From: Eric Snowberg <eric.snowberg@oracle.com>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"paul@paul-moore.com" <paul@paul-moore.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"serge@hallyn.com" <serge@hallyn.com>,
"pvorel@suse.cz" <pvorel@suse.cz>,
"tadeusz.struk@intel.com" <tadeusz.struk@intel.com>,
Kanth Ghatraju <kanth.ghatraju@oracle.com>,
Konrad Wilk <konrad.wilk@oracle.com>,
Elaine Palmer <erpalmer@linux.vnet.ibm.com>,
Coiby Xu <coxu@redhat.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Tue, 14 Feb 2023 21:24:53 +0000 [thread overview]
Message-ID: <8724445E-5D0B-4A44-935A-1DCA3AC4D7AA@oracle.com> (raw)
In-Reply-To: <Y+nszt7I9rGem1az@kernel.org>
> On Feb 13, 2023, at 12:54 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
>
> On Fri, Feb 10, 2023 at 08:05:22AM -0500, Mimi Zohar wrote:
>> Hi Eric,
>>
>> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
>>> Add a machine keyring CA restriction menu option to control the type of
>>> keys that may be added to it. The options include none, min and max
>>> restrictions.
>>>
>>> When no restrictions are selected, all Machine Owner Keys (MOK) are added
>>> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
>>> selected, the CA bit must be true. Also the key usage must contain
>>> keyCertSign, any other usage field may be set as well.
>>>
>>> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
>>> be true. Also the key usage must contain keyCertSign and the
>>> digitialSignature usage may not be set.
>>>
>>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>>
>> Missing from the patch description is the motivation for this change.
>> The choices none, min, max implies a progression, which is good, and
>> the technical differences between the choices, but not the reason.
>>
>> The motivation, at least from my perspective, is separation of
>> certificate signing from code signing keys, where "none" is no
>> separation and "max" being total separation of keys based on usage.
>>
>> Subsequent work, as discussed in the cover letter thread, will limit
>> certificates being loaded onto the IMA keyring to code signing keys
>> used for signature verification.
>
>
> It would be more robust just to have two binary options for CA bit and
> keyCertSign. You can use "select" for setting keyCertSign, when CA bit
> option is selected.
Ok, I will make that change in the next round, thanks.
next prev parent reply other threads:[~2023-02-14 21:26 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-07 2:59 [PATCH v4 0/6] Add CA enforcement keyring restrictions Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2023-02-10 3:39 ` Jarkko Sakkinen
2023-02-10 22:38 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 2/6] KEYS: Add missing function documentation Eric Snowberg
2023-02-08 21:48 ` Mimi Zohar
2023-02-10 3:40 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2023-02-08 21:01 ` Mimi Zohar
2023-02-10 3:46 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 4/6] KEYS: X.509: Parse Key Usage Eric Snowberg
2023-02-08 21:02 ` Mimi Zohar
2023-02-10 3:48 ` Jarkko Sakkinen
2023-02-10 22:39 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 5/6] KEYS: CA link restriction Eric Snowberg
2023-02-09 2:55 ` Mimi Zohar
2023-02-07 2:59 ` [PATCH v4 6/6] integrity: machine keyring CA configuration Eric Snowberg
2023-02-10 13:05 ` Mimi Zohar
2023-02-10 22:42 ` Eric Snowberg
2023-02-13 7:54 ` Jarkko Sakkinen
2023-02-14 21:24 ` Eric Snowberg [this message]
2023-02-08 12:38 ` [PATCH v4 0/6] Add CA enforcement keyring restrictions Mimi Zohar
2023-02-08 23:26 ` Eric Snowberg
2023-02-09 2:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8724445E-5D0B-4A44-935A-1DCA3AC4D7AA@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=coxu@redhat.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=erpalmer@linux.vnet.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=serge@hallyn.com \
--cc=tadeusz.struk@intel.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).