Subject: Re: [PATCH] ima: Allow to import the blacklisted cert signed by secondary CA cert
From: Jia Zhang
To: Mimi Zohar, dhowells@redhat.com, dmitry.kasatkin@gmail.com
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, "Mark D. Baushke", Petko Manolov
Date: Fri, 2 Aug 2019 09:42:26 +0800
References: <1564622625-112173-1-git-send-email-zhang.jia@linux.alibaba.com> <1564700229.11223.9.camel@linux.ibm.com>
In-Reply-To: <1564700229.11223.9.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019/8/2 6:57 AM, Mimi Zohar wrote:
> Hi Jia,
>
> On Thu, 2019-08-01 at 09:23 +0800, Jia Zhang wrote:
>> Similar to .ima, the cert imported to .ima_blacklist is able to be
>> authenticated by a secondary CA cert.
>>
>> Signed-off-by: Jia Zhang
>
> The IMA blacklist, which is defined as experimental for a reason, was
> upstreamed prior to the system blacklist.  Any reason you're not using
> the system blacklist?  Before making this sort of change, I'd like
> some input from others.

In our trusted cloud service, the IMA private key is controlled by the
tenant for some reason. Some unprofessional operations made by the tenant
may lead to the leakage of the IMA private key. So importing the
blacklisted cert is necessary, without a system/kexec reboot; on the
contrary, the system blacklist needs a kernel rebuild and a system/kexec
reboot, without runtime and fine-grained control.

The secondary CA cert has a similar story, but it is not controlled by
the tenant. It is always imported during system/kexec boot to serve the
import of the IMA trusted cert and the IMA blacklisted cert.

Jia

>
> thanks,
>
> Mimi
>