Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3598076pxf;
        Mon, 15 Mar 2021 13:24:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwg5gAhRhkLdSKTyQPMq/8hIwoTro9nspKNihG/mRuwBlKPMUC1GNDpJgeCumH/9wbRg6k2
X-Received: by 2002:a17:906:3882:: with SMTP id q2mr25319458ejd.540.1615839890277;
        Mon, 15 Mar 2021 13:24:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1615839890; cv=none;
        d=google.com; s=arc-20160816;
        b=AHpirMDrGQ5YjnKABvPGBRarPt6F/sDqM3apkVs7kK6w3cF/QCJyItBz99PcBXsmqn
         QksGPATtiPsF4wnMJ5xl/ubZMvduaabiG+DAcpB98kskZ5TV0RyRfDYZtt8kRb9STnpQ
         vbejoMjGBjs3r0l54ciiPE0k1Hcvgxd2ih7afiNyCT2CfxnruFfMC8FO0ba8F1mW7ojG
         W/EE9YceyA1Aelr2zkROagunGhn0QG+vtc3wbSLwAtiNcOKTT2DuRtoX3y1ghqI08Izd
         o3EBskCp7I4ASkrfXFkJ1wKwPRI4g372Qwyzl0nM+u8DjOfkRrd1DNn4TRsWK4x4OjDe
         AUFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=Ndxg2sBdQhhR0h9zAD2GysJBt101J/4PI1ypr+0w0K4=;
        b=frK30hMgwcymda59WFKMnVXslRwyPrnigDUUr0Xpdot4T8uOgqu3KNIxUpASFcqELp
         2tbqIoYhBkLyockS3PeODqcGAZS3t+A2NiouICPk2UEfGRIqdFoLtfv7D8nbagzm/E0w
         2MHvJP05GL0SIP2+ZorNd3hQuMsJRTRBr2kF2sBiwKH0sAWYWSwoyROYHvoFZIRNeVva
         L7kYWjTPd2m3AbE07ckVjeS8VDGe02CVICxIan9rV9oIy/3Bs4P+lnoGtiB9QQlD6jGX
         8EFg5Zgg4hTfeIUvXq4pcYFnwLiXzmrD9RzjMAW+jRgRd/J94w1apJeuvnXfQ73j8TcV
         coIg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id qw16si10853419ejb.673.2021.03.15.13.24.07;
        Mon, 15 Mar 2021 13:24:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230239AbhCOSC1 (ORCPT <rfc822;toshivichauhan@gmail.com>
        + 99 others); Mon, 15 Mar 2021 14:02:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41344 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231361AbhCOSB6 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 15 Mar 2021 14:01:58 -0400
Received: from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch [IPv6:2001:1600:3:17::190f])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DF62C06175F
        for <linux-crypto@vger.kernel.org>; Mon, 15 Mar 2021 11:01:58 -0700 (PDT)
Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108])
        by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Dzkl642lMzMqGSq;
        Mon, 15 Mar 2021 19:01:54 +0100 (CET)
Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149])
        by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4Dzkl16VGbzlh8T3;
        Mon, 15 Mar 2021 19:01:49 +0100 (CET)
Subject: Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to
 the blacklist keyring
To:     Eric Snowberg <eric.snowberg@oracle.com>
Cc:     David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        "David S . Miller" <davem@davemloft.net>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        James Morris <jmorris@namei.org>,
        =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@linux.microsoft.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Tyler Hicks <tyhicks@linux.microsoft.com>,
        keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
        linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org
References: <20210312171232.2681989-1-mic@digikod.net>
 <20210312171232.2681989-6-mic@digikod.net>
 <A4CD568A-6D8E-4043-971B-8E79FFB58709@oracle.com>
From:   =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
Message-ID: <bd28dd0b-b183-44bd-1928-59e3e1274045@digikod.net>
Date:   Mon, 15 Mar 2021 19:01:36 +0100
User-Agent: 
MIME-Version: 1.0
In-Reply-To: <A4CD568A-6D8E-4043-971B-8E79FFB58709@oracle.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org


On 15/03/2021 17:59, Eric Snowberg wrote:
> 
>> On Mar 12, 2021, at 10:12 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>
>> Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
>> to dynamically add new keys to the blacklist keyring.  This enables to
>> invalidate new certificates, either from being loaded in a keyring, or
>> from being trusted in a PKCS#7 certificate chain.  This also enables to
>> add new file hashes to be denied by the integrity infrastructure.
>>
>> Being able to untrust a certificate which could have normaly been
>> trusted is a sensitive operation.  This is why adding new hashes to the
>> blacklist keyring is only allowed when these hashes are signed and
>> vouched by the builtin trusted keyring.  A blacklist hash is stored as a
>> key description.  The PKCS#7 signature of this description must be
>> provided as the key payload.
>>
>> Marking a certificate as untrusted should be enforced while the system
>> is running.  It is then forbiden to remove such blacklist keys.
>>
>> Update blacklist keyring, blacklist key and revoked certificate access rights:
>> * allows the root user to search for a specific blacklisted hash, which
>>  make sense because the descriptions are already viewable;
>> * forbids key update (blacklist and asymmetric ones);
>> * restricts kernel rights on the blacklist keyring to align with the
>>  root user rights.
>>
>> See help in tools/certs/print-cert-tbs-hash.sh .
>>
>> Cc: David Howells <dhowells@redhat.com>
>> Cc: David Woodhouse <dwmw2@infradead.org>
>> Cc: Eric Snowberg <eric.snowberg@oracle.com>
>> Cc: Jarkko Sakkinen <jarkko@kernel.org>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20210312171232.2681989-6-mic@digikod.net
> 
> I tried testing this, it doesn’t work as I would expect.  
> Here is my test setup:
> 
> Kernel built with two keys compiled into the builtin_trusted_keys keyring
> 
> Generated a tbs cert from one of the keys and signed it with the other key
> 
> As root, added the tbs cert hash to the blacklist keyring
> 
> Verified the tbs hash is in the blacklist keyring
> 
> Enabled lockdown to enforce kernel module signature checking
> 
> Signed a kernel module with the key I just blacklisted
> 
> Load the kernel module 
> 
> I’m seeing the kernel module load, I would expect this to fail, since the 
> key is now blacklisted.  Or is this change just supposed to prevent new keys 
> from being added in the future?

This is the expected behavior and the way the blacklist keyring is
currently used, as explained in the commit message:
"This enables to invalidate new certificates, either from being loaded
in a keyring, or from being trusted in a PKCS#7 certificate chain."

If you want a (trusted root) key to be untrusted, you need to remove it
from the keyring, which is not allowed for the builtin trusted keyring.