Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp2571460rdb; Tue, 12 Sep 2023 06:10:44 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFVKR1kthGD8aHjnPt8R92Rv0JoYVw2qGrPujJeN2Sp+/f7JIwwJILW3mN+S6Ei7Njxse4D X-Received: by 2002:a17:902:e74b:b0:1b9:ea60:cd82 with SMTP id p11-20020a170902e74b00b001b9ea60cd82mr15171887plf.5.1694524243677; Tue, 12 Sep 2023 06:10:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694524243; cv=none; d=google.com; s=arc-20160816; b=sVYkvfS2A+UQbpbKxQ4dnF2t0j8ZzudHpHZQtLvNN+iUjjKDTtN/5BTPyFQ0FhBWDm o1vtDkYhfYE+h8ThsgEfcFDwAd7TKz2zkwx6qPHrRa0lphsiYE0ky4R9mCRn33UC38SA YLkf+uhNBvzpizNmQSuNAcQsc+gsTJAMnK7M8C07R34SX5cpG7yqpUoZ1E/vZsiMJrzr /HnhVMKzVMYtwXrlhtFwbPnCoR+xit/pNg9vUowAp3ccW5Yz0eo0Q0ToDXNzH8f9QQ3x BVumnilcBnEbULaxTgwaA68Nxy65Vy9zYP28337sElUtrBkbJRVv9HDtXH+RaFvE9d06 E2rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:to:from:subject:cc :message-id:date:content-transfer-encoding:mime-version :dkim-signature; bh=DerHbyglmsqa6ewiiFpmO+NvOiYLP3rm7st3oVwPHeI=; fh=k+BfFMxK1dVcw8Lglh7moliJ4EYKvWjutr3ZYdKfBOw=; b=MLx0+vDl1Yf38W/bwmvg0W6K5nOIjDExGiR8sSSYOswJHz9OXMvmJL6JZJL4avqTx3 AabPemohpg0TEgaYzeuneFLmnZJRove7GDwx5P8IrS7sZ6krpAQr3/K5q4t+ix6Y+VaM NsBEy5sCtgP4D/Ai9eUwSt+aLiChQC35AH5kG9u+CzLRtAFnbPEU1/w+Rx3NSo9TAAcx GrVvhXthNPRI24K2az74MrPJy7jHDku3/TXDQP7Z3YA3f2hLApbP+TbubPnwdKUPHOum beB/S2luXtLnVT1ako2BFpjFQZr0u30yz6bwWGW4sYtII0QC1EmLs0bGunocM66LDUvj Q4vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Jqu8WLZl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id kw3-20020a170902f90300b001bc02b730f3si7833902plb.242.2023.09.12.06.10.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Sep 2023 06:10:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Jqu8WLZl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id BA4E88725CC7; Mon, 11 Sep 2023 21:44:40 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241778AbjILDEQ (ORCPT + 99 others); Mon, 11 Sep 2023 23:04:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49808 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241362AbjILDD7 (ORCPT ); Mon, 11 Sep 2023 23:03:59 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4EDC1F9F5A; Mon, 11 Sep 2023 18:37:26 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A2359C116A9; Mon, 11 Sep 2023 22:01:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1694469695; bh=t0v/8DwhZ2XTEQS0bqVLXsYjSFysr5rhj5sH1kGkl+U=; h=Date:Cc:Subject:From:To:References:In-Reply-To:From; b=Jqu8WLZlx+u3A+ZjgZ4w+1ZrSjel5diyioaKxfCD3EU4XjjB2m/aNRfzgYqQuUCmO hNRXEjBrfRAV8+ZFgysEQt3/HLfNMErWaCdVpTGeYgwNreWYltqqDDf7rq41cntP0W imp1fr8hgHnuu4othbADNuOgzJgb7YPbleLcAen5LQRUWNXz1P9QfWof9QDLU5B+uS S3B1NVPN3ieNkEFr6+lmY3qWgIhKHZHsrKls42c8YqkevUmzbRPeXOp32QAkslaNRX P7PjG0CH64wEI5u0QrXzYO/kSKQ3Xxob7bbvsGHYvsPJFyEJqW3ugQ6iNTjjWLSRj2 A1cXjKiQ7b+Kg== Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Tue, 12 Sep 2023 01:01:31 +0300 Message-Id: Cc: , , , , , Subject: Re: [PATCH] certs: Restrict blacklist updates to the secondary trusted keyring From: "Jarkko Sakkinen" To: "Eric Snowberg" , , , X-Mailer: aerc 0.14.0 References: <20230908213428.731513-1-eric.snowberg@oracle.com> In-Reply-To: <20230908213428.731513-1-eric.snowberg@oracle.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Mon, 11 Sep 2023 21:44:40 -0700 (PDT) On Sat Sep 9, 2023 at 12:34 AM EEST, Eric Snowberg wrote: > Currently root can dynamically update the blacklist keyring if the hash > being added is signed and vouched for by the builtin trusted keyring. > Currently keys in the secondary trusted keyring can not be used. > > Keys within the secondary trusted keyring carry the same capabilities as > the builtin trusted keyring. Relax the current restriction for updating > the .blacklist keyring and allow the secondary to also be referenced as > a trust source. Since the machine keyring is linked to the secondary > trusted keyring, any key within it may also be used. > > An example use case for this is IMA appraisal. Now that IMA both > references the blacklist keyring and allows the machine owner to add > custom IMA CA certs via the machine keyring, this adds the additional > capability for the machine owner to also do revocations on a running > system. > > IMA appraisal usage example to add a revocation for /usr/foo: > > sha256sum /bin/foo | awk '{printf "bin:" $1}' > hash.txt > > openssl smime -sign -in hash.txt -inkey machine-private-key.pem \ > -signer machine-certificate.pem -noattr -binary -outform DER \ > -out hash.p7s > > keyctl padd blacklist "$(< hash.txt)" %:.blacklist < hash.p7s > > Signed-off-by: Eric Snowberg > --- > certs/Kconfig | 2 +- > certs/blacklist.c | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/certs/Kconfig b/certs/Kconfig > index 1f109b070877..23dc87c52aff 100644 > --- a/certs/Kconfig > +++ b/certs/Kconfig > @@ -134,7 +134,7 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE > depends on SYSTEM_DATA_VERIFICATION > help > If set, provide the ability to load new blacklist keys at run time if > - they are signed and vouched by a certificate from the builtin trusted > + they are signed and vouched by a certificate from the secondary trust= ed > keyring. The PKCS#7 signature of the description is set in the key > payload. Blacklist keys cannot be removed. > =20 > diff --git a/certs/blacklist.c b/certs/blacklist.c > index 675dd7a8f07a..0b346048ae2d 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -102,12 +102,12 @@ static int blacklist_key_instantiate(struct key *ke= y, > =20 > #ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE > /* > - * Verifies the description's PKCS#7 signature against the builtin > + * Verifies the description's PKCS#7 signature against the secondary > * trusted keyring. > */ > err =3D verify_pkcs7_signature(key->description, > strlen(key->description), prep->data, prep->datalen, > - NULL, VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); > + VERIFY_USE_SECONDARY_KEYRING, VERIFYING_UNSPECIFIED_SIGNATURE, NULL, = NULL); > if (err) > return err; > #else > --=20 > 2.39.3 What if a live system in the wild assumes the old policy? I feel that this is "sort of" breaking backwards compatibility but please prove me wrong. BR, Jarkko