* Question on signing the IMA signing key for kernel trusted keyrings?
From: Clay Chang @ 2020-01-16 18:39 UTC
To: linux-integrity
Hi,
We know that the IMA or EVM signing key must be signed by the .builtin_trusted_keys.
In the .builtin_trusted_keys keyring of a fresh CentOS, for example,
there are public keys created by CentOS. And the private key counterparts
were not available publicly. So I think there is technically no way for
others to sign the IMA or EVM key by the private keys of those CAs.
Is there a possibility of getting the IMA or EVM signing keys signed
(probably by the public key in .builtin_trusted_keys) without rolling my own
CA and regenerating the kernel?
Thanks,
Clay
* Re: Question on signing the IMA signing key for kernel trusted keyrings?
From: Mimi Zohar @ 2020-01-16 19:04 UTC
To: Clay Chang, linux-integrity
On Fri, 2020-01-17 at 02:39 +0800, Clay Chang wrote:
> Hi,
>
> We know that the IMA or EVM signing key must be signed by the .builtin_trusted_keys.
> In the .builtin_trusted_keys keyring of a fresh CentOS, for example,
> there are public keys created by CentOS. And the private key counterparts
> were not available publicly. So I think there is technically no way for
> others to sign the IMA or EVM key by the private keys of those CAs.
>
> Is there a possibility of getting the IMA or EVM signing keys signed
> (probably by the public key in .builtin_trusted_keys) without rolling my own
> CA and regenerating the kernel?
If the kernel was built with CONFIG_SYSTEM_EXTRA_CERTIFICATE, the
customer could insert their public key post build.[1] This would
obviously require the kernel to be resigned.
I agree there needs to be a simpler way of including a customer key,
without requiring them to resign the kernel.
Mimi
[1] c4c361059585 ("KEYS: Reserve an extra certificate symbol for
inserting without recompiling")
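As an added illustration (not code from the kernel, from this thread, or from either poster) of why Mimi's answer comes with a resign caveat, the following is a deliberately simplified model of the CONFIG_SYSTEM_EXTRA_CERTIFICATE mechanism: the build leaves a zero-filled, fixed-size slot in the image, a post-build tool copies one DER certificate into it, and at boot the certificate list is walked by reading each X.509 SEQUENCE header (the kernel accepts only the `0x30 0x82 <len16>` form). Everything here is constructed: the struct layout, the function names, the "certificates" (bare SEQUENCE headers with filler bodies, not real X.509), the 64-byte slot size, and the FNV-1a digest that stands in for the Secure Boot signature over the image. The point it makes runnable is that the insert changes image bytes, so any signature over the image is invalidated and the kernel must be re-signed, and that the slot has a fixed capacity and holds a single certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE; kept tiny for the demo (constructed value). */
#define EXTRA_CERT_SIZE 64

/* Hypothetical model of the relevant parts of a built kernel image. */
struct kernel_image {
    uint8_t builtin_list[32];            /* certificates compiled in at build time */
    size_t  builtin_len;
    uint8_t extra_cert[EXTRA_CERT_SIZE]; /* zero-filled reserved slot for one post-build certificate */
    size_t  extra_used;                  /* bytes of the slot in use (0 = nothing inserted) */
};

/* Length of one DER SEQUENCE at p in the 0x30 0x82 <hi> <lo> form, or 0 if malformed/truncated. */
static size_t der_cert_len(const uint8_t *p, size_t avail)
{
    if (avail < 4 || p[0] != 0x30 || p[1] != 0x82)
        return 0;
    size_t plen = (((size_t)p[2] << 8) | p[3]) + 4;
    return plen <= avail ? plen : 0;
}

/* Walk a concatenated DER list and count certificates; -1 on a malformed entry. */
static int count_certs(const uint8_t *list, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        size_t l = der_cert_len(list + off, len - off);
        if (l == 0)
            return -1;
        off += l;
    }
    return n;
}

/* Constructed "certificate": a valid SEQUENCE header over body_len filler bytes. Returns total length, 0 if it won't fit. */
static size_t make_fake_cert(uint8_t *buf, size_t cap, size_t body_len, uint8_t fill)
{
    size_t total = body_len + 4;
    if (total > cap || body_len > 0xFFFF)
        return 0;
    buf[0] = 0x30; buf[1] = 0x82;
    buf[2] = (uint8_t)(body_len >> 8); buf[3] = (uint8_t)body_len;
    memset(buf + 4, fill, body_len);
    return total;
}

/* Model of the build step: two built-in certificates, empty extra slot. */
static void build_image(struct kernel_image *img)
{
    memset(img, 0, sizeof *img);
    size_t n = make_fake_cert(img->builtin_list, sizeof img->builtin_list, 10, 0xAA);
    n += make_fake_cert(img->builtin_list + n, sizeof img->builtin_list - n, 10, 0xBB);
    img->builtin_len = n;
}

/* Model of the post-build insert: 0 on success, -1 if the slot is already used, -2 if the cert is malformed or too big. */
static int insert_extra_cert(struct kernel_image *img, const uint8_t *cert, size_t len)
{
    if (img->extra_used != 0)
        return -1;
    if (len == 0 || der_cert_len(cert, len) != len || len > EXTRA_CERT_SIZE)
        return -2;
    memcpy(img->extra_cert, cert, len);
    img->extra_used = len;
    return 0;
}

/* Keys that would be loaded onto .builtin_trusted_keys at boot: built-in list plus the extra slot. */
static int builtin_trusted_key_count(const struct kernel_image *img)
{
    int n = count_certs(img->builtin_list, img->builtin_len);
    int m = count_certs(img->extra_cert, img->extra_used);
    return (n < 0 || m < 0) ? -1 : n + m;
}

/* FNV-1a over the image bytes: stands in for the Secure Boot signature (constructed, not a real signature). */
static uint64_t image_digest(const struct kernel_image *img)
{
    const uint8_t *p = (const uint8_t *)img;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof *img; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Trusted-key count after inserting a cert with the given body length, or the insert error code. */
int keys_after_insert(size_t cert_body_len)
{
    struct kernel_image img; uint8_t cert[512];
    build_image(&img);
    int rc = insert_extra_cert(&img, cert, make_fake_cert(cert, sizeof cert, cert_body_len, 0xCC));
    return rc ? rc : builtin_trusted_key_count(&img);
}

/* 1 if the image digest (i.e. what the kernel signature covers) changes after an insert. */
int digest_changes_on_insert(void)
{
    struct kernel_image img; uint8_t cert[512];
    build_image(&img);
    uint64_t before = image_digest(&img);
    if (insert_extra_cert(&img, cert, make_fake_cert(cert, sizeof cert, 20, 0xCC)) != 0)
        return -1;
    return image_digest(&img) != before;
}

/* The slot holds exactly one certificate: a second insert is refused. */
int second_insert_rejected(void)
{
    struct kernel_image img; uint8_t cert[512];
    build_image(&img);
    size_t len = make_fake_cert(cert, sizeof cert, 20, 0xCC);
    if (insert_extra_cert(&img, cert, len) != 0)
        return -99;
    return insert_extra_cert(&img, cert, len);
}

int main(void)
{
    printf("keys after insert of a 24-byte cert: %d\n", keys_after_insert(20));
    printf("insert of a 204-byte cert into a %d-byte slot: %d\n", EXTRA_CERT_SIZE, keys_after_insert(200));
    printf("image digest changed by insert: %d\n", digest_changes_on_insert());
    printf("second insert result: %d\n", second_insert_rejected());
    return 0;
}
```

The real tool the commit in [1] is paired with is scripts/insert-sys-cert in the kernel tree; it locates the reserved symbol in vmlinux rather than a struct field, but the consequence shown here is the same: the image you boot is no longer the image that was signed, which is the resign step Mimi refers to.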