* Question on signing the IMA signing key for kernel trusted keyrings?
@ 2020-01-16 18:39 Clay Chang
From: Clay Chang @ 2020-01-16 18:39 UTC (permalink / raw)
  To: linux-integrity

Hi,

We know that the IMA or EVM signing key must be signed by a key in .builtin_trusted_keys.
In the .builtin_trusted_keys keyring of a fresh CentOS, for example,
there are public keys created by CentOS, and the private key counterparts
are not publicly available. So I think there is technically no way for
others to sign the IMA or EVM key with the private keys of those CAs.

Is there a possibility of getting the IMA or EVM signing keys signed
(probably by the public key in .builtin_trusted_keys) without rolling our own
CA and regenerating the kernel?

Thanks,
Clay


* Re: Question on signing the IMA signing key for kernel trusted keyrings?
@ 2020-01-16 19:04 ` Mimi Zohar
From: Mimi Zohar @ 2020-01-16 19:04 UTC (permalink / raw)
  To: Clay Chang, linux-integrity

On Fri, 2020-01-17 at 02:39 +0800, Clay Chang wrote:
> Hi,
> 
> We know that the IMA or EVM signing key must be signed by a key in .builtin_trusted_keys.
> In the .builtin_trusted_keys keyring of a fresh CentOS, for example,
> there are public keys created by CentOS, and the private key counterparts
> are not publicly available. So I think there is technically no way for
> others to sign the IMA or EVM key with the private keys of those CAs.
> 
> Is there a possibility of getting the IMA or EVM signing keys signed
> (probably by the public key in .builtin_trusted_keys) without rolling our own
> CA and regenerating the kernel?

If the kernel was built with CONFIG_SYSTEM_EXTRA_CERTIFICATE, the
customer could insert their public key post build.[1]  This would
obviously require the kernel to be resigned.

I agree there needs to be a simpler way of including a customer key,
without requiring them to resign the kernel.

Mimi

[1] c4c361059585 ("KEYS: Reserve an extra certificate symbol for
inserting without recompiling")
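The post-build flow Mimi describes, as an added example that is not part of the thread or the kernel tree: check that the built kernel reserved a slot large enough for the customer's DER certificate, insert it with scripts/insert-sys-cert (the tool added by the cited commit), re-sign the resulting image, and finally issue an IMA signing certificate from that CA and load it into the .ima keyring. The signing-key paths, the sbsign re-signing step and the exact certificate extensions are assumptions; the functions are only defined here and are invoked by the operator with real paths.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a kernel tree with
# scripts/insert-sys-cert built (CONFIG_SYSTEM_EXTRA_CERTIFICATE=y), DER
# certificates, and keyutils/openssl/sbsign on the host. Paths are placeholders.

# Pre-check: CONFIG_SYSTEM_EXTRA_CERTIFICATE must be enabled and the DER cert
# must fit into CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, or insertion will fail.
# Returns 0 when both hold, 1 otherwise.
extra_cert_fits() {
    config="$1" cert="$2"
    grep -q '^CONFIG_SYSTEM_EXTRA_CERTIFICATE=y$' "$config" || return 1
    size=$(sed -n 's/^CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=//p' "$config")
    [ -n "$size" ] || return 1
    cert_bytes=$(( $(wc -c < "$cert") ))   # normalise wc's padding
    [ "$cert_bytes" -le "$size" ]
}

# Insert the customer CA certificate (DER) into the already-built vmlinux.
# At boot the kernel parses the reserved slot and adds the key to
# .builtin_trusted_keys, so no rebuild of the kernel sources is needed.
insert_ca_cert() {
    ksrc="$1" vmlinux="$2" cert="$3"
    extra_cert_fits "$ksrc/.config" "$cert" \
        || { echo "certificate does not fit the reserved slot" >&2; return 1; }
    "$ksrc/scripts/insert-sys-cert" -s "$ksrc/System.map" -b "$vmlinux" -c "$cert"
}

# The modified image no longer matches its original signature, so the boot
# image produced from it must be re-signed (sbsign shown; key is a placeholder).
resign_kernel() {
    image="$1"
    sbsign --key /path/to/sb.key --cert /path/to/sb.crt \
        --output "$image.signed" "$image"
}

# Issue an IMA signing certificate from the customer CA and load it into the
# .ima keyring; the kernel accepts it because the CA is now builtin-trusted.
load_ima_cert() {
    ca_key="$1" ca_crt="$2" ima_key="$3" out_der="$4"
    ext=$(mktemp)
    printf 'keyUsage=digitalSignature\nsubjectKeyIdentifier=hash\n' > "$ext"
    openssl req -new -key "$ima_key" -subj '/CN=IMA signing key/' \
        | openssl x509 -req -days 3650 -CA "$ca_crt" -CAkey "$ca_key" \
            -CAcreateserial -extfile "$ext" -outform DER -out "$out_der"
    rm -f "$ext"
    keyctl padd asymmetric "" %keyring:.ima < "$out_der"
}
```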

