Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp3038824rdb; Tue, 12 Sep 2023 23:05:57 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEZ7u18L2A1rScrsnh3VLs8shuFzPt4uwl8tV+Hysf3ZpbSHWImu9e/b/27Z6lQ8y5IPd6Y X-Received: by 2002:a17:902:e841:b0:1b6:bced:1dc2 with SMTP id t1-20020a170902e84100b001b6bced1dc2mr2403508plg.0.1694585157122; Tue, 12 Sep 2023 23:05:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694585157; cv=none; d=google.com; s=arc-20160816; b=PiHzyjzjGJhAKQksdkzphKCVp6WRQo5BS8ri4bytivQyM5hDFAOIdDXd/jJhYTQfpe CIAnuy3rN+0XKcnjNWCuCagzd4Yq2bt4OfI20IZ73PBniRMFEyy8Bn9oL43+D7jv+Wv9 CXddO3hG8Emhum4UdwJ/OU8C7KFQkxt4w8JgG0yfSNa//o92i3RWIweKzxz3KKj9nlZZ pUSz7kq6ssOVxPSyd3PnCwXihh5pyl3XbXG/IK4N0rgDzDYZODnpNvK/jGxRjx0gQ94+ NwgFzNv8LiwURKPFzYPz5SAy/GXQE8sKFAm3zlpIRC4WxFsLEsf9mp/V9h0dR6H13li3 5ijw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=O5R4yk5s81mOKD4h+HS+3H/HYrvHD/FA/TtAzZs+wtk=; fh=FfxY806JHYH5HalSYs3mhe1V4pvkBu6Z7UVTvIcllew=; b=mL96FpnbZb4t7vzcuGuZCy8gpnQnQ+5ZpgDawyzd/RQIGf/dd9CtoHP9erWOw/yao8 icW2VrdtFRVrjqxoYWsgneXuFvwVdQr/PR8TZYkEF0Axaxff5ATW4oMerVEi2prUUQ24 GItSSIEc0xCH0nlXF7J4C5MgDeClSLe/Y52RExL5LX+iX5ZCixA2j0mvSR2g2d58bXpg vc+DHU6Hfzxn835TzzdxGm1hNiIC0agnkUo2YkDx++YNkAEXWm3t4/Fz9d3AbAH0Q+5j Sz2pvIdeRScy7wIpbudiqGKHabpAaYjkN4zr7IuyPoe0p9aXARHeydoI00Ns3aEvatdI ytrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=k+gAYzMd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id u12-20020a170902e5cc00b001b845157b69si10283747plf.414.2023.09.12.23.05.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Sep 2023 23:05:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=k+gAYzMd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 04601816038B; Tue, 12 Sep 2023 12:57:28 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232876AbjILT5Z (ORCPT + 99 others); Tue, 12 Sep 2023 15:57:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51388 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229500AbjILT5Y (ORCPT ); Tue, 12 Sep 2023 15:57:24 -0400 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5AFD41AE; Tue, 12 Sep 2023 12:57:20 -0700 (PDT) Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38CJcrws013557; Tue, 12 Sep 2023 19:56:57 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : to : cc : date : in-reply-to : references : content-type : mime-version : content-transfer-encoding; s=pp1; bh=O5R4yk5s81mOKD4h+HS+3H/HYrvHD/FA/TtAzZs+wtk=; b=k+gAYzMdGXSJShL9MVK90k054Kmgtg0UMWgXF0bRV35WUl82jvT8kdk18L3i7fAqnv8W QpIQp2OhN4RMwNUjwIkVIIhzXD6WyzoWs7EeGjyUy64wdzR6lw5mXCGPr2lJWglVn8MZ MqNUcHwVfMxbKJtKevZse9oHVKYL7Y8Pyczj7VgqTcw6JihgBRviJeDqQDkNL9Vu3G0O HzzUZXdw9w6mX4uhpyJp9ZJUdnWaUmcl2FNh8f/WV+QXh/WC4I3OqwJB+cCvv6iJAURB EaKqeIycfLoDSECLZqOIik8f5emLufcxiurRHQQB4fEWgqoNVgSz6rDTsHmv0O9c1U6K Dw== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3t2wxc1087-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Sep 2023 19:56:56 +0000 Received: from m0360083.ppops.net (m0360083.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 38CJd6u1014071; Tue, 12 Sep 2023 19:56:56 GMT Received: from ppma22.wdc07v.mail.ibm.com (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3t2wxc107x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Sep 2023 19:56:56 +0000 Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1]) by ppma22.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 38CJcchK012069; Tue, 12 Sep 2023 19:56:55 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4]) by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3t13dyp022-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Sep 2023 19:56:55 +0000 Received: from smtpav01.wdc07v.mail.ibm.com (smtpav01.wdc07v.mail.ibm.com [10.39.53.228]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 38CJuriP39649768 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 12 Sep 2023 19:56:54 GMT Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D7EC758055; Tue, 12 Sep 2023 19:56:53 +0000 (GMT) Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 881865804B; Tue, 12 Sep 2023 19:56:52 +0000 (GMT) Received: from li-f45666cc-3089-11b2-a85c-c57d1a57929f.watson.ibm.com (unknown [9.31.99.213]) by smtpav01.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 12 Sep 2023 19:56:52 +0000 (GMT) Message-ID: Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING From: Mimi Zohar To: Jarkko Sakkinen , Michal =?ISO-8859-1?Q?Such=E1nek?= , Nayna Cc: linux-integrity@vger.kernel.org, Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, joeyli , Eric Snowberg , Nayna Jain , linuxppc-dev Date: Tue, 12 Sep 2023 15:56:52 -0400 In-Reply-To: References: <20230907165224.32256-1-msuchanek@suse.de> <20230907173232.GD8826@kitsune.suse.cz> <92e23f29-1a16-54da-48d1-59186158e923@linux.vnet.ibm.com> <20230912074116.GL8826@kitsune.suse.cz> Content-Type: text/plain; charset="ISO-8859-15" X-Mailer: Evolution 3.28.5 (3.28.5-22.el8) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: E3ajPj7DuwbxoSFWxRgrwOFdKkY5sMzQ X-Proofpoint-GUID: JgKj7eWT6P6o28yIE9BTYJDkdKpjp4DP X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.601,FMLib:17.11.176.26 definitions=2023-09-12_19,2023-09-05_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 bulkscore=0 spamscore=0 priorityscore=1501 impostorscore=0 mlxlogscore=999 phishscore=0 adultscore=0 lowpriorityscore=0 malwarescore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2308100000 definitions=main-2309120165 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 12 Sep 2023 12:57:28 -0700 (PDT) X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email On Tue, 2023-09-12 at 22:32 +0300, Jarkko Sakkinen wrote: > On Tue Sep 12, 2023 at 10:22 PM EEST, Mimi Zohar wrote: > > On Tue, 2023-09-12 at 12:49 +0300, Jarkko Sakkinen wrote: > > > On Tue Sep 12, 2023 at 10:41 AM EEST, Michal Such?nek wrote: > > > > On Mon, Sep 11, 2023 at 11:39:38PM -0400, Nayna wrote: > > > > > > > > > > On 9/7/23 13:32, Michal Such?nek wrote: > > > > > > Adding more CC's from the original patch, looks like get_maintainers is > > > > > > not that great for this file. > > > > > > > > > > > > On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote: > > > > > > > No other platform needs CA_MACHINE_KEYRING, either. > > > > > > > > > > > > > > This is policy that should be decided by the administrator, not Kconfig > > > > > > > dependencies. > > > > > > > > > > We certainly agree that flexibility is important. However, in this case, > > > > > this also implies that we are expecting system admins to be security > > > > > experts. As per our understanding, CA based infrastructure(PKI) is the > > > > > standard to be followed and not the policy decision. And we can only speak > > > > > for Power. > > > > > > > > > > INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf > > > > > certs. > > > > > > > > And that's the problem. > > > > > > > > From a distribution point of view there are two types of leaf certs: > > > > > > > > - leaf certs signed by the distribution CA which need not be imported > > > > because the distribution CA cert is enrolled one way or another > > > > - user generated ad-hoc certificates that are not signed in any way, > > > > and enrolled by the user > > > > > > > > The latter are vouched for by the user by enrolling the certificate, and > > > > confirming that they really want to trust this certificate. Enrolling > > > > user certificates is vital for usability or secure boot. Adding extra > > > > step of creating a CA certificate stored on the same system only > > > > complicates things with no added benefit. > > > > > > This all comes down to the generic fact that kernel should not > > > proactively define what it *expects* sysadmins. > > > > > > CA based infrastructure like anything is a policy decision not > > > a decision to be enforced by kernel. > > > > Secure boot requires a signature chain of trust. IMA extends the > > secure and trusted boot concepts to the kernel. Missing from that > > signature chain of trust is the ability of allowing the end > > machine/system owner to load other certificates without recompiling the > > kernel. The introduction of the machine keyring was to address this. > > > > I'm not questioning the end user's intent on loading local or third > > party keys via the normal mechanisms. If the existing mechanism(s) for > > loading local or third party keys were full-proof, then loading a > > single certificate, self-signed or not, would be fine. However, that > > isn't the reality. The security of the two-stage approach is simply > > not equivalent to loading a single certificate. Documentation could > > help the end user/system owner to safely create (and manage) separate > > certificate signing and code signing certs. > > > > Unlike UEFI based systems, PowerVM defines two variables trustedcadb > > and moduledb, for storing certificate signing and code signing > > certificates respectively. First the certs on the trustedcadb are > > loaded and then the ones on moduledb are loaded. > > There's pragmatic reasons to make things more open than they should be > in production. As a hardware example I still possess Raspberry Pi 3B for > test workloads because it has a broken TZ implementation. The world is > really bigger than production workloads. > > It would be better to document what you said rather than enforce the > right choice IMHO (e.g. extend Kconfig documentation). PowerVM LPARs are more about production workloads than a Raspberry Pi. :) -- thanks, Mimi