Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751172AbcCHWFq (ORCPT <rfc822;w@1wt.eu>);
	Tue, 8 Mar 2016 17:05:46 -0500
Received: from e28smtp08.in.ibm.com ([125.16.236.8]:60129 "EHLO
	e28smtp08.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750787AbcCHWFg (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 8 Mar 2016 17:05:36 -0500
X-IBM-Helo: d28relay01.in.ibm.com
X-IBM-MailFrom: zohar@linux.vnet.ibm.com
X-IBM-RcptTo: linux-kernel@vger.kernel.org;keyrings@vger.kernel.org;linux-security-module@vger.kernel.org
Message-ID: <1457474724.5321.170.camel@linux.vnet.ibm.com>
Subject: Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings
 instead of .ima_mok [ver #2]
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petko Manolov <petkan@mip-labs.com>
Cc: David Howells <dhowells@redhat.com>, linux-security-module@vger.kernel.org,
        keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 08 Mar 2016 17:05:24 -0500
In-Reply-To: <20160308163758.GA4934@localhost>
References: <20160308141429.GC2243@p310>
	 <1457403993.5321.33.camel@linux.vnet.ibm.com>
	 <20160304150022.17121.34501.stgit@warthog.procyon.org.uk>
	 <20160304150149.17121.31855.stgit@warthog.procyon.org.uk>
	 <30481.1457442516@warthog.procyon.org.uk>
	 <3362.1457453220@warthog.procyon.org.uk> <20160308163758.GA4934@localhost>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
x-cbid: 16030822-0029-0000-0000-00000B65CEE2
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1915
Lines: 44

On Tue, 2016-03-08 at 18:37 +0200, Petko Manolov wrote:
> On 16-03-08 16:07:00, David Howells wrote:
> > Petko Manolov <petkan@mip-labs.com> wrote:
> > 
> > > > How about I change it to a choice-type item, with the following options:
> > > > 
> > > >  (1) No addition.
> > > > 
> > > >  (2) Addition restricted by built-in keyring.
> > > > 
> > > >  (3) Addition restricted by secondary keyring + built-in keyring.
> > > > 
> > > > where the second and third options then depend on the appropriate keyrings 
> > > > being enabled.
> > > 
> > > I would suggest leaving (1) and (3).  Since secondary keyring only accepts
> > > keys signed by certificate in the system keyring I think (2) is redundant.
> > > It adds extra complexity (Kconfig is vague enough already) while it doesn't
> > > increase the overall security by much.
> > 
> > If I remove option (2), that would mean that if you want to allow keys to be 
> > added to .ima if they're signed by the built-in keyring, then you also allow 
> > keys to be added to .ima if they're signed by the secondary keyring if 
> > enabled.
> 
> Exactly.  The primary difference between the built-in and secondary keyring is 
> that the latter is R/W.  Chances are the user want either no addition or need 
> dynamic key add/remove.

Option 1 will prevent ANY keys from being added to the IMA keyring that
were not builtin and loaded by the kernel, similar to the existing
system certificate list.  The keyring itself would need to allow the
builtin keys to be added with the "KEY_ALLOC_BYPASS_RESTRICTION"
override.

Option 2 only allows certificates signed by a key on the builtin keyring
to be added to the IMA keyring.  (This should be the default.)

> I don't have strong opinions against (2).  This is more of a discussion whether 
> we should sacrifice in favor of simplicity or flexibility.

I disagree.  There is a major difference between option 2 and 3.

Mimi