Re: How to add additional blacklist entries?

From: David Howells
Date: Mon Feb 08 2016 - 11:43:32 EST

Next message: Suganath prabu Subramani: "[mpt3sas driver V1 6/10] mpt3sas: Added smp_affinity_enable module parameter."
Previous message: Paolo Bonzini: "Re: [PATCH 1/2] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset"
In reply to: Mimi Zohar: "Re: How to add additional blacklist entries?"
Next in thread: Mimi Zohar: "Re: How to add additional blacklist entries?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > > Right, this patch makes the system blacklist keyring writable by
> > > userspace and removes the IMA blacklist. What I don't understand is how
> > > to add a key that is currently on the IMA keyring to the system
> > > blacklist?
> >
> > You can do this from userspace with "keyctl link". Admittedly, this
> > attaches the entire key to the blacklist keyring, not just the ID. But
> > that's basically what you're doing at the moment, right.
>
> Does this imply that the key already has to be loaded onto a keyring in
> order to link it to the blacklist? Currently the key doesn't need to
> be on the IMA keyring in order for it to be black listed. The cert can
> be verified, that it is signed by a key on the system trusted (or
> ima_mok) keyring(s), before directly being added to the IMA blacklist
> keyring.

You can link from any key you have LINK permission on. Further, add_key() can
add directly.

> > To simply list the SKID of the key you want to blacklist, another patch
> > will be required, but the question is as to what the interface should look
> > like.
> >
> > Let's start at the beginning. First of all, let me ask the following:
> >
> > (1) How is the key-to-be-blacklisted specified? A copy of the X.509 cert
> > to be blocked? A signed list of SKIDs to be blocked? A CRL?
>
> Similar to the TBScertificate hash list, there should be support for a
> SKIDs list, either in the same file or separately.

Separately probably makes sense - and marking the blacklist keys with
something that says what is to be checked.

> > (2) How is the blacklist addition to be verified?
>
> As I recall without going back and looking at the patches, you've
> defined a new key type for just the TBScertficate hash without a
> payload.

Sort of. It carries a hash string as a description. One of the patches
matches this with the X.509 TBScertficate hash. I should look at adding
another patch to check the PE file content hash for kexec also.

> Is it possible to do the equivalent for SKIDs?

Yes.

> In both cases, these new key type(s) would need to be signed by a key on the
> system keyring (now called the builtin keyring) for it to be added to the
> blacklist.

I think you may have misunderstood the point of the question. Assuming we're
loading a SKID list from userspace, how do we validate the list? Is it
wrapped in an X.509 cert, a PKCS#7 message or is it a binary blob with an
associated signature?

Or are you proposing the SKID list be built into the kernel at compile time
and not modifiable at runtime?

David

Next message: Suganath prabu Subramani: "[mpt3sas driver V1 6/10] mpt3sas: Added smp_affinity_enable module parameter."
Previous message: Paolo Bonzini: "Re: [PATCH 1/2] KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset"
In reply to: Mimi Zohar: "Re: How to add additional blacklist entries?"
Next in thread: Mimi Zohar: "Re: How to add additional blacklist entries?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]