Re: [PATCH 0/4] Add CA enforcement in the machine keyring

From: Eric Snowberg
Date: Mon Mar 07 2022 - 13:55:45 EST




> On Mar 6, 2022, at 4:33 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Hi Eric,
>
> On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
>> A key added to the IMA keyring must be signed by a key contained in either the
>> built-in trusted or secondary trusted keyring. IMA also requires these keys
>> to be a CA. The only option for an end-user to add their own CA is to compile
>> it into the kernel themselves or to use the insert-sys-cert. Many end-users
>> do not want to compile their own kernels. With the insert-sys-cert option,
>> there are missing upstream changes.
>>
>> Currently, all Machine Owner Keys (MOK) load into the machine keyring. Add
>> a new Kconfig option to only allow CA keys into the machine keyring. When
>> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non CA
>> keys will load into the platform keyring instead. This will allow the end-
>> user to enroll their own CA key into the machine keyring for use with IMA.
>
> In addition to only loading the MOK CA keys onto the .machine keyring,
> the keyUsage should be required and limited to keyCertSign.

Ok, I’ll add this in the next round.