Re: How to add additional blacklist entries?

From: Mimi Zohar
Date: Mon Feb 08 2016 - 11:34:29 EST


On Mon, 2016-02-08 at 15:53 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > Right, this patch makes the system blacklist keyring writable by
> > userspace and removes the IMA blacklist. What I don't understand is how
> > to add a key that is currently on the IMA keyring to the system
> > blacklist?
>
> You can do this from userspace with "keyctl link". Admittedly, this attaches
> the entire key to the blacklist keyring, not just the ID. But that's
> basically what you're doing at the moment, right?

Does this imply that the key already has to be loaded onto a keyring in
order to link it to the blacklist? Currently the key doesn't need to
be on the IMA keyring in order for it to be blacklisted. The cert can
be verified, that it is signed by a key on the system trusted (or
ima_mok) keyring(s), before directly being added to the IMA blacklist
keyring.

> To simply list the SKID of the key you want to blacklist, another patch will
> be required, but the question is as to what the interface should look like.
>
> Let's start at the beginning. First of all, let me ask the following:
>
> (1) How is the key-to-be-blacklisted specified? A copy of the X.509 cert to
> be blocked? A signed list of SKIDs to be blocked? A CRL?

Similar to the TBSCertificate hash list, there should be support for a
SKIDs list, either in the same file or separately.

> (2) How is the blacklist addition to be verified?

As I recall, without going back and looking at the patches, you've
defined a new key type for just the TBSCertificate hash without a
payload. Is it possible to do the equivalent for SKIDs? In both cases,
these new key type(s) would need to be signed by a key on the system
keyring (now called the builtin keyring) for it to be added to the
blacklist.

Mimi
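The two identifiers the thread contrasts, a hash of the TBSCertificate and a SubjectKeyIdentifier, can both be derived from a DER certificate without trusting any of its signature bytes. The following is an added example, not code from this thread, from the kernel, or from the patches under discussion: a minimal pure-Python DER walker that pulls out the TBSCertificate element (tag and length included, since that is what the signature covers), hashes it, finds the SKID extension (OID 2.5.29.14), and matches a certificate against a hash list and a SKID list. The sample certificate is constructed inline with the same encoder and is unsigned; the choice of SHA-256 for the TBS hash is an assumption made here, since the kernel uses the digest named by the certificate's own signature algorithm.

```python
"""Derive blacklist identifiers from a DER-encoded X.509 certificate:
the hash of the TBSCertificate and the SubjectKeyIdentifier (SKID).
Only the DER constructs needed here are handled (single-byte tags,
definite lengths)."""
import hashlib

SKID_OID = "2.5.29.14"
SHA256_RSA_OID = "1.2.840.113549.1.1.11"


def der_len(n):
    """DER definite-form length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    parts = [content[0] // 40, content[0] % 40]
    v = 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def read_tlv(buf, pos=0):
    """Return (tag, value, end_offset) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def iter_children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v


def tbs_bytes(cert_der):
    """Full tbsCertificate element, tag and length included: the bytes the
    signature covers and the bytes a TBS-hash blacklist entry identifies."""
    _, cert, _ = read_tlv(cert_der)
    _, _, end = read_tlv(cert)
    return cert[:end]


def tbs_hash(cert_der):
    # Assumption: SHA-256. The kernel uses the digest named by the
    # certificate's own signature algorithm.
    return hashlib.sha256(tbs_bytes(cert_der)).hexdigest()


def subject_key_id(cert_der):
    """Hex SKID from the extensions, or None if the cert carries none."""
    _, tbs, _ = read_tlv(tbs_bytes(cert_der))
    for tag, v in iter_children(tbs):
        if tag == 0xA3:                       # [3] EXPLICIT Extensions
            _, exts, _ = read_tlv(v)          # SEQUENCE OF Extension
            for _, ext in iter_children(exts):
                fields = list(iter_children(ext))   # extnID, [critical], extnValue
                if decode_oid(fields[0][1]) == SKID_OID:
                    _, key_id, _ = read_tlv(fields[-1][1])  # OCTET STRING in extnValue
                    return key_id.hex()
    return None


def is_blacklisted(cert_der, tbs_hashes, skids):
    """Match a certificate against a TBS-hash list and a SKID list."""
    return tbs_hash(cert_der) in tbs_hashes or subject_key_id(cert_der) in skids


def build_sample_cert(key_id, serial=b"\x01"):
    """Constructed, unsigned, certificate-shaped DER for demonstration only."""
    validity = tlv(0x17, b"160208000000Z")
    skid_ext = tlv(0x30, oid(SKID_OID) + tlv(0x04, tlv(0x04, key_id)))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))        # version v3
              + tlv(0x02, serial)                  # serialNumber
              + tlv(0x30, oid(SHA256_RSA_OID))     # signature algorithm
              + tlv(0x30, b"")                     # issuer (empty Name)
              + tlv(0x30, validity + validity)     # validity
              + tlv(0x30, b"")                     # subject (empty Name)
              + tlv(0x30, b"")                     # subjectPublicKeyInfo placeholder
              + tlv(0xA3, tlv(0x30, skid_ext)))    # extensions
    sig_alg = tlv(0x30, oid(SHA256_RSA_OID))
    sig_value = tlv(0x03, b"\x00" + b"\xAA" * 4)   # dummy BIT STRING
    return tlv(0x30, tbs + sig_alg + sig_value)


SAMPLE_KEY_ID = bytes(range(1, 21))               # constructed 20-byte key id
SAMPLE_CERT = build_sample_cert(SAMPLE_KEY_ID)

if __name__ == "__main__":
    print("tbs sha256:", tbs_hash(SAMPLE_CERT))
    print("skid:", subject_key_id(SAMPLE_CERT))
```

The point worth noticing is which bytes each identifier depends on: flipping bytes in the signatureValue leaves the TBS hash unchanged, while any change inside the TBSCertificate (serial, subject, extensions) produces a different hash, so a TBS-hash entry pins one exact certificate, whereas a SKID entry blocks every certificate that carries that key identifier regardless of who signed it.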