Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp659944pxb; Wed, 13 Jan 2021 12:43:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJyrj2S07ym3wvybLlFpnnxaoSaECLsn67FiF0FqBBIZ7jSFUZHIag0K2aFgWBS0XYf5ONdI X-Received: by 2002:a17:906:56ca:: with SMTP id an10mr2936564ejc.498.1610570635883; Wed, 13 Jan 2021 12:43:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610570635; cv=none; d=google.com; s=arc-20160816; b=N3EanBjC2u5sLiBslwJ2a6vz/BIAPgRxnRPEUZFJylHMcp95ydplzdYgrMkRyedFCt D6HCPVK0l6VGqrndl2EqUuYdaqSmdBJ4wgDLypN2VwHFn0YzP2TjOcDFeywioX5gkH03 Vyu7I2iMuhddZNsVc0GAEqqG0uJ6X76tX1fMmKsnojloFaFmkIRvTnQajjdvOKlAbzel e7m4BtwiPO5FE7dBpw3alBov4SXj68byTH2A2uEHjvkhKCggxHsSd0/OVsj7LK+iuAzw F+ORpeT5z2FgnkuFin/DgXQkObiauU5x+6kgatRDrO5w4R/JT5lYKFdQ5FHeuZfEdbIK TvOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:organization:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:ironport-sdr :ironport-sdr; bh=J+7PjRqHdjWIuMk9seASvF+weKYKwszd0uY0lwrbOKM=; b=v72FHtIg9NaJUutKFjzqqyeYNlGACpCz9zS78EypBxlQJq8DxjPJ7MlG2f3QfulcmP jrFoYuks3IRugox2/lzeBDtsI132OfSBctw84gVYCW4pp808/ftzxrAenpWFBmEgwnrT w7XP0gq0jJb6NEFEb+D1vXltj0Ej9rKdhsqCPRw6aDeiK42OqOJW6ZBk7XFK1ZYNkIpl MirNa/I1JowLNUTFZ/t8ZW2eExpzvOnly9InIz2abFu0aARXuIu9I/A2FR8fWABPe9Vk GGlUXBNFFK79YL0wwQKsrGTMwxpkMMTaVLs2CnRBeaCDBImRlGA5CdLX3TPRNYpWbBXK vU1w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i16si1383197ejc.454.2021.01.13.12.43.35; Wed, 13 Jan 2021 12:43:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726599AbhAMUnV (ORCPT + 99 others); Wed, 13 Jan 2021 15:43:21 -0500 Received: from mga17.intel.com ([192.55.52.151]:54856 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725885AbhAMUnU (ORCPT ); Wed, 13 Jan 2021 15:43:20 -0500 IronPort-SDR: BqaGB00I+jlC5kgp/DHIu8bh76+w4eWrCEFnpHF7R6HP8XxaVwuesaLsnvEz1EA+gO2bGGDkuZ 9LECEuMvh5Dw== X-IronPort-AV: E=McAfee;i="6000,8403,9863"; a="158042589" X-IronPort-AV: E=Sophos;i="5.79,345,1602572400"; d="scan'208";a="158042589" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2021 12:41:34 -0800 IronPort-SDR: rik8a87SibAyMJx9YKB+Yvhcm7UmFbqnOu9ufcOhQmN2c4wRi6q5norGHVwSJSr2k/7CmYTXPb XZJ5/YuhbBig== X-IronPort-AV: E=Sophos;i="5.79,345,1602572400"; d="scan'208";a="381998210" Received: from oslutsk1-mobl1.ccr.corp.intel.com (HELO linux.intel.com) ([10.249.40.71]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2021 12:41:27 -0800 Date: Wed, 13 Jan 2021 22:41:22 +0200 From: Jarkko Sakkinen To: David Howells Cc: Eric Snowberg , dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, nayna@linux.ibm.com, Mimi Zohar , erichte@linux.ibm.com, mpe@ellerman.id.au, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v4] certs: Add EFI_CERT_X509_GUID support for dbx entries Message-ID: References: <20200916004927.64276-1-eric.snowberg@oracle.com> <1360578.1607593748@warthog.procyon.org.uk> <2442460.1610463459@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <2442460.1610463459@warthog.procyon.org.uk> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Jan 12, 2021 at 02:57:39PM +0000, David Howells wrote: > Eric Snowberg wrote: > > > > On Dec 10, 2020, at 2:49 AM, David Howells wrote: > > > > > > Eric Snowberg wrote: > > > > > >> Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID > > >> is found, it is added as an asymmetrical key to the .blacklist keyring. > > >> Anytime the .platform keyring is used, the keys in the .blacklist keyring > > >> are referenced, if a matching key is found, the key will be rejected. > > > > > > Ummm... Why this way and not as a blacklist key which takes up less space? > > > I'm guessing that you're using the key chain matching logic. We really only > > > need to blacklist the key IDs. > > > > I implemented it this way so that certs in the dbx would only impact > > the .platform keyring. I was under the impression we didn’t want to have > > Secure Boot UEFI db/dbx certs dictate keyring functionality within the kernel > > itself. Meaning if we have a matching dbx cert in any other keyring (builtin, > > secondary, ima, etc.), it would be allowed. If that is not how you’d like to > > see it done, let me know and I’ll make the change. > > I wonder if that is that the right thing to do. I guess this is a policy > decision and may depend on the particular user. Why would you want to allow dbx entry in any keyring? /Jarkko