Message-ID: <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com>
Date: Mon, 11 Sep 2023 23:39:38 -0400
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
To: Michal Suchánek, linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, joeyli, Eric Snowberg, Nayna Jain, Jarkko Sakkinen, linuxppc-dev
References: <20230907165224.32256-1-msuchanek@suse.de> <20230907173232.GD8826@kitsune.suse.cz>
From: Nayna
In-Reply-To: <20230907173232.GD8826@kitsune.suse.cz>

On 9/7/23 13:32, Michal Suchánek wrote:
> Adding more CC's from the original patch, looks like get_maintainers is
> not that great for this file.
>
> On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
>> No other platform needs CA_MACHINE_KEYRING, either.
>>
>> This is policy that should be decided by the administrator, not Kconfig
>> dependencies.

We certainly agree that flexibility is important. However, in this case, this also implies that we are expecting system admins to be security experts. As per our understanding, CA-based infrastructure (PKI) is the standard to be followed and not the policy decision. And we can only speak for Power.

INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA-signed leaf certs. INTEGRITY_CA_MACHINE_KEYRING_MAX ensures that the CA is only allowed to do key signing and not code signing. Having CA-signed certs also permits easy revocation of all leaf certs.

Loading certificates is completely new for Power Systems. We would like to make it as clean as possible from the start. We want to enforce CA-signed leaf certificates (INTEGRITY_CA_MACHINE_KEYRING). As per keyUsage (INTEGRITY_CA_MACHINE_KEYRING_MAX), if we want more flexibility, probably a boot time override can be considered.

Thanks & Regards,
    - Nayna

>>
>> cc: joeyli
>> Signed-off-by: Michal Suchanek
>> ---
>> security/integrity/Kconfig | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
>> index 232191ee09e3..b6e074ac0227 100644
>> --- a/security/integrity/Kconfig
>> +++ b/security/integrity/Kconfig
>> @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
>> depends on INTEGRITY_ASYMMETRIC_KEYS
>> depends on SYSTEM_BLACKLIST_KEYRING
>> depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
>> - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
>> - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
>> help
>> If set, provide a keyring to which Machine Owner Keys (MOK) may
>> be added. This keyring shall contain just MOK keys. Unlike keys
>> --
>> 2.41.0
>>
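Review bot: dropping the two `select ... if LOAD_PPC_KEYS` lines changes the default for existing powerpc configurations without saying so. Once the selects are gone, a PPC build that does not explicitly enable INTEGRITY_CA_MACHINE_KEYRING will link non-CA and code-signing certificates into the machine keyring, which is precisely what the removed lines prevented. If the intent is to leave the choice to the administrator rather than to relax the default, consider replacing the selects with `default y if LOAD_PPC_KEYS` on INTEGRITY_CA_MACHINE_KEYRING and INTEGRITY_CA_MACHINE_KEYRING_MAX so the stricter behaviour stays the default while remaining overridable, and in any case state the behaviour change in the commit message.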
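To make the two restrictions discussed in this thread concrete, here is a small Python model of what the reply says INTEGRITY_CA_MACHINE_KEYRING and INTEGRITY_CA_MACHINE_KEYRING_MAX enforce, plus the revocation point. It is an added example, not kernel code and not code from either participant. The `Cert` record, the flag names and the four constructed certificates are assumptions standing in for parsed X.509 basicConstraints and keyUsage; the kernel applies these checks when a certificate is linked into the machine keyring and when a leaf is verified against it.

```python
# Added example: a model of the machine-keyring CA restrictions described in
# the thread. Not kernel code; the records and flag names are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    subject: str
    issuer: str
    is_ca: bool                              # basicConstraints CA flag
    key_usage: frozenset = field(default_factory=frozenset)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def machine_keyring_accepts(cert: Cert, ca_keyring: bool, ca_keyring_max: bool):
    """Decide whether a cert may be linked into the machine keyring.

    ca_keyring     models INTEGRITY_CA_MACHINE_KEYRING: only self-signed CA
                   certs carrying keyCertSign may enter the keyring, so every
                   trusted leaf must be CA-signed.
    ca_keyring_max models INTEGRITY_CA_MACHINE_KEYRING_MAX: such a CA must not
                   also carry digitalSignature, i.e. it signs keys, not code.
    Returns (accepted, reason).
    """
    if not ca_keyring:
        return True, "no CA restriction: any certificate is accepted"
    if not cert.self_signed or not cert.is_ca:
        return False, "not a self-signed CA certificate"
    if "keyCertSign" not in cert.key_usage:
        return False, "CA lacks keyCertSign"
    if ca_keyring_max and "digitalSignature" in cert.key_usage:
        return False, "CA also has digitalSignature (could sign code)"
    return True, "accepted"


def build_keyring(candidates, ca_keyring: bool, ca_keyring_max: bool):
    """Apply the policy to every candidate and keep those that pass."""
    return [c for c in candidates
            if machine_keyring_accepts(c, ca_keyring, ca_keyring_max)[0]]


def leaf_trusted(leaf: Cert, keyring) -> bool:
    """A leaf is trusted only if a key in the keyring is its issuer.
    Without the CA restriction a self-signed leaf can sit in the keyring
    and vouch for itself; with it, the issuer is always a CA."""
    return (not leaf.is_ca
            and any(k.subject == leaf.issuer for k in keyring))


def trusted_leaves(keyring, leaves):
    return [leaf.subject for leaf in leaves if leaf_trusted(leaf, keyring)]


def revoke(keyring, ca_subject: str):
    """Removing one CA withdraws trust from every leaf it issued at once,
    which is the easy-revocation property the reply refers to."""
    return [k for k in keyring if k.subject != ca_subject]


# Constructed sample certificates (not real keys or real subjects).
ROOT_CA = Cert("Power CA", "Power CA", True,
               frozenset({"keyCertSign", "cRLSign"}))
DUAL_CA = Cert("Dual CA", "Dual CA", True,
               frozenset({"keyCertSign", "digitalSignature"}))
LEAF = Cert("kmod-signer", "Power CA", False, frozenset({"digitalSignature"}))
SELF_LEAF = Cert("standalone", "standalone", False,
                 frozenset({"digitalSignature"}))
CANDIDATES = [ROOT_CA, DUAL_CA, LEAF, SELF_LEAF]


if __name__ == "__main__":
    for ca, ca_max in ((False, False), (True, False), (True, True)):
        keyring = build_keyring(CANDIDATES, ca, ca_max)
        print(f"CA_KEYRING={ca} MAX={ca_max}: keyring="
              f"{[k.subject for k in keyring]} "
              f"trusted leaves={trusted_leaves(keyring, [LEAF, SELF_LEAF])}")
    strict = build_keyring(CANDIDATES, True, True)
    print("after revoking Power CA:",
          trusted_leaves(revoke(strict, "Power CA"), [LEAF]))
```

Running it shows the three regimes side by side: with neither option the self-signed leaf vouches for itself, with CA_MACHINE_KEYRING only the two CAs are admitted (including the one that could also sign code), and with the MAX option only the key-signing-only CA remains; revoking that CA then drops every leaf it issued.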