From: Eric Snowberg <eric.snowberg@oracle.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
David Howells <dhowells@redhat.com>,
"dwmw2@infradead.org" <dwmw2@infradead.org>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"paul@paul-moore.com" <paul@paul-moore.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"serge@hallyn.com" <serge@hallyn.com>,
"pvorel@suse.cz" <pvorel@suse.cz>,
"tadeusz.struk@intel.com" <tadeusz.struk@intel.com>,
Kanth Ghatraju <kanth.ghatraju@oracle.com>,
Konrad Wilk <konrad.wilk@oracle.com>,
"erpalmer@linux.vnet.ibm.com" <erpalmer@linux.vnet.ibm.com>,
"coxu@redhat.com" <coxu@redhat.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Fri, 10 Feb 2023 22:42:02 +0000 [thread overview]
Message-ID: <6E99904E-3725-4235-990F-BD89E59492A1@oracle.com> (raw)
In-Reply-To: <4bda209dfc891ac9044ce847785c383e89f14f97.camel@linux.ibm.com>
> On Feb 10, 2023, at 6:05 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Eric,
>
> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
>> Add a machine keyring CA restriction menu option to control the type of
>> keys that may be added to it. The options include none, min and max
>> restrictions.
>>
>> When no restrictions are selected, all Machine Owner Keys (MOK) are added
>> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
>> selected, the CA bit must be true. Also the key usage must contain
>> keyCertSign, any other usage field may be set as well.
>>
>> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
>> be true. Also the key usage must contain keyCertSign and the
>> digitialSignature usage may not be set.
>>
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>
> Missing from the patch description is the motivation for this change.
> The choices none, min, max implies a progression, which is good, and
> the technical differences between the choices, but not the reason.
>
> The motivation, at least from my perspective, is separation of
> certificate signing from code signing keys, where "none" is no
> separation and "max" being total separation of keys based on usage.
>
> Subsequent work, as discussed in the cover letter thread, will limit
> certificates being loaded onto the IMA keyring to code signing keys
> used for signature verification.
I will include this in the next round too, thanks.
next prev parent reply other threads:[~2023-02-10 22:43 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-07 2:59 [PATCH v4 0/6] Add CA enforcement keyring restrictions Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2023-02-10 3:39 ` Jarkko Sakkinen
2023-02-10 22:38 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 2/6] KEYS: Add missing function documentation Eric Snowberg
2023-02-08 21:48 ` Mimi Zohar
2023-02-10 3:40 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2023-02-08 21:01 ` Mimi Zohar
2023-02-10 3:46 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 4/6] KEYS: X.509: Parse Key Usage Eric Snowberg
2023-02-08 21:02 ` Mimi Zohar
2023-02-10 3:48 ` Jarkko Sakkinen
2023-02-10 22:39 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 5/6] KEYS: CA link restriction Eric Snowberg
2023-02-09 2:55 ` Mimi Zohar
2023-02-07 2:59 ` [PATCH v4 6/6] integrity: machine keyring CA configuration Eric Snowberg
2023-02-10 13:05 ` Mimi Zohar
2023-02-10 22:42 ` Eric Snowberg [this message]
2023-02-13 7:54 ` Jarkko Sakkinen
2023-02-14 21:24 ` Eric Snowberg
2023-02-08 12:38 ` [PATCH v4 0/6] Add CA enforcement keyring restrictions Mimi Zohar
2023-02-08 23:26 ` Eric Snowberg
2023-02-09 2:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6E99904E-3725-4235-990F-BD89E59492A1@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=coxu@redhat.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=erpalmer@linux.vnet.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=serge@hallyn.com \
--cc=tadeusz.struk@intel.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).