Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp3001131rdb;
        Tue, 12 Sep 2023 21:05:06 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGUYDyPKZjiJpBUNGFNo0RAuKvHDVx2BvKwhTToo7HOyF5NoxTvp9xBAeeyi0D8dqfJVsKM
X-Received: by 2002:a17:90a:db4a:b0:26b:56fa:87d3 with SMTP id u10-20020a17090adb4a00b0026b56fa87d3mr1045402pjx.31.1694577905977;
        Tue, 12 Sep 2023 21:05:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1694577905; cv=none;
        d=google.com; s=arc-20160816;
        b=KbD6v6ja3zv7WT9jG6KK2BypT2pycsVpmVbv/zD8m6X6YBBIniy+FMztSvYEeCipX3
         n1Yzcjj237u009mJm2nN7IRU0FKqzW2t1agHVTaqD9FRbtPmf2SfruHbs1D8XfEz6dfF
         SKznY24vrS2M4CuB7OH24eEbfFBPnvOOXpOWykpMgiZmj2fli8bM15g1DmtWXHzz7tnU
         psCzwL7ho756Cnbv5hdzzgXtiwqJWUhz2Y/RZsmYa0f+3xcW5hOeT9Nejzc0uZW9EjK8
         ibG3SpKY/txQ7lLVpQqL6NDaAvOEVc980bLsXfEmfqim/FzFmEvBgUDmmRtwU1Cn7yXx
         2Htw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature;
        bh=wWnLfUaBsk8/9XZq7ZQH7mewYkodHLrDkdq6gKH9nHs=;
        fh=FfxY806JHYH5HalSYs3mhe1V4pvkBu6Z7UVTvIcllew=;
        b=zcJflzgm0rur6AXY7b26NZvh0gicSwM4x2qaMy5mbm47qAiZimgxc+m3KgS6yG5ejw
         DUG/sIMIJWS9glYbitoWAJH20Nf77meShK8Uz8Oxcl6u4OgBIj+TuHbN8UEfwb+4iUrY
         zFpDrBuZgq2M5nHXF3U8ia9uES2m+sFkeI89Tsle5UI74KeH1An9M9KYKOVC1XgSHUQJ
         0A4rf8gT2BU1LS916WUuk8Ut95cMLD47oipIKxGTMZuhTh2u7CRlzpICOmsCF/rwJDfh
         YQDu0HJBr7TYBke1Wi0VdR0/TQIB2CTwIYVWOrGHEKvpYZYTZH0SI8luIomOEdoDQjDf
         LHXw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=b+rGIeot;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id q9-20020a17090311c900b001bbaa5e95fdsi9416317plh.102.2023.09.12.21.05.00
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 12 Sep 2023 21:05:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=b+rGIeot;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id B7A26816EBCA;
	Tue, 12 Sep 2023 12:22:56 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231559AbjILTWr (ORCPT <rfc822;bchau3440@gmail.com> + 99 others);
        Tue, 12 Sep 2023 15:22:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48696 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229781AbjILTWp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Sep 2023 15:22:45 -0400
Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7792C1;
        Tue, 12 Sep 2023 12:22:41 -0700 (PDT)
Received: from pps.filterd (m0353724.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38CJKReI027902;
        Tue, 12 Sep 2023 19:22:25 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject :
 from : to : cc : date : in-reply-to : references : content-type :
 mime-version : content-transfer-encoding; s=pp1;
 bh=wWnLfUaBsk8/9XZq7ZQH7mewYkodHLrDkdq6gKH9nHs=;
 b=b+rGIeotYwJ5mm+tN5Cg3Mvkl+ATz7Iwb3w7/mN+KOnolFN67Z3rNdqMH6TebkCJms/D
 juB77jj9kdSVl8cQORe+9OacFjlBnRTWD/W2vwnlwsQ2jmOXEo+vhEaDv+h4fbgae2FL
 KojfLqUQ4L6uc78RWLDMdwTDnmjZJSofYqK41V3DS+rMq2Bm15ImsVLVCoacAp8+A0Uc
 4QFyDgMtGExEkiHg0vmVAiPdCBJuQk8v1WecfWt3k4hj1nYk1eO5jDmkWbl1JR2CIZqM
 0Q42ej1ks0lqYnOQsSs5FOM3UC/UIbaXAlzmSviuQPTU1R+SmRkd19m5tgPn/rX9twco hw== 
Received: from pps.reinject (localhost [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3t2x24r0xe-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Tue, 12 Sep 2023 19:22:24 +0000
Received: from m0353724.ppops.net (m0353724.ppops.net [127.0.0.1])
        by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 38CJLjsN032516;
        Tue, 12 Sep 2023 19:22:24 GMT
Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3t2x24r0xa-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Tue, 12 Sep 2023 19:22:24 +0000
Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1])
        by ppma23.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 38CIOmoM002779;
        Tue, 12 Sep 2023 19:22:23 GMT
Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4])
        by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3t14hkweur-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Tue, 12 Sep 2023 19:22:23 +0000
Received: from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com [10.39.53.229])
        by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 38CJMMEN41353628
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Tue, 12 Sep 2023 19:22:22 GMT
Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 42AC758059;
        Tue, 12 Sep 2023 19:22:22 +0000 (GMT)
Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id E074058058;
        Tue, 12 Sep 2023 19:22:20 +0000 (GMT)
Received: from li-f45666cc-3089-11b2-a85c-c57d1a57929f.watson.ibm.com (unknown [9.31.99.213])
        by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP;
        Tue, 12 Sep 2023 19:22:20 +0000 (GMT)
Message-ID: <afba92bc2961c758d34ab340de207beb0a3b84b0.camel@linux.ibm.com>
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
From:   Mimi Zohar <zohar@linux.ibm.com>
To:     Jarkko Sakkinen <jarkko@kernel.org>,
        Michal =?ISO-8859-1?Q?Such=E1nek?= <msuchanek@suse.de>,
        Nayna <nayna@linux.vnet.ibm.com>
Cc:     linux-integrity@vger.kernel.org,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
        Paul Moore <paul@paul-moore.com>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, joeyli <jlee@suse.com>,
        Eric Snowberg <eric.snowberg@oracle.com>,
        Nayna Jain <nayna@linux.ibm.com>,
        linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
Date:   Tue, 12 Sep 2023 15:22:20 -0400
In-Reply-To: <CVGUFUEQVCHS.37OA20PNG9EVB@suppilovahvero>
References: <20230907165224.32256-1-msuchanek@suse.de>
         <20230907173232.GD8826@kitsune.suse.cz>
         <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com>
         <20230912074116.GL8826@kitsune.suse.cz>
         <CVGUFUEQVCHS.37OA20PNG9EVB@suppilovahvero>
Content-Type: text/plain; charset="ISO-8859-15"
X-Mailer: Evolution 3.28.5 (3.28.5-22.el8) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: 3IPyqn1Wmos6pu4cDwBz0Ld8z88iSZJL
X-Proofpoint-ORIG-GUID: Hba6BnrVByWDG4ASRxD3uNw2IT8kyZ52
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.601,FMLib:17.11.176.26
 definitions=2023-09-12_18,2023-09-05_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 impostorscore=0 suspectscore=0 spamscore=0 clxscore=1011
 lowpriorityscore=0 malwarescore=0 adultscore=0 mlxlogscore=997
 phishscore=0 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.12.0-2308100000 definitions=main-2309120160
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 12 Sep 2023 12:22:57 -0700 (PDT)
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email

On Tue, 2023-09-12 at 12:49 +0300, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 10:41 AM EEST, Michal Such?nek wrote:
> > On Mon, Sep 11, 2023 at 11:39:38PM -0400, Nayna wrote:
> > > 
> > > On 9/7/23 13:32, Michal Such?nek wrote:
> > > > Adding more CC's from the original patch, looks like get_maintainers is
> > > > not that great for this file.
> > > > 
> > > > On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
> > > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > > > 
> > > > > This is policy that should be decided by the administrator, not Kconfig
> > > > > dependencies.
> > > 
> > > We certainly agree that flexibility is important. However, in this case,
> > > this also implies that we are expecting system admins to be security
> > > experts. As per our understanding, CA based infrastructure(PKI) is the
> > > standard to be followed and not the policy decision. And we can only speak
> > > for Power.
> > > 
> > > INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf
> > > certs.
> >
> > And that's the problem.
> >
> > From a distribution point of view there are two types of leaf certs:
> >
> >  - leaf certs signed by the distribution CA which need not be imported
> >    because the distribution CA cert is enrolled one way or another
> >  - user generated ad-hoc certificates that are not signed in any way,
> >    and enrolled by the user
> >
> > The latter are vouched for by the user by enrolling the certificate, and
> > confirming that they really want to trust this certificate. Enrolling
> > user certificates is vital for usability or secure boot. Adding extra
> > step of creating a CA certificate stored on the same system only
> > complicates things with no added benefit.
> 
> This all comes down to the generic fact that kernel should not
> proactively define what it *expects* sysadmins.
> 
> CA based infrastructure like anything is a policy decision not
> a decision to be enforced by kernel.

Secure boot requires a signature chain of trust.  IMA extends the
secure and trusted boot concepts to the kernel. Missing from that
signature chain of trust is the ability of allowing the end
machine/system owner to load other certificates without recompiling the
kernel. The introduction of the machine keyring was to address this.

I'm not questioning the end user's intent on loading local or third
party keys via the normal mechanisms. If the existing mechanism(s) for
loading local or third party keys were full-proof, then loading a
single certificate, self-signed or not, would be fine. However, that
isn't the reality.  The security of the two-stage approach is simply
not equivalent to loading a single certificate.  Documentation could
help the end user/system owner to safely create (and manage) separate
certificate signing and code signing certs.

Unlike UEFI based systems, PowerVM defines two variables trustedcadb
and moduledb, for storing certificate signing and code signing
certificates respectively.  First the certs on the trustedcadb are
loaded and then the ones on moduledb are loaded.

-- 
thanks,

Mimi