Date: Sat, 30 Jan 2021 01:27:21 +0200
From: Jarkko Sakkinen
To: Mimi Zohar
Cc: David Howells, linux-integrity, Eric Snowberg, Jarkko Sakkinen, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, nayna@linux.ibm.com, erichte@linux.ibm.com, mpe@ellerman.id.au, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@hansenpartnership.com
Subject: Re: [PATCH v4] certs: Add EFI_CERT_X509_GUID support for dbx entries
References: <1360578.1607593748@warthog.procyon.org.uk> <2442460.1610463459@warthog.procyon.org.uk> <3063834.1611747971@warthog.procyon.org.uk> <61a0420790250807837b5a701bb52f3d63ff0c84.camel@linux.ibm.com>
In-Reply-To: <61a0420790250807837b5a701bb52f3d63ff0c84.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 27, 2021 at 09:03:59AM -0500, Mimi Zohar wrote:
> [Cc'ing linux-integrity]
>
> On Wed, 2021-01-27 at 11:46 +0000, David Howells wrote:
> > Jarkko Sakkinen wrote:
> >
> > > > I suppose a user space tool could be created. But wouldn’t what is
> > > > currently done in the kernel in this area need to be removed?
> > >
> > > Right. I don't think this was a great idea in the first place to
> > > do to the kernel but since it exists, I guess the patch does make
> > > sense.
> >
> > This information needs to be loaded from the UEFI tables before the system
> > starts loading any kernel modules or running any programs (if we do
> > verification of such, which I think IMA can do).
>
> There needs to be a clear distinction between the pre-boot and post-boot
> keys. UEFI has its own trust model, which should be limited to UEFI.
> The .platform keyring was upstreamed and limited to verifying the kexec
> kernel image. Any other usage of the .platform keyring keys is
> abusing its intended purpose.
>
> The cover letter says, "Anytime the .platform keyring is used, the
> keys in the .blacklist keyring are referenced, if a matching key is
> found, the key will be rejected." I don't have a problem with loading
> the UEFI X509 dbx entries as long as its usage is limited to verifying
> the kexec kernel image.
>
> Mimi

Thanks Mimi, this is a valid argument. I agree.

/Jarkko
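The two points the thread settles on, that dbx entries of type EFI_CERT_X509_GUID are loaded into the .blacklist keyring and consulted whenever the .platform keyring is used, and that the .platform keyring is only valid for verifying a kexec kernel image, modelled as an added example in Python. This is not kernel code and not from the patch series: it parses the on-disk EFI_SIGNATURE_LIST format (the GUID constants are the real UEFI values), but the blacklist identity for an X509 entry is taken here as the SHA-256 of the whole DER certificate, which is a simplification and not the kernel's blacklist key format, and the `Purpose` enum, the function names and the sample dbx blob are all constructed for the example.

```python
import hashlib
import struct
import uuid
from enum import Enum, auto

# Real UEFI signature-type GUIDs, in the mixed-endian byte layout EFI uses on disk.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Return [(type_guid, owner_guid, data)] for every entry in a dbx-style blob.

    Every size field is bounds-checked before use; a malformed list raises
    rather than silently yielding partial or out-of-range entries.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= 16:  # each entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            entries.append((sig_type, body[i:i + 16], body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_blacklist(blob: bytes):
    """Turn dbx entries into a set of blacklisted identities.

    ASSUMPTION: an X509 entry is identified by sha256(DER); the kernel uses a
    different key format for its .blacklist keyring. Unknown types are skipped.
    """
    blacklist = set()
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            if len(data) != 32:
                raise ValueError("EFI_CERT_SHA256 entry must be exactly 32 bytes")
            blacklist.add(("bin", data.hex()))
        elif sig_type == EFI_CERT_X509_GUID:
            blacklist.add(("x509", hashlib.sha256(data).hexdigest()))
    return blacklist


class Purpose(Enum):  # hypothetical, for the example only
    KEXEC_IMAGE = auto()
    KERNEL_MODULE = auto()
    IMA_APPRAISAL = auto()


# The .platform keyring's one legitimate consumer, as the thread states.
PLATFORM_KEYRING_USES = {Purpose.KEXEC_IMAGE}


def platform_keyring_allows(cert_der: bytes, purpose: Purpose, blacklist):
    """Return (allowed, reason): scope check first, then the .blacklist lookup."""
    if purpose not in PLATFORM_KEYRING_USES:
        return False, f".platform keyring is not valid for {purpose.name}"
    if ("x509", hashlib.sha256(cert_der).hexdigest()) in blacklist:
        return False, "certificate matches a dbx entry in .blacklist"
    return True, "certificate accepted from .platform keyring"


# --- constructed sample data (not a real dbx) --------------------------------
def make_signature_list(sig_type: bytes, owner: bytes, entries):
    sig_size = 16 + len(entries[0])
    body = b"".join(owner + e for e in entries)
    return _LIST_HDR.pack(sig_type, _LIST_HDR.size + len(body), 0, sig_size) + body


OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes_le  # constructed
FAKE_CERT_A = b"\x30\x03\x02\x01\x01"  # placeholder bytes standing in for a DER cert
FAKE_CERT_B = b"\x30\x03\x02\x01\x02"  # a second, non-revoked placeholder
SAMPLE_DBX = (
    make_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                        [hashlib.sha256(b"revoked-binary").digest()])
    + make_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_A])
)

if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_DBX)
    for cert, purpose in [(FAKE_CERT_A, Purpose.KEXEC_IMAGE),
                          (FAKE_CERT_B, Purpose.KEXEC_IMAGE),
                          (FAKE_CERT_B, Purpose.KERNEL_MODULE)]:
        print(purpose.name, platform_keyring_allows(cert, purpose, bl))
```

The ordering in `platform_keyring_allows` is deliberate: the purpose check runs before any key lookup, so a module or IMA verification never reaches the UEFI-derived keys at all, which is the separation of pre-boot and post-boot trust Mimi asks for; the dbx check then only ever rejects, never admits, a certificate.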