Re: How to add additional blacklist entries?

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
	petkan@mip-labs.com, linux-kernel@vger.kernel.org
Subject: Re: How to add additional blacklist entries?
Date: Mon, 08 Feb 2016 14:28:02 -0500	[thread overview]
Message-ID: <1454959682.3037.22.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <6781.1454949802@warthog.procyon.org.uk>

On Mon, 2016-02-08 at 16:43 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > > > Right, this patch makes the system blacklist keyring writable by
> > > > userspace and removes the IMA blacklist.  What I don't understand is how
> > > > to add a key that is currently on the IMA keyring to the system
> > > > blacklist? 
> > > 
> > > You can do this from userspace with "keyctl link".  Admittedly, this
> > > attaches the entire key to the blacklist keyring, not just the ID.  But
> > > that's basically what you're doing at the moment, right.
> > 
> > Does this imply that the key already has to be loaded onto a keyring in
> > order to link it to the blacklist?   Currently the key doesn't need to
> > be on the IMA keyring in order for it to be black listed.  The cert can
> > be verified, that it is signed by a key on the system trusted (or
> > ima_mok) keyring(s), before directly being added to the IMA blacklist
> > keyring.
> 
> You can link from any key you have LINK permission on.  Further, add_key() can
> add directly.

Oh, for some reason I thought the system blacklist keyring was limited
to the new key type with just a description.   I was able to add, but
also remove a key from the system blacklist.   I guess the KEY_FLAG_KEEP
is not set on the system blacklist.

> > > To simply list the SKID of the key you want to blacklist, another patch
> > > will be required, but the question is as to what the interface should look
> > > like.
> > > 
> > > Let's start at the beginning.  First of all, let me ask the following:
> > > 
> > >  (1) How is the key-to-be-blacklisted specified?  A copy of the X.509 cert
> > >      to be blocked?  A signed list of SKIDs to be blocked?  A CRL?
> > 
> > Similar to the TBScertificate hash list, there should be support for a
> > SKIDs list, either in the same file or separately.
> 
> Separately probably makes sense - and marking the blacklist keys with
> something that says what is to be checked.
> 
> > >  (2) How is the blacklist addition to be verified?
> > 
> > As I recall without going back and looking at the patches, you've
> > defined a new key type for just the TBScertficate hash without a
> > payload.
> 
> Sort of.  It carries a hash string as a description.  One of the patches
> matches this with the X.509 TBScertficate hash.  I should look at adding
> another patch to check the PE file content hash for kexec also.
> 
> > Is it possible to do the equivalent for SKIDs?
> 
> Yes.
> 
> > In both cases, these new key type(s) would need to be signed by a key on the
> > system keyring (now called the builtin keyring) for it to be added to the
> > blacklist.
> 
> I think you may have misunderstood the point of the question.  Assuming we're
> loading a SKID list from userspace, how do we validate the list?  Is it
> wrapped in an X.509 cert, a PKCS#7 message or is it a binary blob with an
> associated signature?

The keys being added to the IMA keyring are signed x509 certs (eg.
openssl ca -ss_cert).  It would be nice to be able to include the skid
in the description, without a payload, and sign that.  I have no idea if
that Is possible or if it makes sense.  I'm open to suggestions.

> Or are you proposing the SKID list be built into the kernel at compile time
> and not modifiable at runtime?

No, we definitely want to be able to blacklist keys at run time.

Mimi