linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Morten Linderud <morten@linderud.pw>
To: Eric Snowberg <eric.snowberg@oracle.com>
Cc: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com,
	keescook@chromium.org, torvalds@linux-foundation.org,
	weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com,
	ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com,
	jason@zx2c4.com, linux-kernel@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	James.Bottomley@hansenpartnership.com, pjones@redhat.com,
	konrad.wilk@oracle.com
Subject: Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found
Date: Thu, 10 Nov 2022 01:01:29 +0100	[thread overview]
Message-ID: <20221110000129.kl6pjy5mafpuptbk@framework> (raw)
In-Reply-To: <20211124044124.998170-17-eric.snowberg@oracle.com>

On Tue, Nov 23, 2021 at 11:41:23PM -0500, Eric Snowberg wrote:
> A new Machine Owner Key (MOK) variable called MokListTrustedRT has been
> introduced in shim. When this UEFI variable is set, it indicates the
> end-user has made the decision themselves that they wish to trust MOK keys
> within the Linux trust boundary.  It is not an error if this variable
> does not exist. If it does not exist, the MOK keys should not be trusted
> within the kernel.

Hi Eric,

I've been milling around on this patch-set for a while and I have a few issues
with the description of the commit and what the code actually does.

efi_mokvar_entry_find doesn't simply read an UEFI variable as the commit message
suggests, it will look for the MOK variable loaded into the EFI configuration
table. This implies we need this table setup in early boot to take usage of this
patch set.

The only bootloader that does setup this table, is the `shim` as described. But
no other bootloader implements support for the MOK EFI configuration table.

This effectively means that there is still no way for Machine Owners to load
keys into the keyring, for things like module signing, without the shim present
in the bootchain. I find this a bit weird.

Is this an intentional design decision, or could other ways be supported as
well?

-- 
Morten Linderud
PGP: 9C02FF419FECBE16

  parent reply	other threads:[~2022-11-10  0:57 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-24  4:41 [PATCH v8 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-24  4:41 ` [PATCH v8 01/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-24  4:41 ` [PATCH v8 02/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-24  4:41 ` [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-25  2:49   ` Mimi Zohar
2021-11-29 22:50     ` Eric Snowberg
2021-11-27  0:39   ` Jarkko Sakkinen
2021-11-24  4:41 ` [PATCH v8 04/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-27  0:42   ` Jarkko Sakkinen
2021-11-24  4:41 ` [PATCH v8 05/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-27  0:43   ` Jarkko Sakkinen
2021-11-24  4:41 ` [PATCH v8 06/17] KEYS: CA link restriction Eric Snowberg
2021-11-27  0:44   ` Jarkko Sakkinen
2021-11-24  4:41 ` [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2022-02-14 12:42   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-27  0:46   ` Jarkko Sakkinen
2021-11-24  4:41 ` [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-27  0:49   ` Jarkko Sakkinen
2021-11-30 17:21     ` Eric Snowberg
2021-12-01 10:27       ` Jarkko Sakkinen
2021-12-01 13:46         ` Mimi Zohar
2021-12-04 17:39           ` Jarkko Sakkinen
2021-12-15 18:14           ` Eric Snowberg
2021-12-15 19:54             ` Mimi Zohar
2021-11-24  4:41 ` [PATCH v8 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2022-02-14 12:18   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-02-14 12:23   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-24  4:41 ` [PATCH v8 13/17] integrity: store reference to " Eric Snowberg
2022-02-14 12:27   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 14/17] KEYS: link machine trusted keys to secondary_trusted_keys Eric Snowberg
2022-02-14 12:28   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 15/17] efi/mokvar: move up init order Eric Snowberg
2022-02-14 12:29   ` Darren Kenny
2021-11-24  4:41 ` [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-02-14 12:31   ` Darren Kenny
2022-11-10  0:01   ` Morten Linderud [this message]
2022-11-10  0:54     ` Eric Snowberg
2022-11-10 15:06       ` Morten Linderud
2022-11-10 15:27         ` James Bottomley
2022-11-10 15:30           ` Ard Biesheuvel
2022-11-10  7:42     ` Ard Biesheuvel
2022-11-10 14:27       ` Morten Linderud
2022-11-10 14:15     ` James Bottomley
2021-11-24  4:41 ` [PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-02-14 12:37   ` Darren Kenny
2022-02-20 23:23 ` [PATCH v8 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221110000129.kl6pjy5mafpuptbk@framework \
    --to=morten@linderud.pw \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@google.com \
    --cc=eric.snowberg@oracle.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jason@zx2c4.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).