Re: [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring

From: Mimi Zohar
Date: Mon Jun 09 2014 - 09:48:24 EST

Next message: Steven Rostedt: "Re: [PATCH ftrace/core V5] ftrace: Introduce saved_cmdlines_size file"
Previous message: B_B_Singh: "[PATCH] firmware loader: allow disabling of udev as firmware loader"
In reply to: Dmitry Kasatkin: "Re: [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring"
Next in thread: Dmitry Kasatkin: "Re: [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2014-06-09 at 16:05 +0300, Dmitry Kasatkin wrote:
> On 09/06/14 15:51, Mimi Zohar wrote:
> > On Mon, 2014-06-09 at 15:13 +0300, Dmitry Kasatkin wrote:
> >> On 03/06/14 20:58, Mimi Zohar wrote:
> >>> Instead of allowing public keys, with certificates signed by any
> >>> key on the system trusted keyring, to be added to a trusted
> >>> keyring, this patch further restricts the certificates to those
> >>> signed by a particular key on the system keyring.
> >>>
> >>> When the UEFI secure boot keys are added to the system keyring, the
> >>> platform owner will be able to load their key in one of the UEFI DBs
> >>> (eg. Machine Owner Key(MOK) list) and select their key, without
> >>> having to rebuild the kernel.
> >>>
> >>> This patch defines an owner trusted keyring, a new boot command
> >>> line option 'keys_ownerid=', and defines a new function
> >>> get_system_or_owner_trusted_keyring().
> >> Hello,
> >>
> >> The functionality of this entire patch can be replaced by only ~2 lines
> >> of code in x509_request_asymmetric_key()
> >>
> >> if (keys_ownerid || strcmp(keys_ownerid, id))
> >> return -EPERM;
> >>
> >> Right?
> > Are you suggesting only add the one matching key to the system keyring?
>
> No. I am not suggesting this.
>
> All built in keys are allocated with KEY_ALLOC_TRUSTED flag and
> prep.trusted is set to "true".
>
> So the following statement has no effect.

Ok, so it has no affect on adding builtin keys to the system keyring.

>
> #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
> ret = x509_validate_trust(cert, system_trusted_keyring);
> if (!ret)
> prep->trusted = 1;
> #endif

The last patch set changes the test to:
ret = x509_validate_trust(cert, get_system_or_owner_trusted_keyring());

> Keys which come from user-space will check for
>
> if (keys_ownerid && strcmp(keys_ownerid, id))
> return -EPERM;
>
>
> So 2 lines patch works fine..

It works based on the assumption, that you would ever only want a single
key on the 'owner' keyring, which is probably not the case.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "Re: [PATCH ftrace/core V5] ftrace: Introduce saved_cmdlines_size file"
Previous message: B_B_Singh: "[PATCH] firmware loader: allow disabling of udev as firmware loader"
In reply to: Dmitry Kasatkin: "Re: [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring"
Next in thread: Dmitry Kasatkin: "Re: [RFC PATCH v5 4/4] KEYS: define an owner trusted keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]