Received: by 10.192.165.148 with SMTP id m20csp210224imm;
        Thu, 3 May 2018 18:21:28 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrWj2OGau+uqOIYRxHVA4efnVaZVOhv/aEdEnqP5V13K2H9ilV79asmu81I3S4KfKJHZ3Vt
X-Received: by 2002:a65:6117:: with SMTP id z23-v6mr20431312pgu.72.1525396888798;
        Thu, 03 May 2018 18:21:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525396888; cv=none;
        d=google.com; s=arc-20160816;
        b=yoARoVJyUjTt2c1D7QKKzhPvB849OX68/3IOdUb8oML8yBUU978F/wOVTwC8/s9B5P
         M6jr4ew2h7w5yTQR0HDZYUpSax0c5GxjmmfBTH2cLFG9hH2D1HwDn8OBVOCwxy3dsU/G
         9dKauoRZS/UalHAO7TRp1lvDEEnZRJrH7Zy3a+7fHAOIKJuRM4Sq2N1Z4ZRYQDBlSgOS
         ojRUh00vgFtyRbzIglM4ekj/G2HwbFF/qV3URXHQ300XsdiqZiFP2xt7Q/l9Ot4Zzgpp
         uJ5Gg7Sdl151dCyWTn66ONst5tDUXvOV2l3fpWa+LdO8lp2g1RfTfTG3/fFJIo4ofg1F
         nQRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:to:references
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:arc-authentication-results;
        bh=AhyH+1xSnpkDS4Idh7BZD+99baJqXhwiwjqhnvS0OzQ=;
        b=WGWwkDoWyNisnLXMeSEIazi3dICvkFNxyQrwNeKiLi48XYdmJdTvBu3k7qtt+VIgRo
         2utlob3yHhOoTmu5SYksCNq1wWmcbfjVfoIP1cKYxtUDE7hVZtu96Cm1V4exGLBGBfKz
         HWHhCtEG09UlyBWWAiFfkrtNR4gyymFP7O/+hP1r6l5mgcLpKU80IdffDPdJr71Wlxmh
         +8KHnvQ+z//ZU4aUbnEMsv9GDaGSD+mys/wE9Bsli+gbSQlIl46UH9FRADL3HYV0fmNE
         gcrsyD3n7bX6S+8u7hIXvdFveAjx6mCWmKKWxIgF19OHNVXph9eUCKfciAs+xWbpT6Xi
         8qCg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v12-v6si15249868plz.33.2018.05.03.18.21.14;
        Thu, 03 May 2018 18:21:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751461AbeEDBU3 convert rfc822-to-8bit (ORCPT
        <rfc822;ereslibre@gmail.com> + 99 others);
        Thu, 3 May 2018 21:20:29 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:46494 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751423AbeEDBUX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 May 2018 21:20:23 -0400
Received: from pps.filterd (m0098396.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w441JETx143447
        for <linux-kernel@vger.kernel.org>; Thu, 3 May 2018 21:20:23 -0400
Received: from e13.ny.us.ibm.com (e13.ny.us.ibm.com [129.33.205.203])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2hramkx913-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 03 May 2018 21:20:22 -0400
Received: from localhost
        by e13.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <mkayaalp@linux.vnet.ibm.com>;
        Thu, 3 May 2018 21:20:21 -0400
Received: from b01cxnp23032.gho.pok.ibm.com (9.57.198.27)
        by e13.ny.us.ibm.com (146.89.104.200) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Thu, 3 May 2018 21:20:18 -0400
Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107])
        by b01cxnp23032.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w441KFeq47382684;
        Fri, 4 May 2018 01:20:17 GMT
Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id EE65F12403D;
        Thu,  3 May 2018 22:22:15 -0400 (EDT)
Received: from [9.85.172.130] (unknown [9.85.172.130])
        by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP id AD026124035;
        Thu,  3 May 2018 22:22:15 -0400 (EDT)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Subject: Re: [PATCH v6 0/4] Certificate insertion support for x86 bzImages
From:   Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
In-Reply-To: <1525383720.3539.76.camel@linux.vnet.ibm.com>
Date:   Thu, 3 May 2018 21:20:16 -0400
Cc:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        Keyrings <keyrings@vger.kernel.org>,
        Linux Integrity <linux-integrity@vger.kernel.org>,
        Linux Security <linux-security-module@vger.kernel.org>,
        Linux Kernel <linux-kernel@vger.kernel.org>,
        Stefan Berger <stefanb@linux.vnet.ibm.com>,
        George Wilson <gcwilson@us.ibm.com>,
        Mike Rapoport <rppt@linux.vnet.ibm.com>,
        Patrick Callaghan <patrickc@us.ibm.com>
Content-Transfer-Encoding: 8BIT
References: <20180502230811.2751-1-mkayaalp@linux.vnet.ibm.com>
 <alpine.LRH.2.21.1805040311050.12843@namei.org>
 <1525383720.3539.76.camel@linux.vnet.ibm.com>
To:     James Morris <jmorris@namei.org>
X-Mailer: Apple Mail (2.3445.6.18)
X-TM-AS-GCONF: 00
x-cbid: 18050401-0008-0000-0000-00000302904A
X-IBM-SpamModules-Scores: 
X-IBM-SpamModules-Versions: BY=3.00008965; HX=3.00000241; KW=3.00000007;
 PH=3.00000004; SC=3.00000258; SDB=6.01027141; UDB=6.00524651; IPR=6.00806274;
 MB=3.00020917; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-04 01:20:20
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18050401-0009-0000-0000-000039203FCF
Message-Id: <04EE0041-8DF1-4FF3-9C59-64ECF0182CC5@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-03_10:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1805040011
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> On May 3, 2018, at 5:42 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> On Fri, 2018-05-04 at 03:11 +1000, James Morris wrote:
>> On Wed, 2 May 2018, Mehmet Kayaalp wrote:
>> 
>>> These patches add support for modifying the reserved space for extra
>>> certificates in a compressed bzImage in x86. This allows separating the
>>> system keyring certificate from the kernel build process. After the kernel
>>> image is distributed, the insert-sys-cert script can be used to insert the
>>> certificate for x86.
>> 
>> Can you provide more explanation of how this is useful and who would use 
>> it?
> 
> I'm involved in a number projects that rely on a kernel build group to
> actually build kernels for their systems.  Reserving memory for
> additional public keys, allows product groups to insert public keys
> post build.  Initially the product groups might insert development
> keys, but eventually they would insert the product's public key.
> 
> Mimi

With CONFIG_SYSTEM_TRUSTED_KEYRING, we have a system keyring populated
with keys that we trust. Initial keys are compiled-in:
-The module signing key, as specified by CONFIG_MODULE_SIG_KEY,
-Additional keys, as specified by CONFIG_SYSTEM_TRUSTED_KEYS.

In userspace, we can add more keys to the system keyring, only if they can be
verified by keys already in the keyring.

In kernel or modules, we can bypass this restriction by using the
KEY_ALLOC_BYPASS_RESTRICTION flag. As far as I can tell, only the compiled-in
keys are loaded this way in the upstream kernel.

Other asymmetric keyrings can specify the same restriction using the
"builtin_trusted" option. Currently, CONFIG_INTEGRITY_TRUSTED_KEYRING creates
".ima" and ".evm" keyrings with this restriction. As a result, in order to
add a key to an integrity keyring, either that key needs to be compiled-in,
or it must be signed with a key that is in the system keyring, which again
needs to be compiled-in.

If a user is not compiling their own kernel, and has no access to the module
signing key (or any other compiled-in key), then how can they add their own
keys to the integrity keyrings?

This patchset allows the user to take the kernel from a distro, insert their 
own key, sign the resulting image as required for their secure boot method,  
and when booted, the system keyring will include their key, which can be used 
to control the integrity keys.

An alternative way is to allow the "secondary" trusted keyring to verify the 
IMA keys with CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, but 
it is the same problem. Some distros carry patches that populate the 
secondary keyring with UEFI keys during kernel initialization, which would 
mean having access to a UEFI key (which is also needed with this patchset, 
for signing the resulting image), would be enough to add integrity keys. But 
that is much more permissive, since ANY key that goes into the secondary 
keyring, coming from UEFI, could then be used to control the integrity keys. 

Mehmet