From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: James Morris <jamorris@linuxonhyperv.com>
Subject: Re: IMA: Data included in the key measurement
Date: Thu, 21 Nov 2019 08:38:53 -0800 [thread overview]
Message-ID: <1574354333.3277.27.camel@HansenPartnership.com> (raw)
In-Reply-To: <19242774-688e-58ff-40f8-e346d6ba4339@linux.microsoft.com>
On Thu, 2019-11-21 at 08:17 -0800, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
>
> >>> everything needed for verifying a signature is included in
> >>> the key measurement.
>
> Regarding the requirement you had stated above, I would like some
> clarification.
>
> When I started this change to measure keys through IMA, the use case
> we had in mind was enabling an attestation service, for instance, to
> verify if the client has only known good (trusted) keys - for
> example, in keyrings such as ".builtin_trusted_keys", ".ima", etc.
>
> On the client IMA verifies the signature of system binaries using
> keys in the IMA keyring. And, if the config namely
> CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is
> enabled, only keys signed by a built-in trusted key can be added to
> the IMA keyring.
>
> An attestation service can keep a list of public keys of "known good
> (trusted)" keys for various keyrings, and verify against the
> measurement data provided by the client.
>
> To achieve the above we decided to include only the public key in
> the key measurement buffer.
>
> I would like to know what benefit we'd get by including "everything
> needed for verifying a signature in the key measurement"? X.509
> itself doesn't buy this isomorphism property, which is why the
> subject key id
>
> From testing point of view, if we have the certificate (like the
> .DER file), we can validate the key measurement data in the IMA log.
>
> Do you see a need to include more data or the entire cert for the
> product code?
You're making the assumption that the public key and the certificate
are isomorphic. That's only true if you trust the issuer (which you
obviously do, since it's you [microsoft]) but nothing in X.509 prevents
the issuer from issuing multiple certificates with the same public key
and different properties. Even in your use case, I would think
attesting to whether the certificate had expired or not would be
useful.
James
next prev parent reply other threads:[~2019-11-21 16:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-21 16:17 IMA: Data included in the key measurement Lakshmi Ramasubramanian
2019-11-21 16:38 ` James Bottomley [this message]
2019-11-22 1:15 ` Lakshmi Ramasubramanian
2019-11-22 16:17 ` James Bottomley
2019-11-22 17:39 ` Lakshmi Ramasubramanian
2019-11-22 19:32 ` James Bottomley
2019-11-25 17:33 ` Lakshmi Ramasubramanian
2019-11-25 18:14 ` Mimi Zohar
2019-11-25 18:19 ` Lakshmi Ramasubramanian
2019-11-22 17:38 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1574354333.3277.27.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=jamorris@linuxonhyperv.com \
--cc=linux-integrity@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).