Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932301AbcCHPcd (ORCPT ); Tue, 8 Mar 2016 10:32:33 -0500 Received: from mx1.redhat.com ([209.132.183.28]:50815 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751256AbcCHPcQ convert rfc822-to-8bit (ORCPT ); Tue, 8 Mar 2016 10:32:16 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <1457449745.5321.141.camel@linux.vnet.ibm.com> References: <1457449745.5321.141.camel@linux.vnet.ibm.com> <1457447480.5321.115.camel@linux.vnet.ibm.com> <1457402735.5321.14.camel@linux.vnet.ibm.com> <20160304150022.17121.34501.stgit@warthog.procyon.org.uk> <20160304150142.17121.56666.stgit@warthog.procyon.org.uk> <30699.1457442839@warthog.procyon.org.uk> <449.1457448192@warthog.procyon.org.uk> To: Mimi Zohar Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2] MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2818.1457451134.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Tue, 08 Mar 2016 15:32:14 +0000 Message-ID: <2819.1457451134@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1588 Lines: 44 Mimi Zohar wrote: > > The problem boils down to a difficulty in concocting a name that describes a > > complex situation that may change depending on the configuration. I can make > > it "restrict_link_by_any_system_trusted" if you'd prefer. > > > > That's why I want "system trusted keyrings" to refer to the builtin and the > > secondary - *and* an extra UEFI keyring if we grow one of those. It's a > > collection of related keyrings. > > Sigh, this is the same discussion we've had for years. No, it isn't. > The UEFI keys should not be trusted to validate the certificates being added > to the IMA keyring. A machine-security (e.g. UEFI) keyring will conceivably live in certs/system_keyring.c and only be enabled if CONFIG_SYSTEM_TRUSTED_KEYRINGS=y and, say, CONFIG_MACHINE_TRUSTED_KEYRING=y. I didn't say that IMA necessarily has to use it. What we need to do is define a set of functions allow IMA to get the restrictions it wants, depending on configuration. In the code I currently have, I think we have those: restrict_link_reject restrict_link_by_builtin_trusted restrict_link_by_system_trusted If you really want, I can add a restrict_link_for_ima in there, but I'd rather not if IMA can use whichever of the above three most suits it. How about: restrict_link_reject restrict_link_by_builtin_trusted restrict_link_by_builtin_or_secondary_trusted > Neither should the keys on the secondary keyring, unless specifically IMA > Kconfig enabled, be used to validate the certificates being added to the IMA > keyring. Yes. David