Subject: Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load
From: Mimi Zohar
To: Jiri Slaby, David Howells, keyrings@vger.kernel.org
Cc: matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 07 Mar 2018 08:18:02 -0500
In-Reply-To: <6eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz>
References: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <6eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz>
Message-Id: <1520428682.10396.445.camel@linux.vnet.ibm.com>

On Tue, 2018-03-06 at 15:05 +0100, Jiri Slaby wrote:
> On 11/16/2016, 07:10 PM, David Howells wrote:
> > Here are two sets of patches. Firstly, the first three patches provide a
> > blacklist, making the following changes:
> ...
> > Secondly, the remaining patches allow the UEFI database to be used to load
> > the system keyrings:
> ...
> > Dave Howells (2):
> >   efi: Add EFI signature data types
> >   efi: Add an EFI signature blob parser
> >
> > David Howells (5):
> >   KEYS: Add a system blacklist keyring
> >   X.509: Allow X.509 certs to be blacklisted
> >   PKCS#7: Handle blacklisted certificates
> >   KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
> >   efi: Add SHIM and image security database GUID definitions
> >
> > Josh Boyer (2):
> >   MODSIGN: Import certificates from UEFI Secure Boot
> >   MODSIGN: Allow the "db" UEFI variable to be suppressed
>
> Hi,
>
> what's the status of this please? Distributors (I checked SUSE, RedHat
> and Ubuntu) have to carry these patches and each of them has to
> forward-port the patches to new kernels. So are you going to resend the
> PR to have this merged?

With secure boot enabled, we establish a signature chain of trust, rooted in HW, up to the kernel and then transition from those keys to a new set of keys built into the kernel and loaded onto the builtin_trusted_keys (builtin). Enabling the secondary_builtin_keys (secondary) allows keys signed by a key on the builtin keyring to be added to the secondary keyring. Any key, signed by a key on either the builtin or secondary keyring, can be added to the IMA trusted keyring.

The "KEYS: Allow unrestricted boot-time addition of keys to secondary keyring" patch loads the platform keys directly onto the secondary keyring, without requiring them to be signed by a key on the builtin or secondary keyring.
With this change, any key signed by a platform key on the secondary can be loaded onto the .ima trusted keyring. Just because I trust the platform keys prior to booting the kernel, doesn't mean that I *want* to trust those keys once booted. There are, however, places where we need access to those keys to verify a signature (eg. kexec kernel image).

Nayna Jain's "certs: define a trusted platform keyring" patch set introduces a new, separate keyring for these platform keys.

Mimi
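The trust-chain argument in the reply above (builtin vouches for secondary, builtin or secondary vouch for .ima, and platform keys either land on secondary or on a keyring of their own) can be modelled as a small link-restriction simulation. The following is an added example, not code from the thread or from the kernel: the keyring names are the kernel's, but the `Key`/`Keyring`/`TrustModel` classes, the `separate_platform_keyring` switch, the kexec rule (builtin and secondary keys plus the platform keyring when it exists) and the sample key names are this example's own assumptions.

```python
"""Toy model of the keyring trust chain described in the reply above.

Constructed illustration, not kernel code.  Keys are records carrying the
name of the key that signed them; each keyring carries a link restriction
naming the keyrings whose keys may vouch for an addition, mirroring the
chain builtin -> secondary -> .ima from the email.  Keyring names are the
kernel's; the classes, the separate_platform_keyring switch and the sample
key names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BUILTIN = ".builtin_trusted_keys"
SECONDARY = ".secondary_trusted_keys"
IMA = ".ima"
PLATFORM = ".platform"


@dataclass(frozen=True)
class Key:
    name: str
    signer: Optional[str]  # name of the signing key; None = self-signed root


@dataclass
class Keyring:
    name: str
    # Keyrings whose keys may vouch for a new key; None = no runtime additions.
    trust_sources: Optional[Tuple[str, ...]]
    keys: Dict[str, Key] = field(default_factory=dict)


class TrustModel:
    def __init__(self, separate_platform_keyring: bool) -> None:
        self.separate = separate_platform_keyring
        self.rings = {
            BUILTIN: Keyring(BUILTIN, None),
            SECONDARY: Keyring(SECONDARY, (BUILTIN, SECONDARY)),
            IMA: Keyring(IMA, (BUILTIN, SECONDARY)),
        }
        if separate_platform_keyring:
            # Separate platform keyring: no other keyring lists it as a
            # trust source, so its keys cannot vouch for .ima additions.
            self.rings[PLATFORM] = Keyring(PLATFORM, None)

    def compile_in(self, key: Key) -> None:
        """Keys embedded in the kernel image at build time."""
        self.rings[BUILTIN].keys[key.name] = key

    def load_uefi_db(self, keys) -> str:
        """Boot-time load of UEFI db keys with no signature requirement.
        Returns the name of the keyring they landed on."""
        target = PLATFORM if self.separate else SECONDARY
        for k in keys:
            self.rings[target].keys[k.name] = k
        return target

    def add_key(self, ring_name: str, key: Key) -> bool:
        """Runtime addition: allowed only if a trust source holds the signer."""
        ring = self.rings[ring_name]
        if ring.trust_sources is None:
            return False
        if any(key.signer in self.rings[src].keys for src in ring.trust_sources):
            ring.keys[key.name] = key
            return True
        return False

    def can_verify_kexec_image(self, signer: str) -> bool:
        """Assumed kexec rule: builtin and secondary keys, plus the platform
        keyring when it exists (a place where the platform keys are needed)."""
        sources = [BUILTIN, SECONDARY] + ([PLATFORM] if self.separate else [])
        return any(signer in self.rings[s].keys for s in sources)


def scenario(separate_platform_keyring: bool) -> Dict[str, bool]:
    """Compare the two designs using constructed sample keys."""
    m = TrustModel(separate_platform_keyring)
    m.compile_in(Key("distro-kernel-ca", None))  # constructed compiled-in CA
    m.load_uefi_db([Key("oem-db-key", None)])  # constructed UEFI db entry
    return {
        # Signed by the compiled-in CA: accepted for .ima in both designs.
        "distro_signed_ima_key": m.add_key(IMA, Key("ima-signer-a", "distro-kernel-ca")),
        # Signed only by a UEFI db key: the case the reply objects to.
        "db_signed_ima_key": m.add_key(IMA, Key("ima-signer-b", "oem-db-key")),
        # The db key stays usable where platform keys are meant to be consulted.
        "db_signed_kexec_image": m.can_verify_kexec_image("oem-db-key"),
    }


if __name__ == "__main__":
    for separate in (False, True):
        print("separate .platform keyring:", separate, scenario(separate))
```

With `separate_platform_keyring=False` (the posted patch, db keys loaded straight onto secondary) a key signed by a UEFI db key is accepted onto .ima; with `True` (a dedicated platform keyring) the same key is rejected for .ima while the db key still verifies a kexec image, which is the distinction the reply draws.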