Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp278973pxb; Mon, 8 Feb 2021 23:20:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJwfN5arsCUaoZ/4sEK+JOW+ehPXElICVoyUAwLsMtWCOeFwd9jElW7HKXZZp5ivKEHqOfTv X-Received: by 2002:a05:6402:35ca:: with SMTP id z10mr21691145edc.174.1612855238533; Mon, 08 Feb 2021 23:20:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612855238; cv=none; d=google.com; s=arc-20160816; b=h7BoRXezyIEcIpZwcPFCY+GVE9WFHTN1DfUz0hYBy8GNcPyiKHMbknWcM99XhY+R+1 7siTkvYVbJu/UJh6gNforQdVxJE2mbOAeZsrtD8xQVMS7fleBdI/lTkVnq8vva+eyEye 4FeUGRWZOMOap73/0i+m8n1+J0ZmThHtzcr5HwHZy4tGlE95dzv6jGz9fu3BuBPAMlGg mdt4fdl2rs1ivN8lKB5TE2h4nWCHWqKl3KvOTTPL37KEFi/qNKPGryrp2GZJA2Fa6WZT Q69XI+OAaMHNNaBRMJBHkJRVs6FfZu3ENEz4cdZG6PUn7uK54tDH7mF0s62TjEQMSLor /CdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=3JGGQ7G931Lcs38TUcwdfct7Sei7eM6xcXqjtyt+bRo=; b=nXLhZ/8jPRXfPjIFvC2nBN+BY2Qt3gpEKqdCrzj60AggtX7XWyELEXLiyMVUo7rHDm Ia+jqtsPQchHy9jcJ3qRMQ3Qi8Hzmo/77+KYWLLwesN8zKKEPQY9eGca251npeN40uP8 5M9lK1T7uf+XxZjWl7eWr97PXMAsQsMmiJ0dho5aAaOCPr/Ehau3amuv5HOqG8WiAgcj fEAl2CV/RalpXFyD1fXUbnza83CTJkBvpCTHptQ56huYlDjVeQfY9gBgnu0uoGo1nudA RCAI2NCkz7J3HU27/prRFrSICFVbpHDhZU0TjjGHpIwz8fXv8afs96UurweHtKJsV9U6 ZIOg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m15si12767351eje.225.2021.02.08.23.20.14; Mon, 08 Feb 2021 23:20:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229464AbhBIHR3 (ORCPT + 99 others); Tue, 9 Feb 2021 02:17:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33104 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229584AbhBIHRY (ORCPT ); Tue, 9 Feb 2021 02:17:24 -0500 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 156A9C06178A for ; Mon, 8 Feb 2021 23:16:44 -0800 (PST) Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l9NGC-0006mV-H4; Tue, 09 Feb 2021 08:16:32 +0100 Received: from localhost ([127.0.0.1]) by ptx.hi.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1l9NGB-0000sq-8K; Tue, 09 Feb 2021 08:16:31 +0100 Message-ID: Subject: Re: Migration to trusted keys: sealing user-provided key? From: Jan =?ISO-8859-1?Q?L=FCbbe?= To: Mimi Zohar , Jarkko Sakkinen , Ahmad Fatoum , James Bottomley , David Howells , keyrings@vger.kernel.org, Sumit Garg Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, kernel@pengutronix.de Date: Tue, 09 Feb 2021 08:16:30 +0100 In-Reply-To: <9bd1eaab236f095f1dbdc01752c3c6f487f33525.camel@linux.ibm.com> References: <74830d4f-5a76-8ba8-aad0-0d79f7c01af9@pengutronix.de> <6dc99fd9ffbc5f405c5f64d0802d1399fc6428e4.camel@kernel.org> <8b9477e150d7c939dc0def3ebb4443efcc83cd85.camel@pengutronix.de> <64472434a367060ddce6e03425156b8312a5ad6c.camel@pengutronix.de> <0be34899c9686b95cd22aa016f466523579cbeed.camel@pengutronix.de> <9bd1eaab236f095f1dbdc01752c3c6f487f33525.camel@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.3-1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2001:67c:670:100:1d::c0 X-SA-Exim-Mail-From: jlu@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2021-02-08 at 16:50 -0500, Mimi Zohar wrote: > On Mon, 2021-02-08 at 15:38 +0100, Jan Lübbe wrote: > > > As it seems that this feature would not be appropriate for all use-cases and > > threat models, I wonder if making it optional would be acceptable. Something > > like: > > > > config TRUSTED_KEYS_IMPORT > > To me "IMPORT" implies from a trusted source, which this is not. > Perhaps "UNSAFE_IMPORT", "DEBUGGING_IMPORT, "DEVELOPMENT_IMPORT", ... > > Defining a Kconfig with any of these names and the other changes below, > makes it very clear using predefined key data is not recommended. My > concern with extending trusted keys to new trust sources is the > implication that the security/integrity is equivalent to the existing > discrete TPM. > > >         bool "Allow creating TRUSTED KEYS from existing key material" > >         depends on TRUSTED_KEYS > > Missing "default n" According to Documentation/kbuild/kconfig-language.rst: "The default value deliberately defaults to 'n' in order to avoid bloating the build.". So an explicit "default n" should not be needed. I'll add it though, for now. > >         help > >           This option adds support for creating new trusted keys from > > existing > >           key material supplied by userspace, instead of using random > > numbers. > >           As with random trusted keys, userspace cannot extract the plain- > > text > > Once defined, as with random trusted keys, userspace cannot ... > > >           key material again and will only ever see encrypted blobs. > >            > > > >           This option should *only* be enabled for use in a trusted > >           environment (such as during debugging/development or in a secured > >           factory). Also, consider using 'keyctl padd' instead of 'keyctl > > add' > > Even the "secured factory" is not a good idea. Please limit the usage > to debugging/development. > > >           to avoid exposing the plain-text key on the process command line. > > > >           If you are unsure as to whether this is required, answer N. > > The above would be fine. OK, that would result in: config TRUSTED_KEYS_DEVELOPMENT_IMPORT         bool "Allow creating TRUSTED KEYS from existing key material for development"         depends on TRUSTED_KEYS default n         help           This option adds support for creating new trusted keys from existing key material supplied by userspace, instead of using random numbers. Once defined,  as with random trusted keys, userspace cannot extract the plain-text key material again and will only ever see encrypted blobs.                      This option should *only* be enabled for debugging/development. Also, consider using 'keyctl padd' instead of 'keyctl add' to avoid exposing the plain-text key on the process command line.           If you are unsure as to whether this is required, answer N. Thanks, Jan -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |