Date: Tue, 12 Sep 2023 00:15:30 +0300
From: "Jarkko Sakkinen"
To: "Denis Glazkov", "Sergey Shtylyov"
Cc: "dhowells@redhat.com", "dwmw2@infradead.org", "keyrings@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH v2] certs: Add option to disallow non-CA certificates in secondary trusted keying
References: <20230908121330.4076-1-d.glazkov@omp.ru>
In-Reply-To: <20230908121330.4076-1-d.glazkov@omp.ru>

On Fri Sep 8, 2023 at 3:14 PM EEST, Denis Glazkov wrote:
> The Linux kernel has an IMA (Integrity Measurement Architecture)
> subsystem to check the integrity of the file system based on digital
> signatures. IMA uses certificates in `.ima` keying to check integrity.
>
> Only certificates issued by one of the trusted CA (Certificate Authority)
> certificates can be added to the `.ima` keying.
>
> The Linux kernel now has a secondary trusted keying to which trusted
> certificates from user space can be added if you have superuser
> privileges. Previously, all trusted certificates were in the built-in
> trusted keying, which could not be modified from user space.
> Trusted certificates were placed in the built-in trusted keying at
> kernel compile time.
>
> The secondary trusted keying is designed so that any certificates that
> are signed by one of the trusted CA certificates in the built-in or
> secondary trusted keyring can be added to it.
>
> Let's imagine that we have the following certificate trust chain:
>
>              ┌───────────────────────────┬──────────────────────┐
>              │                           │     ┌───────┐        │
>              │                           │     │       │        │
> ┌────────────▼────────┐    ┌─────────────▼─────▼────┐  │  ┌─────┴─────┐
> │.builtin_trusted_keys│◄───┤.secondary_trusted_keys ├──┘  │    .ima   │
> ├─────────────────────┤    ├────────────────────────┤     ├───────────┤
> │    Root CA Cert     │-----► Intermediate CA Cert  │-----►  IMA Cert │
> └─────────────────────┘    └────────────────────────┘     └───────────┘
>
>            Issues                     Restricted by
>        -------------►                ──────────────►
>
> Since the IMA certificate is signed by a CA certificate from a secondary
> trusted keying, an attacker with superuser privileges will be able to
> add the IMA certificate to the secondary trusted keying. That is, the IMA
> certificate will become trusted.
>
> Since, with `CONFIG_MODULE_SIG` option enabled, modules can only be
> loaded into kernel space if they are signed with one of the trusted
> certificates, an attacker could sign untrusted kernel modules with
> the private key corresponding to the IMA certificate and successfully
> load the untrusted modules into kernel space.
>
> This patch adds the configuration that once enabled, only
> certificates that meet the following requirements can be added
> to the secondary trusted keying:
>
> 1. The certificate is a CA (Certificate Authority)
> 2. The certificate must be used for verifying a CA's signatures
> 3. The certificate must not be used for digital signatures
>
> Signed-off-by: Denis Glazkov

s/keying/keyring/ (multiple)

Have you considered instead making mod_verify_sig() more robust?
Obviously this would mean making selection of keys in
verify_pkcs7_signature() more robust (see the documentation of
'trusted_keys').

Then this would also be a less niche feature for distributors to pick
if it was just concerning module loading, and have the associated
config flag over there.

BR, Jarkko
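As an added illustration, not code from the patch under review or from the kernel, the three requirements quoted above can be stated as a predicate over a certificate's Basic Constraints and Key Usage extensions. The DER reader and the sample extension blocks below are constructed for this example only. Mapping requirement 2 to the keyCertSign bit and requirement 3 to the digitalSignature bit, and treating a missing Key Usage extension as failing requirement 2, are my assumptions about the intended semantics, not details taken from the patch.

```python
"""
Policy check modelled on the three requirements in the quoted patch
description: a certificate may enter the secondary trusted keyring only
if it (1) is a CA, (2) may sign certificates (keyCertSign) and (3) is not
usable for digital signatures.  The DER walker is a minimal stand-alone
reader written for this example, not the kernel's x509 parser, and the
sample extension blocks are constructed here, not taken from a real cert.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of
# the first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content octets to dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(ext_seq):
    """Map OID -> extnValue octets for a DER-encoded Extensions SEQUENCE."""
    tag, body, _ = read_tlv(ext_seq)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext)                # extnID
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                          # optional 'critical' BOOLEAN
            tag, val, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        exts[decode_oid(oid)] = val
    return exts


def parse_basic_constraints(val):
    """True if BasicConstraints carries cA=TRUE (DER omits cA when FALSE)."""
    _, body, _ = read_tlv(val)
    if body and body[0] == 0x01:
        _, flag, _ = read_tlv(body)
        return flag == b"\xff"
    return False


def parse_key_usage(val):
    """Return the set of KeyUsage bit names that are set."""
    _, body, _ = read_tlv(val)
    bits = body[1:]                              # body[0] = unused-bit count
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def secondary_keyring_allows(exts):
    """Apply the three requirements to a parsed extension map.
    Assumption: a missing KeyUsage extension fails requirement 2."""
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    ku = exts.get(OID_KEY_USAGE)
    is_ca = bc is not None and parse_basic_constraints(bc)
    usage = parse_key_usage(ku) if ku is not None else set()
    return is_ca and "keyCertSign" in usage and "digitalSignature" not in usage


# --- constructed sample data (not from any real certificate) -------------
def tlv(tag, body):
    """Minimal DER encoder for lengths < 128; enough for the samples."""
    return bytes([tag, len(body)]) + body

def extension(oid_bytes, inner):
    return tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x01, b"\xff") + tlv(0x04, inner))

BC_OID, KU_OID = bytes.fromhex("551d13"), bytes.fromhex("551d0f")

# Intermediate CA: cA=TRUE, keyUsage = keyCertSign|cRLSign (bits 5,6 -> 0x06, 1 unused bit)
CA_EXTS = tlv(0x30, extension(BC_OID, tlv(0x30, tlv(0x01, b"\xff")))
                  + extension(KU_OID, tlv(0x03, b"\x01\x06")))
# Leaf IMA cert: cA=FALSE (empty SEQUENCE), keyUsage = digitalSignature (bit 0 -> 0x80)
IMA_EXTS = tlv(0x30, extension(BC_OID, tlv(0x30, b""))
                   + extension(KU_OID, tlv(0x03, b"\x07\x80")))
# Mis-issued CA that also carries digitalSignature: requirement 3 rejects it
MIXED_EXTS = tlv(0x30, extension(BC_OID, tlv(0x30, tlv(0x01, b"\xff")))
                     + extension(KU_OID, tlv(0x03, b"\x01\x86")))

if __name__ == "__main__":
    for label, der in [("Intermediate CA", CA_EXTS), ("IMA cert", IMA_EXTS),
                       ("CA + digitalSignature", MIXED_EXTS)]:
        verdict = "allowed" if secondary_keyring_allows(parse_extensions(der)) else "rejected"
        print(f"{label}: {verdict}")
```

With this predicate the Root and Intermediate CA certificates of the quoted diagram pass and the leaf IMA certificate is rejected, which closes the path the patch description is concerned with. The alternative Jarkko raises is to apply the same kind of key selection at module-signature verification time (in verify_pkcs7_signature() via the trusted_keys restriction) rather than at keyring insertion time.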