Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

From: David Howells
Date: Tue Jan 12 2016 - 05:08:52 EST

Next message: tip-bot for Wang Nan: "[tip:perf/urgent] perf tools: Add -lutil in python lib list for broken python-config"
Previous message: Jan Stancek: "[PATCH] perf tests: objdump output can contain multi byte chunks"
In reply to: Mimi Zohar: "Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring"
Next in thread: Mimi Zohar: "Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> The IMA MOK and blacklist are restricted to "public_key_restrict_link".
> Does this only allow keys signed by keys on the respective keyring or
> also by the system keyring?

As my patches stand, the following are implemented:

(1) public_key_restrict_link() restricts to asymmetric keys that are signed
by a CA in the specified keyring. It returns -ENOKEY if no matching key
is found rather than -EKEYREJECTED, however, so you can call it several
times for different keyrings. -EKEYREJECTED is only returned if a
signature check fails. This is used by the following two functions.

(2) restrict_link_by_system_trusted() restricts to asymmetric keys that are
signed by a CA in the system keyring. This ignores the keyring argument
it is given.

Note that the system_trusted_keyring is then no longer exported because
verify_pkcs7_signature() is also in certs/system_keyring.c and uses that
by default if NULL is passed.

(3) restrict_link_by_ima_mok() restricts to asymmetric keys signed by a CA in
either .system_keyring or .ima_mok.

So the trusted keyrings are then restricted as follows:

(1) .system_keyring uses restrict_link_by_system_trusted() - though it lacks
any sort of write permission, so it's currently moot. It could just as
well be replaced with a function that just returns -EPERM.

(2) .ima_mok should be using restrict_link_by_system_trusted(), but I failed
to update this when I split the public_key_restrict_link() function.
I've updated this in my patch. This would then be correct according to
Petko's commit log:

To successfully import a key into .ima_mok it must be signed by a
key which CA is in .system keyring.

However, from what Petko says, this is wrong and it should instead be
using restrict_link_by_ima_mok().

(3) .ima_blacklist should be using restrict_link_by_system_trusted() also.
I've no idea whether additions to this should be permitted by keys in
.ima_mok also.

(4) .ima uses restrict_link_by_ima_mok(), as per:

On turn any key that needs to go in .ima keyring must be signed by CA
in either .system or .ima_mok keyrings.

(5) .evm is not restricted by my patches. This is a mistake on my part - but
I'm not sure what the restriction actually needs to be as it's not
mentioned in Petko's commit message. Presumably it needs the same as
.ima.

David

Next message: tip-bot for Wang Nan: "[tip:perf/urgent] perf tools: Add -lutil in python lib list for broken python-config"
Previous message: Jan Stancek: "[PATCH] perf tests: objdump output can contain multi byte chunks"
In reply to: Mimi Zohar: "Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring"
Next in thread: Mimi Zohar: "Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]