All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Jan Lübbe" <jlu@pengutronix.de>,
	"Jarkko Sakkinen" <jarkko@kernel.org>,
	"Ahmad Fatoum" <a.fatoum@pengutronix.de>,
	"James Bottomley" <jejb@linux.ibm.com>,
	"David Howells" <dhowells@redhat.com>,
	keyrings@vger.kernel.org, "Sumit Garg" <sumit.garg@linaro.org>
Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, kernel@pengutronix.de
Subject: Re: Migration to trusted keys: sealing user-provided key?
Date: Mon, 08 Feb 2021 16:50:12 -0500	[thread overview]
Message-ID: <9bd1eaab236f095f1dbdc01752c3c6f487f33525.camel@linux.ibm.com> (raw)
In-Reply-To: <b6ee219924e7195070062b6453931595faa640af.camel@pengutronix.de>

On Mon, 2021-02-08 at 15:38 +0100, Jan Lübbe wrote:

> As it seems that this feature would not be appropriate for all use-cases and
> threat models, I wonder if making it optional would be acceptable. Something
> like:
> 
> config TRUSTED_KEYS_IMPORT

To me "IMPORT" implies from a trusted source, which this is not. 
Perhaps "UNSAFE_IMPORT", "DEBUGGING_IMPORT, "DEVELOPMENT_IMPORT", ...

Defining a Kconfig with any of these names and the other changes below,
makes it very clear using predefined key data is not recommended.  My
concern with extending trusted keys to new trust sources is the
implication that the security/integrity is equivalent to the existing
discrete TPM.

>         bool "Allow creating TRUSTED KEYS from existing key material"
>         depends on TRUSTED_KEYS

Missing "default n"

>         help
>           This option adds support for creating new trusted keys from existing 
>           key material supplied by userspace, instead of using random numbers.
>           As with random trusted keys, userspace cannot extract the plain-text 

Once defined, as with random trusted keys, userspace cannot ...

>           key material again and will only ever see encrypted blobs.
>           
>           This option should *only* be enabled for use in a trusted
>           environment (such as during debugging/development or in a secured
>           factory). Also, consider using 'keyctl padd' instead of 'keyctl add' 

Even the "secured factory" is not a good idea.  Please limit the usage
to debugging/development.

>           to avoid exposing the plain-text key on the process command line.
> 
>           If you are unsure as to whether this is required, answer N.

The above would be fine.

thanks,

Mimi


  reply	other threads:[~2021-02-08 21:51 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-28 17:31 Migration to trusted keys: sealing user-provided key? Ahmad Fatoum
2021-01-30 17:53 ` Jarkko Sakkinen
2021-01-30 18:07   ` James Bottomley
2021-01-31 12:09   ` Mimi Zohar
2021-01-31 14:14     ` Jan Lübbe
2021-01-31 18:09       ` James Bottomley
2021-02-02 12:15         ` Sumit Garg
2021-02-02 12:34           ` Jan Lübbe
2021-02-03 11:50             ` Sumit Garg
2021-02-03 13:46               ` Jan Lübbe
2021-02-04  5:30                 ` Sumit Garg
     [not found]       ` <d4eeefa0c13395e91850630e22d0d9e3690f43ac.camel@linux.ibm.com>
2021-02-01 15:31         ` Jan Lübbe
2021-02-01 16:11           ` Mimi Zohar
2021-02-01 16:38             ` Jan Lübbe
2021-02-01 19:46               ` Mimi Zohar
2021-02-08 14:38                 ` Jan Lübbe
2021-02-08 21:50                   ` Mimi Zohar [this message]
2021-02-09  7:16                     ` Jan Lübbe
2021-02-01 11:36     ` David Howells
2021-02-01 15:50       ` Jan Lübbe
2021-02-01 17:04       ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9bd1eaab236f095f1dbdc01752c3c6f487f33525.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=a.fatoum@pengutronix.de \
    --cc=dhowells@redhat.com \
    --cc=jarkko@kernel.org \
    --cc=jejb@linux.ibm.com \
    --cc=jlu@pengutronix.de \
    --cc=kernel@pengutronix.de \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=sumit.garg@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.