Date: Tue, 12 Sep 2023 09:41:16 +0200
From: Michal Suchánek
To: Nayna
Cc: linux-integrity@vger.kernel.org, Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, joeyli, Eric Snowberg, Nayna Jain, Jarkko Sakkinen, linuxppc-dev
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
Message-ID: <20230912074116.GL8826@kitsune.suse.cz>
References: <20230907165224.32256-1-msuchanek@suse.de> <20230907173232.GD8826@kitsune.suse.cz> <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com>
In-Reply-To: <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)

On Mon, Sep 11, 2023 at 11:39:38PM -0400, Nayna wrote:
> 
> On 9/7/23 13:32, Michal Suchánek wrote:
> > Adding more CC's from the original patch, looks like get_maintainers is
> > not that great for this file.
> > 
> > On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
> > > No other platform needs CA_MACHINE_KEYRING, either.
> > > 
> > > This is policy that should be decided by the administrator, not Kconfig
> > > dependencies.
> 
> We certainly agree that flexibility is important. However, in this case,
> this also implies that we are expecting system admins to be security
> experts. As per our understanding, CA based infrastructure (PKI) is the
> standard to be followed and not the policy decision. And we can only speak
> for Power.
> 
> INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf
> certs.

And that's the problem.
From a distribution point of view there are two types of leaf certs:

 - leaf certs signed by the distribution CA which need not be imported
   because the distribution CA cert is enrolled one way or another
 - user generated ad-hoc certificates that are not signed in any way, and
   enrolled by the user

The latter are vouched for by the user by enrolling the certificate, and
confirming that they really want to trust this certificate.

Enrolling user certificates is vital for usability or secure boot. Adding an
extra step of creating a CA certificate stored on the same system only
complicates things with no added benefit.

> INTEGRITY_CA_MACHINE_KEYRING_MAX ensures that CA is only allowed to do key
> signing and not code signing.
> 
> Having CA signed certs also permits easy revocation of all leaf certs.

Revocation can also be done by removing the certificate from the keyring.
If the user can add it they should also be able to remove it.

> Loading certificates is completely new for Power Systems. We would like to
> make it as clean as possible from the start. We want to enforce CA signed
> leaf certificates (INTEGRITY_CA_MACHINE_KEYRING). As per
> keyUsage (INTEGRITY_CA_MACHINE_KEYRING_MAX), if we want more flexibility,
> probably a boot time override can be considered.

If a boot time override can exist it can as well be made permanent with a
Kconfig option.

I think that a boot time override is even more problematic for security than
a Kconfig option - the kernel arguments are rarely signed.

Thanks

Michal

> 
> Thanks & Regards,
> 
>     - Nayna
> 
> 
> > > 
> > > cc: joeyli
> > > Signed-off-by: Michal Suchanek
> > > ---
> > > security/integrity/Kconfig | 2 --
> > > 1 file changed, 2 deletions(-)
> > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > index 232191ee09e3..b6e074ac0227 100644
> > > --- a/security/integrity/Kconfig
> > > +++ b/security/integrity/Kconfig
> > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING > > > depends on INTEGRITY_ASYMMETRIC_KEYS > > > depends on SYSTEM_BLACKLIST_KEYRING > > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS > > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS > > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS > > > help > > > If set, provide a keyring to which Machine Owner Keys (MOK) may > > > be added. This keyring shall contain just MOK keys. Unlike keys > > > -- > > > 2.41.0 > > >
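Review bot: the hunk drops the two `select ... if LOAD_PPC_KEYS` lines, but the commit message ("No other platform needs CA_MACHINE_KEYRING, either. This is policy that should be decided by the administrator") does not say what happens to existing powerpc configurations. After this change a config that relied on `LOAD_PPC_KEYS` implying `INTEGRITY_CA_MACHINE_KEYRING` and `INTEGRITY_CA_MACHINE_KEYRING_MAX` builds with both unset, so the machine keyring no longer requires CA-signed leaf certs where it did before. State that behaviour change in the commit message and, if the Power defconfigs are meant to keep the old default, add `CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y` and `CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y` to them in the same series. The unchanged `depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS` context line shows the keyring itself stays available on Power, so only the default changes, not what can be enabled.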
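The two admission policies the thread argues over, as an added example (mine, not code from the thread or from the kernel tree) that needs only the openssl CLI and a POSIX shell. It constructs a distribution CA restricted to key signing, a leaf signed by that CA, a self-signed ad-hoc user certificate, and a dual-use CA that can also code-sign, then applies a "CA-signed leaves only" check (what the removed `select` forced on Power) and a "CA may only sign keys" check (what INTEGRITY_CA_MACHINE_KEYRING_MAX is described as enforcing). All file names, subjects, the config sections and the helper functions are assumptions made for the illustration; the checks mirror the behaviour described in the messages above, not the kernel's own verification code.

```shell
#!/bin/sh
# Added illustration for the CA_MACHINE_KEYRING discussion. Everything below
# is constructed test material; nothing here is kernel code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config with the three extension profiles used below
# (assumed names: ca_ext, dual_ext, leaf_ext).
CFG=$WORK/mok.cnf
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ dual_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, digitalSignature
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# mkcert NAME CN EXT_SECTION [ISSUER]: key + CSR, then either self-sign or
# sign with ISSUER's key. Files land in $WORK/NAME.{key,csr,pem}.
mkcert() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -CAcreateserial -days 30 -extfile "$CFG" -extensions "$3" \
            -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 30 -extfile "$CFG" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

mkcert ca   "Example Distro CA"         ca_ext          # key-signing-only CA
mkcert leaf "Distro kernel signing key" leaf_ext ca     # leaf signed by that CA
mkcert user "Local MOK"                 leaf_ext        # self-signed ad-hoc user cert
mkcert dual "Dual use CA"               dual_ext        # CA that can also code-sign
CA_PEM=$WORK/ca.pem; LEAF_PEM=$WORK/leaf.pem; USER_PEM=$WORK/user.pem; DUAL_PEM=$WORK/dual.pem

# The line following "X509v3 Key Usage" in the text dump, e.g.
# "Certificate Sign, CRL Sign".
key_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | sed -n '/X509v3 Key Usage/{n;p;}'
}

# _MAX-style rule as described in the thread: a CA key may sign keys but
# must not carry digitalSignature (code signing).
is_key_signing_only_ca() {
    ku=$(key_usage "$1")
    case $ku in
        *"Digital Signature"*) return 1 ;;   # could also sign code: rejected
        *"Certificate Sign"*)  return 0 ;;
        *)                     return 1 ;;   # not a CA key at all
    esac
}

# CA-required rule: the leaf must chain to an enrolled CA.
chains_to_ca() {          # $1 leaf, $2 CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Admission policy for the machine keyring (hypothetical helper).
#   ca    - only leaves signed by an enrolled CA (the forced powerpc default)
#   admin - any well-formed certificate the administrator chose to enrol
machine_keyring_accepts() {   # $1 policy, $2 cert, $3 CA bundle
    case $1 in
        ca)    chains_to_ca "$2" "$3" ;;
        admin) openssl x509 -in "$2" -noout >/dev/null 2>&1 ;;
        *)     return 2 ;;
    esac
}

# Demo table: the self-signed user cert is only admitted under "admin".
for c in "$LEAF_PEM" "$USER_PEM"; do
    for p in ca admin; do
        if machine_keyring_accepts "$p" "$c" "$CA_PEM"; then r=accept; else r=reject; fi
        printf '%-6s %-10s %s\n' "$p" "$(basename "$c")" "$r"
    done
done
```

Run it with any OpenSSL that supports `-extfile`/`-extensions` (1.0.2 or later). The interesting rows are `ca user.pem reject` against `admin user.pem accept`: the same self-signed certificate an administrator deliberately enrolled is refused once CA-signed leaves are mandatory, which is the usability point Michal makes, while `is_key_signing_only_ca` shows the separate property `_MAX` is described as enforcing, rejecting the dual-use CA but accepting the key-signing-only one.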