From: Jarkko Sakkinen <jarkko@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
tadeusz.struk@intel.com, kanth.ghatraju@oracle.com,
konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com,
coxu@redhat.com, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Mon, 13 Feb 2023 09:54:54 +0200 [thread overview]
Message-ID: <Y+nszt7I9rGem1az@kernel.org> (raw)
In-Reply-To: <4bda209dfc891ac9044ce847785c383e89f14f97.camel@linux.ibm.com>
On Fri, Feb 10, 2023 at 08:05:22AM -0500, Mimi Zohar wrote:
> Hi Eric,
>
> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
> > Add a machine keyring CA restriction menu option to control the type of
> > keys that may be added to it. The options include none, min and max
> > restrictions.
> >
> > When no restrictions are selected, all Machine Owner Keys (MOK) are added
> > to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
> > selected, the CA bit must be true. Also the key usage must contain
> > keyCertSign, any other usage field may be set as well.
> >
> > When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> > be true. Also the key usage must contain keyCertSign and the
> > digitialSignature usage may not be set.
> >
> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>
> Missing from the patch description is the motivation for this change.
> The choices none, min, max implies a progression, which is good, and
> the technical differences between the choices, but not the reason.
>
> The motivation, at least from my perspective, is separation of
> certificate signing from code signing keys, where "none" is no
> separation and "max" being total separation of keys based on usage.
>
> Subsequent work, as discussed in the cover letter thread, will limit
> certificates being loaded onto the IMA keyring to code signing keys
> used for signature verification.
It would be more robust just to have two binary options for CA bit and
keyCertSign. You can use "select" for setting keyCertSign, when CA bit
option is selected.
BR, Jarkko
next prev parent reply other threads:[~2023-02-13 7:55 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-07 2:59 [PATCH v4 0/6] Add CA enforcement keyring restrictions Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2023-02-10 3:39 ` Jarkko Sakkinen
2023-02-10 22:38 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 2/6] KEYS: Add missing function documentation Eric Snowberg
2023-02-08 21:48 ` Mimi Zohar
2023-02-10 3:40 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2023-02-08 21:01 ` Mimi Zohar
2023-02-10 3:46 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 4/6] KEYS: X.509: Parse Key Usage Eric Snowberg
2023-02-08 21:02 ` Mimi Zohar
2023-02-10 3:48 ` Jarkko Sakkinen
2023-02-10 22:39 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 5/6] KEYS: CA link restriction Eric Snowberg
2023-02-09 2:55 ` Mimi Zohar
2023-02-07 2:59 ` [PATCH v4 6/6] integrity: machine keyring CA configuration Eric Snowberg
2023-02-10 13:05 ` Mimi Zohar
2023-02-10 22:42 ` Eric Snowberg
2023-02-13 7:54 ` Jarkko Sakkinen [this message]
2023-02-14 21:24 ` Eric Snowberg
2023-02-08 12:38 ` [PATCH v4 0/6] Add CA enforcement keyring restrictions Mimi Zohar
2023-02-08 23:26 ` Eric Snowberg
2023-02-09 2:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y+nszt7I9rGem1az@kernel.org \
--to=jarkko@kernel.org \
--cc=coxu@redhat.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=erpalmer@linux.vnet.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=serge@hallyn.com \
--cc=tadeusz.struk@intel.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).