date: Mon Mar 07 2022 - 13:13:27 EST
> On Mar 4, 2022, at 4:19 PM, Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
>
>
> On 3/1/22 12:36, Eric Snowberg wrote:
>> When INTEGRITY_MACHINE_KEYRING is set, all Machine Owner Keys (MOK)
>> are loaded into the machine keyring. Add a new
>> INTEGRITY_MACHINE_KEYRING_CA_ENFORCED option where only MOK CA keys are
>> added.
>>
>> Set the restriction check to restrict_link_by_ca. This will only allow
>> CA keys into the machine keyring. Unlike when INTEGRITY_MACHINE_KEYRING
>> is enabled, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY may
>> also be enabled, allowing IMA to use keys in the machine keyring as
>> another trust anchor.
>
> I tried to test this but could only do it by disabling the MokListTrustedRT variable check and then also the check for secure boot. It did load the expected keys onto the .machine keyring, enforcing the x509 indicating a self-signed CA if the compile time option CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED=y was set, loading all keys in the case of CONFIG_INTEGRITY_MACHINE_KEYRING=y.
>
> I tried with this branch here from mokutils https://github.com/esnowberg/mokutil/tree/trust-mok but this seems to create an EFI variable with a different name. I guess this is the wrong branch?
Thanks for testing. During the shim review, Peter requested an EFI variable name
change. This did not impact anything in the kernel. However it did impact mokutil.
The necessary mokutil changes are available in this pull request:
https://github.com/lcp/mokutil/pull/49