Date: Tue, 12 Sep 2023 01:04:47 +0300
Subject: Re: [PATCH] certs: Restrict blacklist updates to the secondary trusted keyring
From: "Jarkko Sakkinen"
To: "Mimi Zohar", "Eric Snowberg"
X-Mailer: aerc 0.14.0
References: <20230908213428.731513-1-eric.snowberg@oracle.com> <097a0413b27ed9792dc598ff184730bcf6ae8fcf.camel@linux.ibm.com>
In-Reply-To: <097a0413b27ed9792dc598ff184730bcf6ae8fcf.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon Sep 11, 2023 at 4:29 PM EEST, Mimi Zohar wrote:
> Hi Eric,
>
> On Fri, 2023-09-08 at 17:34 -0400, Eric Snowberg wrote:
> > Currently root can dynamically update the blacklist keyring if the hash
> > being added is signed and vouched for by the builtin trusted keyring.
> > Currently keys in the secondary trusted keyring cannot be used.
> >
> > Keys within the secondary trusted keyring carry the same capabilities as
> > the builtin trusted keyring. Relax the current restriction for updating
> > the .blacklist keyring and allow the secondary to also be referenced as
> > a trust source. Since the machine keyring is linked to the secondary
> > trusted keyring, any key within it may also be used.
> >
> > An example use case for this is IMA appraisal. Now that IMA both
> > references the blacklist keyring and allows the machine owner to add
> > custom IMA CA certs via the machine keyring, this adds the additional
> > capability for the machine owner to also do revocations on a running
> > system.
> >
> > IMA appraisal usage example to add a revocation for /usr/foo:
> >
> > sha256sum /bin/foo | awk '{printf "bin:" $1}' > hash.txt
> >
> > openssl smime -sign -in hash.txt -inkey machine-private-key.pem \
> >   -signer machine-certificate.pem -noattr -binary -outform DER \
> >   -out hash.p7s
> >
> > keyctl padd blacklist "$(< hash.txt)" %:.blacklist < hash.p7s
> >
> > Signed-off-by: Eric Snowberg
>
> The secondary keyring may include both CA and code signing keys. With
> this change any key loaded onto the secondary keyring may blacklist a
> hash. Wouldn't it make more sense to limit blacklisting
> certificates/hashes to at least CA keys?

I think a bigger issue is that if a kernel is updated with this patch it
will change the behavior. It has nothing to do with whether the "old" or
"new" is better; it is more like a kind of backwards compatibility issue.

BR, Jarkko
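As an added illustration, not code from the patch or from anyone in the thread, here is a Python model of the flow the commit message describes: the "bin:<sha256>" description that the awk pipeline builds, the vetting a description must pass, and the trust-source rule before and after the patch (builtin only versus builtin plus secondary, with the machine keyring linked into secondary). The keyring contents and key names are constructed, the vetting regex is my reading of certs/blacklist.c, and a set-membership test stands in for the PKCS#7 signature verification the kernel actually performs.

```python
import hashlib
import re
from pathlib import Path

# Description format built by the commit message's awk pipeline: "bin:<sha256>".
# Vetting rule (non-empty type before ':', then only lowercase hex digits) is my
# reading of certs/blacklist.c and is an assumption of this example.
DESC_RE = re.compile(r"^[^:]+:[0-9a-f]+$")

# Constructed key identifiers standing in for keys on the kernel keyrings. A real
# update is accepted only if its PKCS#7 signature verifies against a key on the
# trust-source keyring; the set-membership test below is a stand-in for that.
BUILTIN = {"builtin-ca"}
MACHINE = {"machine-owner-ca", "machine-code-signing"}
SECONDARY = {"secondary-ca"} | MACHINE  # machine keyring is linked into secondary


def hash_description(data: bytes, hash_type: str = "bin") -> str:
    """Same string as `sha256sum FILE | awk '{printf "bin:" $1}'` for FILE's bytes."""
    return f"{hash_type}:{hashlib.sha256(data).hexdigest()}"


def file_hash_description(path: str) -> str:
    return hash_description(Path(path).read_bytes())


def vet_description(desc: str) -> bool:
    return DESC_RE.match(desc) is not None


class Blacklist:
    """Model of the .blacklist keyring and of which keys may vouch for updates."""

    def __init__(self, allow_secondary: bool):
        # allow_secondary=False: the pre-patch rule (builtin keyring only).
        # allow_secondary=True: the relaxed rule the patch proposes.
        self.trusted = BUILTIN | (SECONDARY if allow_secondary else set())
        self.entries = set()

    def add(self, desc: str, signer: str) -> None:
        if not vet_description(desc):
            raise ValueError(f"malformed blacklist description {desc!r}")
        if signer not in self.trusted:
            raise PermissionError(f"{signer} is not on a trust-source keyring")
        self.entries.add(desc)

    def is_blacklisted(self, data: bytes) -> bool:
        """The question IMA appraisal asks before allowing a file to run."""
        return hash_description(data) in self.entries
```

With allow_secondary=False a machine-owner key is refused exactly as on a pre-patch kernel, which is the behavioural change Jarkko points at; with it enabled the same key may revoke any binary.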