Received: by 2002:a05:7412:f690:b0:e2:908c:2ebd with SMTP id ej16csp1086506rdb; Fri, 20 Oct 2023 08:06:10 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFX0RiLoQXyHoQgnpG+ITYQYWAmZaJep15XiLoeXNKIIfhQTIeFYL+NO3uzRjH1cEsKWQU+ X-Received: by 2002:a17:903:2447:b0:1c5:ecfc:2650 with SMTP id l7-20020a170903244700b001c5ecfc2650mr7259148pls.14.1697814370395; Fri, 20 Oct 2023 08:06:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697814370; cv=none; d=google.com; s=arc-20160816; b=ozilTrI4PQhqdO5Tl7ZNFDjfhizUXSLoaak0rPFIW5VDzZIE7bfVWYkzSzDRMK6bu5 gT9BU0fBfTqqQJ63oSmY13dFzyH0vQ7oMR8OoxnIB7fJgvxbnpxS92Q9evJRr64BMuLf sGYZMwyPKNC8AIGYHdU66sxPnXEmnf6eKq4vdfO8RmQ0CMxzywX7wlA8sZGwmf2snDtT wY1tEJ3RBJdrzYmrx34p2LOTY1v7gHTPC1Jeqe6pt++542b/64d0HRKk3Xti9HLqKuoA troy/v1WULa8fhnp6b2YUkEh4yk5xp1GHLOlx4xQFSoYw2P86nU3Aotm1U8d3QcWnNAQ Nq8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=fEwYQ59Y7v7aSssFlQAf1Gr3q8w7y2mQarClqUliuxE=; fh=HFXNyub40Ex1Fg01bDllEqLWOTj0PKhtHUedh+Pq464=; b=bjrXahYDBaYAx+E18i0WkTgtGeVfyPHPGO/EuyMxE2C85OA0D4becIHLwvLOvp6GrE Sp1d46jm6JZCSjms8bqeC4k5UxJstb/p2MS1waN7IuZqiB5zVihpr9Mt2HmKhrv+U4TJ 5VeAogW9m7ZXdlIDhR2R16cjneW5SMZEtsbEZrC2JtNsr0+Xc0/bewdx5qRgkppIsMhc xXURly5/T1n3wze23K+tzFlRaGtCmxbw5GIhd6k7ctdng0YsKNRQNnPPG4fQTKd/gMTY KaZ+q8JjQBSID7JveP/52LdckZKCGEIm/t1uAHYv0Zj6j1LszcNa5tuOVoXe/Q5wYBvE bQyw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b="1R/2CEEI"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id j14-20020a170902da8e00b001c5db1e47c3si2058703plx.553.2023.10.20.08.06.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Oct 2023 08:06:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b="1R/2CEEI"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 8B0118047057; Fri, 20 Oct 2023 08:05:49 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377577AbjJTPFm (ORCPT + 99 others); Fri, 20 Oct 2023 11:05:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51934 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377578AbjJTPFk (ORCPT ); Fri, 20 Oct 2023 11:05:40 -0400 Received: from smtp-bc0c.mail.infomaniak.ch (smtp-bc0c.mail.infomaniak.ch [IPv6:2001:1600:4:17::bc0c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1251FA for ; Fri, 20 Oct 2023 08:05:37 -0700 (PDT) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4SBnvg6nBDzMqHLL; Fri, 20 Oct 2023 15:05:35 +0000 (UTC) Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4SBnvg2176z3b; Fri, 20 Oct 2023 17:05:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1697814335; bh=njuqT2Dtzt8yD2SS29IDyPbGdkQ7KqlUSdyk8Y00fEw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=1R/2CEEIjZpCzEI5IaiHOAoSCZTzCcczh2J9P0+9cEY4bG5fjoD29S1DvB8v4fNZZ o3WWCJwyg3PKNRTtM0G4sRouZ0AOeGcLMiBpZMs5gytpno/ssnLjERUQzd6cgOKqvt x+zgYJnq4HfYZ7TsTo2KqnMTqxERGpY5ZIF5ONyM= Date: Fri, 20 Oct 2023 17:05:33 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Snowberg Cc: Paul Moore , Mimi Zohar , "Serge E. Hallyn" , Jarkko Sakkinen , David Howells , David Woodhouse , Kanth Ghatraju , Konrad Wilk , "linux-integrity@vger.kernel.org" , "keyrings@vger.kernel.org" , open list , linux-security-module , KP Singh Subject: Re: RFC: New LSM to control usage of x509 certificates Message-ID: <20231020.wae7johZae2i@digikod.net> References: <5c795b4cf6d7460af205e85a36194fa188136c38.camel@linux.ibm.com> <2512D2AE-4ACA-41B9-B9FB-C2B4802B9A10@oracle.com> <20231018.heiju2Shexai@digikod.net> <18FC67B7-7966-49B7-8C27-F815F1568781@oracle.com> <20231019.vair7OoRie7w@digikod.net> <0296DA27-7CAF-4605-AF67-3645F82BEE4D@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <0296DA27-7CAF-4605-AF67-3645F82BEE4D@oracle.com> X-Infomaniak-Routing: alpha X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Fri, 20 Oct 2023 08:05:49 -0700 (PDT) On Thu, Oct 19, 2023 at 11:08:38PM +0000, Eric Snowberg wrote: > > > > On Oct 19, 2023, at 3:12 AM, Mickaël Salaün wrote: > > > > On Wed, Oct 18, 2023 at 11:12:45PM +0000, Eric Snowberg wrote: > >> > >> > >>> On Oct 18, 2023, at 8:14 AM, Mickaël Salaün wrote: > >>> > >>> On Tue, Oct 17, 2023 at 07:34:25PM +0000, Eric Snowberg wrote: > >>>> > >>>> > >>>>> On Oct 17, 2023, at 12:51 PM, Paul Moore wrote: > >>>>> > >>>>> On Tue, Oct 17, 2023 at 1:59 PM Mimi Zohar wrote: > >>>>>> On Tue, 2023-10-17 at 13:29 -0400, Paul Moore wrote: > >>>>>>> On Tue, Oct 17, 2023 at 1:09 PM Mimi Zohar wrote: > >>>>>>>> On Tue, 2023-10-17 at 11:45 -0400, Paul Moore wrote: > >>>>>>>>> On Tue, Oct 17, 2023 at 9:48 AM Mimi Zohar wrote: > >>>>>>>>>> On Thu, 2023-10-05 at 12:32 +0200, Mickaël Salaün wrote: > >>>>>>>>>>>>>> A complementary approach would be to create an > >>>>>>>>>>>>>> LSM (or a dedicated interface) to tie certificate properties to a set of > >>>>>>>>>>>>>> kernel usages, while still letting users configure these constraints. > >>>>>>>>>>>>> > >>>>>>>>>>>>> That is an interesting idea. Would the other security maintainers be in > >>>>>>>>>>>>> support of such an approach? Would a LSM be the correct interface? > >>>>>>>>>>>>> Some of the recent work I have done with introducing key usage and CA > >>>>>>>>>>>>> enforcement is difficult for a distro to pick up, since these changes can be > >>>>>>>>>>>>> viewed as a regression. Each end-user has different signing procedures > >>>>>>>>>>>>> and policies, so making something work for everyone is difficult. Letting the > >>>>>>>>>>>>> user configure these constraints would solve this problem. > >>>>>>>>>> > >>>>>>>>>> Something definitely needs to be done about controlling the usage of > >>>>>>>>>> x509 certificates. My concern is the level of granularity. Would this > >>>>>>>>>> be at the LSM hook level or even finer granaularity? > >>>>>>>>> > >>>>>>>>> You lost me, what do you mean by finer granularity than a LSM-based > >>>>>>>>> access control? Can you give an existing example in the Linux kernel > >>>>>>>>> of access control granularity that is finer grained than what is > >>>>>>>>> provided by the LSMs? > >>>>>>>> > >>>>>>>> The current x509 certificate access control granularity is at the > >>>>>>>> keyring level. Any key on the keyring may be used to verify a > >>>>>>>> signature. Finer granularity could associate a set of certificates on > >>>>>>>> a particular keyring with an LSM hook - kernel modules, BPRM, kexec, > >>>>>>>> firmware, etc. Even finer granularity could somehow limit a key's > >>>>>>>> signature verification to files in particular software package(s) for > >>>>>>>> example. > >>>>>>>> > >>>>>>>> Perhaps Mickaël and Eric were thinking about a new LSM to control usage > >>>>>>>> of x509 certificates from a totally different perspective. I'd like to > >>>>>>>> hear what they're thinking. > >>>>>>>> > >>>>>>>> I hope this addressed your questions. > >>>>>>> > >>>>>>> Okay, so you were talking about finer granularity when compared to the > >>>>>>> *current* LSM keyring hooks. Gotcha. > >>>>>>> > >>>>>>> If we need additional, or modified, hooks that shouldn't be a problem. > >>>>>>> Although I'm guessing the answer is going to be moving towards > >>>>>>> purpose/operation specific keyrings which might fit in well with the > >>>>>>> current keyring level controls. > >>>>>> > >>>>>> I don't believe defining per purpose/operation specific keyrings will > >>>>>> resolve the underlying problem of granularity. > >>>>> > >>>>> Perhaps not completely, but for in-kernel operations I believe it is > >>>>> an attractive idea. > >>>> > >>>> Could the X.509 Extended Key Usage (EKU) extension [1], be used here? > >>>> Various OIDs would need to be defined or assigned for each purpose. > >>>> Once assigned, the kernel could parse this information and do the > >>>> enforcement. Then all keys could continue to remain in the .builtin, > >>>> .secondary, and .machine keyrings. Only a subset of each keyring > >>>> would be used for verification based on what is contained in the EKU. > >>>> > >>>> 1. https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12 > >>> > >>> I was also thinking about this kind of use cases. Because it might be > >>> difficult in practice to control all certificate properties, we might > >>> want to let sysadmins configure these subset of keyring according to > >>> various certificate properties. > >> > >> I agree, a configuration component for a sysadmin would be needed. > >> > >>> There are currently LSM hooks to control > >>> interactions with kernel keys by user space, and keys are already tied > >>> to LSM blobs. New LSM hooks could be added to dynamically filter > >>> keyrings according to kernel usages (e.g. kernel module verification, a > >>> subset of an authentication mechanism according to the checked object). > >> > >> If an LSM hook could dynamically filter keyrings, and the EKU was used, > >> is there an opinion on how flexible this should be? Meaning, should there > >> be OIDs defined and carried in mainline code? This would make it easier > >> to setup and use. However who would be the initial OID owner? Or would > >> predefined OIDs not be contained within mainline code, leaving it to the > >> sysadmin to create a policy that would be fed to the LSM to do the filtering. > > > > The more flexible approach would be to not hardcode any policy in the > > kernel but let sysadmins define their own, including OIDs. We "just" > > need to find an adequate configuration scheme to define these > > constraints. > > Also, with the flexible approach, the policy would need to be given to the > kernel before any kernel module loads, fs-verity starts, or anything dealing > with digital signature based IMA runs, etc. With hardcoded policies this > could be setup from the kernel command line or be set from a Kconfig. > I assume with a flexible approach, this would need to come in early within > the initram? Yes, either the cmdline and/or the initramfs. > > > We already have an ASN.1 parser in the kernel, so we might > > want to leverage that to match a certificate. > > We have the parser, however after parsing the certificate we do not > retain all the information within it. Some of the recent changes I have > done required modifications to the public_key struct. If there isn’t any > type of hard coded policy, what would be the reception of retaining the > entire cert within the kernel? I think it would make sense to have a default policy loaded at boot time, then load and take into account new pieces of policies at run time, but only parse/tag/assign a role to certificates/keys when they are loaded.