Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Lakshmi <nramas@linux.microsoft.com>
To: Ken Goldman <kgold@linux.ibm.com>,
	Linux Integrity <linux-integrity@vger.kernel.org>,
	Mimi Zohar <zohar@linux.ibm.com>,
	David Howells <dhowells@redhat.com>,
	James Morris <jamorris@linux.microsoft.com>,
	Linux Kernel <linux-kernel@vger.kernel.org>
Cc: Balaji Balasubramanyan <balajib@linux.microsoft.com>,
	Prakhar Srivastava <prsriva@linux.microsoft.com>
Subject: Re: [PATCH 0/2] public key: IMA signer logging: Log public key of IMA Signature signer in IMA log
Date: Thu, 16 May 2019 18:29:31 -0700
Message-ID: <9c944ba6-f520-96e1-3631-1e21bbc4c327@linux.microsoft.com> (raw)
In-Reply-To: <750fdb9f-fc9b-24bf-42c3-32156ecdc16f@linux.ibm.com>

On 5/16/19 7:34 AM, Ken Goldman wrote:

>> But outside the client machine this key id is not sufficient to
>> uniquely determine which key the signature corresponds to.
> 
> Why is this not sufficient?
> 
> In my implementation, I create a lookup table at the attestation service 
> that maps the 4-byte IMA log key identifier to the signing public key.
> 
> Are you concerned about collisions?  Something else?

Yes - the concern is collision.

The "Subject Key Identifier" (SKI) for no two certificate can be the 
same. But since we are using only the last 4 bytes of the SKI it can 
collide. That's mainly the reason I want to log the entire public key.

> 
> Are you suggesting that the client supply the verification public key 
> and that the verifier trust it?  Wouldn't that make the log self signed?
> 
> How would the verifier determine that the key from the IMA log is valid 
> / trusted / not revoked from the log itself?

IMA log is backed by the TPM. So if the public key is added to the IMA 
log the attestation service can validate the key information.
I am not sure if that answers your question.

> 
> A minor question here.
> 
> Are you proposing that the IMA log contain a single ima-sigkey entry per 
> public key followed by ima-sig entries?
> 
> Or are you proposing that ima-sig be replaced by ima-sigkey, and that 
> each event would contain both the signature and the public key?
> 
> If the latter, this could add 25M to a server's 100K log.  Would that 
> increase in size concern anyone?  Could it be a concern on the other 
> end, an IoT device with limited memory?

Mimi had raised the same concern. I will update my implementation to 
include the certification information in the IMA log only once per key - 
when that key is added to the IMA or Platform keyring.

Thanks,
  -lakshmi


  reply index

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-14 17:14 Lakshmi
2019-05-14 17:29 ` Mimi Zohar
2019-05-15 18:17   ` Lakshmi
2019-05-16 22:45     ` Mimi Zohar
2019-05-16 14:34 ` Ken Goldman
2019-05-17  1:29   ` Lakshmi [this message]
2019-05-17 14:41     ` Ken Goldman
2019-05-20 23:15       ` Lakshmi
2019-05-22 18:57         ` Ken Goldman
2019-05-22 19:37           ` Lakshmi

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9c944ba6-f520-96e1-3631-1e21bbc4c327@linux.microsoft.com \
    --to=nramas@linux.microsoft.com \
    --cc=balajib@linux.microsoft.com \
    --cc=dhowells@redhat.com \
    --cc=jamorris@linux.microsoft.com \
    --cc=kgold@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=prsriva@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org linux-integrity@archiver.kernel.org
	public-inbox-index linux-integrity


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/ public-inbox