Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp792534rwb; Thu, 10 Nov 2022 07:29:32 -0800 (PST) X-Google-Smtp-Source: AA0mqf4IMbfJ08DMkuoachI/0o4QjCMfzHpWGbaj9/Nr775k7GYoURnjKpusZ49A+IaaGDZtXvnr X-Received: by 2002:a05:6402:5510:b0:459:5ea:9bc0 with SMTP id fi16-20020a056402551000b0045905ea9bc0mr6936435edb.152.1668094172516; Thu, 10 Nov 2022 07:29:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668094172; cv=none; d=google.com; s=arc-20160816; b=UoToze3QeZSv7lwMg5m6EfXjYcznvd5cot5p0nAhdN9DLStQgdwczvs50l4h7KgtEf TDMwdM5SMgfrJEXU0Nb08RdAOKWbM6jmm6794JfqAozr5xIVLLjov9v6NqbCbVp5JvS6 y02Dzpir0aCtT4H6egahonMdkOnNIlDMVWFl8Gl9j4zzusOrIB2dlAHlZhR8R0H6KiZC BFufBW8vB9mS45Y4hES96CNJfdptnLHpznAA1iyKQJ6mq9ExYGG7Pmox9lkjXRAZ3yfO gMr3n/OeLM3ohOBF576XGvfTe6cIMcrfbgSE0UJrTi+gymOnjUkp8QXLC/JXXDdsfvRj UA9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature:dkim-signature; bh=yuGSUQ5kQhi5ryh8cQWVjCOQsA5n+fnerxDIcBwu5ds=; b=TzznZiv871nSY4W1FpUXgBA/j3svdqIA5oms1EJ3mgKPx9EXB20BfM/SGem8bOi85/ Sd+QjDGBqpcdC5b0br2OSeZY2hRfGBOufNyk6YaKL//RuY8uLco8s62Z9tmMX42VE26P oteZtIaJKDKzKE3cMAyv+poEpAl+2oETir0I12LQ2NksS/NCEjjkGG+uycCQynYpkmjw gfFkfetLyQYjKujy0fWoRRcH2h40ANrg3IN99OUBficgdE1/NKTwgBjMH3N4CceQ+tk/ 9E6KBORB8QDa0K1Z9kxoqtpXXFm7XD3W3Lv6gSbhE20eaNauqDlUGGTtlY2E1SKaWGZ2 gE5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=ud4jobt2; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kq+CmaEP; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l14-20020aa7d94e000000b004597b778b3bsi17514187eds.75.2022.11.10.07.29.01; Thu, 10 Nov 2022 07:29:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=ud4jobt2; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kq+CmaEP; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230087AbiKJP23 (ORCPT + 99 others); Thu, 10 Nov 2022 10:28:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43358 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231204AbiKJP1e (ORCPT ); Thu, 10 Nov 2022 10:27:34 -0500 Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [IPv6:2607:fcd0:100:8a00::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D980B3F054; Thu, 10 Nov 2022 07:27:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1668094051; bh=JR33g8gWlSZGidJuKivTgbq5ECjLpcLYApf6iPOEG4w=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=ud4jobt2vwD795E+KzwUN6dmloAtvJnv237I9aQOWFlYSMugYNh7X/5QAlOgP10Hw shu82adBq6GPRCVeMKyQKWc7fHBmWgCS+dl6RZAEZMjSrGlICLe3hXbsAj5U3E4A49 jeahL4oHCgMKm6FdvPgIzjko01lbA5wDSJ/TplKs= Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id AD6DB1285F6D; Thu, 10 Nov 2022 10:27:31 -0500 (EST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-df-yN8V5IA; Thu, 10 Nov 2022 10:27:31 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1668094050; bh=JR33g8gWlSZGidJuKivTgbq5ECjLpcLYApf6iPOEG4w=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=kq+CmaEP+hl8WK8iJn9Oiow8bNpyykjPeEzKJebMmy/YDGGGCRfa/FFR9L9H+DrKr OgD9kxYnHQuyo4RNMN7ZekqaOIo3H7NOno1DhnPjA/zuHmTjbtBq520z4p4x7u4qnx DZ5fiNQES6FbjQUxUXmOxwmdo60xLLqodNtdeK+k= Received: from lingrow.int.hansenpartnership.com (unknown [IPv6:2601:5c4:4302:c21::c14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 0026C1286591; Thu, 10 Nov 2022 10:27:27 -0500 (EST) Message-ID: <47ae05f8d3a67ee5e1607ab8e718cc4b3e95cebb.camel@HansenPartnership.com> Subject: Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found From: James Bottomley To: Morten Linderud , Eric Snowberg Cc: "keyrings@vger.kernel.org" , "linux-integrity@vger.kernel.org" , Mimi Zohar , David Howells , David Woodhouse , "herbert@gondor.apana.org.au" , "davem@davemloft.net" , Jarkko Sakkinen , "jmorris@namei.org" , "serge@hallyn.com" , "keescook@chromium.org" , "torvalds@linux-foundation.org" , "weiyongjun1@huawei.com" , Nayna Jain , Eric Biggers , "ardb@kernel.org" , Lakshmi Ramasubramanian , "lszubowi@redhat.com" , "jason@zx2c4.com" , "linux-kernel@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-efi@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "pjones@redhat.com" , Konrad Wilk Date: Thu, 10 Nov 2022 10:27:24 -0500 In-Reply-To: <20221110150607.h4iaymkgc4f7kuue@framework> References: <20211124044124.998170-1-eric.snowberg@oracle.com> <20211124044124.998170-17-eric.snowberg@oracle.com> <20221110000129.kl6pjy5mafpuptbk@framework> <4A479B96-4B41-4323-9920-5A909423F998@oracle.com> <20221110150607.h4iaymkgc4f7kuue@framework> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 2022-11-10 at 16:06 +0100, Morten Linderud wrote: > I'm not really sure what Peter means with "much more reliable" > though. It's that in-head knowledge you referred to. You can't see the true MoK variables because they're BootServices, meaning they're not visible in the RunTime, which is why the shadow RT variables exist (this is a security property: BS only variables can only be altered by trusted, signed entities). However lots of things can create RT variables so you have to run through a sequence of checks on the RT shadows to try to defeat clever attackers (like verifying the variable attributes), because the chain of custody from BS to RT is not guaranteed. If you use a configuration table instead, that is BS only, the kernel (which is also a trusted entity) has to pick it out before ExitBootServices, so if the kernel has the table, you have a reliable chain of custody for the entries. James