Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp804531pxb; Tue, 12 Apr 2022 13:56:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyuwzYJMvDqrey3+VKbKJJGRU19Wy/gtTp3HRMwVQhp64uCdPFMWa6o+w/swaxbMNNPXFNp X-Received: by 2002:a17:90a:b10d:b0:1cb:a19b:1610 with SMTP id z13-20020a17090ab10d00b001cba19b1610mr7007472pjq.138.1649797013273; Tue, 12 Apr 2022 13:56:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649797013; cv=none; d=google.com; s=arc-20160816; b=ZCncctQnKHOwAgPbIQ6o/oX8wKDD426xlrtqPwY6rwPTI/gUcKOGScYKctU7lpFzKA ywFdyv+hyDde9v+F32rn61brx3BlJoMK7YevNPgfyBRTNeavh//GzclDja0iCq3Z0pvW OoeuWcSZOcrL0CFyuysYIABcAg+hWfYWS3v5VyMemceH4kVAQCT4mWkPFL3opFvhOUhF MI0K08U/XaQXMcVb2t0hfwq9gt5EcbN+5V4yBc/qGXaTJ+wwpYfLChw+WYvcPVZXtD6h ZFO/3JcUYFxn40+L1SvnqYK86cX/NSvDYNcL7dtzN9qhGrgAHlAKAo7J06dalhfjv5EN cTKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature; bh=PECqf0nEO5GbSIx3g8O+KBj0GWVwxGq+FKiYdeazjRg=; b=dyKlmKs2fqz7CUpcxI4R2xHPlKPYRASG2K8iAathNtSI7m/7L+9eZp26syJaq6NuJr e/7CE/ewZVdUH9xvRsNhI/B8vyMTWEFyyxDiHO/9z06MnQK/hT4lCJtJJroEZAohRc09 oJT+st54gQI/1nKBuJdYTWAgakb8kYe9wMJaHtMAKMKkN2aOuuQFdwywbs+V/JRU/u8u 6pXgB/UjRuDCdkf6PA+5Y0rXxoWEG435cgk1mUpqNv3nYMj7mMQ3kcLEfH2sDfI/irSt /ACWUcwJakr05QWyBcVBOwW2Zg0Y2MKoke50Q73a2CXl+J3WdhNRAQs6Vhw4RAPoQ7g4 NxGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=biUJyy87; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=sHxv0MRj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id f2-20020a63de02000000b0039d69028ffbsi3439294pgg.198.2022.04.12.13.56.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Apr 2022 13:56:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=biUJyy87; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=sHxv0MRj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 3828042494; Tue, 12 Apr 2022 13:20:35 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348845AbiDKR1M (ORCPT + 99 others); Mon, 11 Apr 2022 13:27:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36248 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348835AbiDKR1J (ORCPT ); Mon, 11 Apr 2022 13:27:09 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55B5115FF4; Mon, 11 Apr 2022 10:24:54 -0700 (PDT) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id DCF9C21606; Mon, 11 Apr 2022 17:24:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1649697892; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PECqf0nEO5GbSIx3g8O+KBj0GWVwxGq+FKiYdeazjRg=; b=biUJyy87RgJUmRdy4kFrI7/f9uix+to50p9xpy143vPw0UBkNoG3V6iIdaw8LWl49wK4BP TW0izLj7LeY4CssxvCxx9RFTfLFGTnpy50RUm9uzM9m4z1DSPkWBuElBaUO/3c2/VVufoU SA7yn9HWGft/bIgJ2+PuIzpEGzgi7eI= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1649697892; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PECqf0nEO5GbSIx3g8O+KBj0GWVwxGq+FKiYdeazjRg=; b=sHxv0MRjI9JoElivSlBO8zbQFGmH8KfRgd6JYuZSZ6jzhxLy9tRg86s/egEj5dHwyesFNy FmxE8/h3MI9rmeCw== Received: from kunlun.suse.cz (unknown [10.100.128.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 2298EA3B83; Mon, 11 Apr 2022 17:24:52 +0000 (UTC) Date: Mon, 11 Apr 2022 19:24:50 +0200 From: Michal =?iso-8859-1?Q?Such=E1nek?= To: Eric Snowberg Cc: David Howells , "dwmw2@infradead.org" , "ardb@kernel.org" , Jarkko Sakkinen , "jmorris@namei.org" , "serge@hallyn.com" , "nayna@linux.ibm.com" , Mimi Zohar , "keescook@chromium.org" , "torvalds@linux-foundation.org" , "weiyongjun1@huawei.com" , "keyrings@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-efi@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "James.Bottomley@hansenpartnership.com" , "pjones@redhat.com" , Konrad Wilk Subject: Re: [PATCH v10 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Message-ID: <20220411172450.GD163591@kunlun.suse.cz> References: <20220126025834.255493-1-eric.snowberg@oracle.com> <20220126025834.255493-9-eric.snowberg@oracle.com> <20220411110640.GC163591@kunlun.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 11, 2022 at 04:39:42PM +0000, Eric Snowberg wrote: > > > > On Apr 11, 2022, at 5:06 AM, Michal Suchánek wrote: > > > > Hello, > > > > On Tue, Jan 25, 2022 at 09:58:34PM -0500, Eric Snowberg wrote: > >> With the introduction of uefi_check_trust_mok_keys, it signifies the end- > > > > What value does such flag have? > > > > The user is as much in control of the flag as the MOK keys. > > The flag allows the system owner (not root) the ability to determine > if they want to load MOKList into the machine keyring. Keys contained > in the machine keyring are then linked to the secondary. The flag is no > different than the '—ignore-db' currently available in shim, which then > gets propagated to Linux (uefi_check_ignore_db). These flags can be > set by the system owner, who can prove physical presence. Managing the MOK keys requires physical presence equally. Moreover, these keys are trusted for running code at ring0, in fact the running kernel is expected to be signed by one of them, and can be signed by any of them. Then what exact purpose does this extra flag serve? If such compile-time flag exists in the kernel it cannot be overriden by the root once the kernel is signed, either. > >> user wants to trust the machine keyring as trusted keys. If they have > >> chosen to trust the machine keyring, load the qualifying keys into it > >> during boot, then link it to the secondary keyring . If the user has not > >> chosen to trust the machine keyring, it will be empty and not linked to > >> the secondary keyring. > > > > Why is importing the keys and using them linked together? > > > > If later we get, say, machine keyring on powerpc managed by secvarctl > > then it has its value to import the keyring and be able to list the > > content with the same tools on EFI and powerpc. > > The machine keyring is linked to the secondary keyring, exactly the same way > the builtin is linked to it. Linking this way should eliminate the need to change > any user space tools to list the contents. That's answer to a completely different question, though. You either import the keys and use them, or you don't use them and don't import them. The option to import and not use is not available. > > It also makes sense to be able to configure the kernel to import the > > keys and not use them. I don't see any value in configuring that in > > shim, though. shim is both source of the key material and the flag so > > the flag is redundant, it does not exist on existing shim versions > > installed on user systems, and it's unlikely to exist on other > > plaltforms, either. > > I’m sure other solutions to enable it will be accepted as well. I know Mimi was testing > without shim using a different method. Like not using that extra flag at all? Thanks Michal