Subject: Re: [RFC 2/2] initramfs with digital signature protection
From: Dmitry Kasatkin
To: Mimi Zohar
Cc: Vivek Goyal, Josh Boyer, Matthew Garrett, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 11 Apr 2013 11:08:05 +0300
In-Reply-To: <1365627922.2452.32.camel@falcor1.watson.ibm.com>

Hello,

(in plain text)

I am responding to the original question of this thread.

A signed initramfs allows not only adding keys to the keyrings but also performing other initialization that requires user space.

Keys can be embedded into the kernel. This is fine.

Regards
- Dmitry

On Thu, Apr 11, 2013 at 12:05 AM, Mimi Zohar wrote:
> On Wed, 2013-04-10 at 15:42 -0400, Vivek Goyal wrote:
>> On Tue, Apr 09, 2013 at 11:07:10PM -0400, Mimi Zohar wrote:
>>
>> [..]
>>
>> > The module keyring is a special case. Loading these keys from the
>> > kernel and, presumably, locking the keyring is probably fine. In the
>> > case of IMA, however, files will be signed by any number of package
>> > owners. If the _ima keyring is locked by the kernel, how would you add
>> > these other keys?
>>
>> Who are package owners here? IOW, in a typical IMA setup, where are the keys
>> and when are these keys loaded into the ima keyring?
>
> Suppose I install third party packages not signed by the distro, but by
> the package owner (e.g. google, rpmfusion, ...). Not only does the
> package signature need to be verified on installation, but the files
> need to be installed with signatures. For IMA to enforce file
> integrity, the package owner's public key needs to be added to the _ima
> keyring.
>
>> If we trust root and keys can be loaded any time later, then signed
>> initramfs will not solve the problem either.
>
> Locking the keyring in the kernel will limit the set of permitted keys
> to only those specified in the UEFI db or builtin. Locking the keyring in
> the "early" initramfs will allow the system owner, whose key is in the
> UEFI db, to specify additional keys, such as those for third party
> packages. Not all public keys belong in the UEFI db.
>
> Mimi