From: joeyli <jlee@suse.com>
To: Elaine Palmer <erpalmerny@gmail.com>
Cc: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
Dimitri Ledkov <dimitri.ledkov@canonical.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Nayna Jain <nayna@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: keyrings, key usage, and trust models
Date: Wed, 28 Sep 2022 13:59:00 +0800 [thread overview]
Message-ID: <20220928055900.GT4909@linux-l9pv.suse> (raw)
In-Reply-To: <de0b6e61-2f6e-c215-65a9-428c3bf1bfb8@gmail.com>
Hi,
On Wed, Jul 20, 2022 at 02:43:54PM -0400, Elaine Palmer wrote:
>
> At LSS 2022 NA, a recent talk titled, "Establishing Trust
> in Linux Keyrings – Is trust built-in, imputed, or transitive?"[1]
> triggered some discussion, which is best continued here.
>
> Background and current state as of Linux 5.18
> ---------------------------------------------
> To save space, some terms are abbreviated:
>
> Official name abbreviated Origin of trust / who vouches
> ------------- ----------- -----------------------------
> secure boot keys SB keys hardware keys (if present)
> bootloader bootloader SB keys
> kernel signer signer bootloader
> .builtin_trusted_keys builtin kernel signer
> .secondary_trusted_keys secondary builtin & (new in 5.18) machine
> .ima ima builtin & secondary
> .platform platform firmware, SB, MOK
> .machine machine MOK, management system
>
> In simplified story form, hardware keys authorize secure boot keys,
> which authorize the bootloader, which authorizes whoever signs
> the kernel, who authorizes the builtin keys, which (along with
> the machine keys) authorize the secondary keys, which
> (along with builtin) authorize the ima keys.
>
> The firmware, secure boot keys, or machine owner keys (MOK)
> authorize the platform keys. MOK or a management system
> authorizes the machine keys.
>
There is a case where the platform manufacturer is also the machine
ower. Is it possible that they use keys in db as mok?
On the other hand, why kernel only allows keys in db for kexec? Is it
because UEFI spec says db is the signature store only for secure boot?
Thanks a lot!
Joey Lee
prev parent reply other threads:[~2022-09-28 5:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <e3c62f26-861b-57c9-4d86-6af68c3433b0@gmail.com>
2022-07-20 18:43 ` keyrings, key usage, and trust models Elaine Palmer
2022-07-21 22:53 ` Eric Snowberg
2022-09-28 5:59 ` joeyli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220928055900.GT4909@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dimitri.ledkov@canonical.com \
--cc=eric.snowberg@oracle.com \
--cc=erpalmerny@gmail.com \
--cc=gcwilson@linux.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.