Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7368303rwb; Mon, 12 Dec 2022 13:47:54 -0800 (PST) X-Google-Smtp-Source: AA0mqf6Mqj8MHXkBp83fF2vU2k4C5cQ+UI4PYqyhhPewZn/OMYqO4qLiQORpkoyoIZP9uOqTuoht X-Received: by 2002:a17:906:8543:b0:7c0:d88e:4b37 with SMTP id h3-20020a170906854300b007c0d88e4b37mr12782204ejy.52.1670881674540; Mon, 12 Dec 2022 13:47:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670881674; cv=none; d=google.com; s=arc-20160816; b=UcmH4ySh89bWvmVSc1ddEy/A1G3BX4TzeMZ5wtrqtLaFUI8cZJ5EZ6bkzvG3i/N8ed kif0DHA6JpU5gZMQG4eOcu5vQxmn+kzi658GwUwt/ykuuYTrMXjLdImhPk+kRakNg/FP 2QijYcdceTd1kTfejXOoJIxBX/Q4lVkOd+zRTZfB+B8YtJ4ciGBjH7ABvbpWWHS4IKfS APqIwhUxsAy9WSQ50Fd6MhBp5zcEebT2vQgA5P7myOEK6ynmzPiuqmGOtG3wfGfdMzWS BViQ0+F7DzM0QCs45EpVf7fKjkBQfUufICVtiYs3pwfBO9AliU8HIC4BXA/qaPAaAMEa vg+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=Sa/IMRCUcp/NqiNJFzuydVhh4vOLra4e/tBGYGanhFw=; b=Xi8aKeiBr2SWuJ+vAOxYHZyypzYhqi4AabQ35Kf6nhiAnuJ1+ByJ36Il0tCSVvJLAP fkdkE/qc4EKE8rFA/Y581/ERMXbUYpHb4hzAzy2oauQJyfW5ZTJrZ07jfjB0ZGbqWf3G qkB26W6TXdPzj1x1UFdOTgL9UJptcSguivAPWbo2rA7OI9eE+w2FK+M7qyljrWez0A/8 VjEzM0o3ftP+JLWDA/MTH4xflbpv1kL5mRoIpif1ANrJqyg3/XqvoUEFwD4K72+ErW3r 92hee8Sp0mH8mOQMRCiVHoi31jIbKgFqzVUXSZRLWJF2KNRG+NyjQVcRQmJLrUSrhnMN n1ag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b="Fe/eb6Kn"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dn12-20020a17090794cc00b007ac60b82ea5si7972725ejc.96.2022.12.12.13.47.24; Mon, 12 Dec 2022 13:47:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b="Fe/eb6Kn"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233481AbiLLVo4 (ORCPT + 99 others); Mon, 12 Dec 2022 16:44:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38828 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233465AbiLLVoy (ORCPT ); Mon, 12 Dec 2022 16:44:54 -0500 Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D0A9F13E35; Mon, 12 Dec 2022 13:44:53 -0800 (PST) Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BCKhp1C023462; Mon, 12 Dec 2022 21:44:27 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : to : cc : date : in-reply-to : references : content-type : content-transfer-encoding : mime-version; s=pp1; bh=Sa/IMRCUcp/NqiNJFzuydVhh4vOLra4e/tBGYGanhFw=; b=Fe/eb6Kn9AZQ/kGL6ODzsA50b2vllLCRVzEIyxNAkVI+Ni0TSCTIuLRqtYmOIh3bVEKK cUb0ng/pn2r6hWsQFj7frCW2Hssq27Qxm1QCsvkVBdiPV5UorqwISKIog1PTvmUEJxb2 2nTeD8lX6ierMjWsywrPMmZlX1sdlmF7vFH7HypALrwT9DEuZxD8aYoHVh9MhONVlcL1 mHOrifEn7ekXiBDdbtZz32k7ryEOF/oyl3F1QCmgjQNA4wcmR8N2/zT5zE+x1ggX7Q83 PeNIL5eEoVOA7QFIS3Ju88ORJkUyvBrG8JZDnDuZrEi5LQM/fPfyfflzHZHeZpIZpNQe 4g== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3mebk7178j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Dec 2022 21:44:27 +0000 Received: from m0098420.ppops.net (m0098420.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 2BCLUNjE015744; Mon, 12 Dec 2022 21:44:26 GMT Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3mebk7178c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Dec 2022 21:44:26 +0000 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.17.1.19/8.16.1.2) with ESMTP id 2BCKMvBP019461; Mon, 12 Dec 2022 21:44:25 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([9.208.130.99]) by ppma02dal.us.ibm.com (PPS) with ESMTPS id 3mchr6k9e5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Dec 2022 21:44:25 +0000 Received: from smtpav04.dal12v.mail.ibm.com (smtpav04.dal12v.mail.ibm.com [10.241.53.103]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 2BCLiOfk37552482 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 12 Dec 2022 21:44:24 GMT Received: from smtpav04.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 369795805A; Mon, 12 Dec 2022 21:44:24 +0000 (GMT) Received: from smtpav04.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 696735804E; Mon, 12 Dec 2022 21:44:22 +0000 (GMT) Received: from li-f45666cc-3089-11b2-a85c-c57d1a57929f.ibm.com (unknown [9.160.60.25]) by smtpav04.dal12v.mail.ibm.com (Postfix) with ESMTP; Mon, 12 Dec 2022 21:44:22 +0000 (GMT) Message-ID: Subject: Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions From: Mimi Zohar To: Eric Snowberg , Coiby Xu , Jarkko Sakkinen Cc: David Howells , David Woodhouse , "herbert@gondor.apana.org.au" , "davem@davemloft.net" , "dmitry.kasatkin@gmail.com" , "paul@paul-moore.com" , "jmorris@namei.org" , "serge@hallyn.com" , "pvorel@suse.cz" , "noodles@fb.com" , "tiwai@suse.de" , "bp@suse.de" , Kanth Ghatraju , Konrad Wilk , Elaine Palmer , "keyrings@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" Date: Mon, 12 Dec 2022 16:44:22 -0500 In-Reply-To: <5AF81A9E-C4E7-4BEB-86E1-4D2DB613FBF1@oracle.com> References: <20221207171238.2945307-1-eric.snowberg@oracle.com> <20221209102612.wa3oftpqupzplx6h@Rk> <5AF81A9E-C4E7-4BEB-86E1-4D2DB613FBF1@oracle.com> Content-Type: text/plain; charset="ISO-8859-15" X-Mailer: Evolution 3.28.5 (3.28.5-18.el8) X-TM-AS-GCONF: 00 X-Proofpoint-GUID: YIa0V5D9cmF90M6ofJtbgv6Ib7eypmZi X-Proofpoint-ORIG-GUID: hycEuVe5LoG_BQbYT14ivtjmP1FHOjyX Content-Transfer-Encoding: 7bit X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-12_02,2022-12-12_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 mlxlogscore=837 lowpriorityscore=0 phishscore=0 clxscore=1011 mlxscore=0 malwarescore=0 suspectscore=0 impostorscore=0 spamscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2212120187 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Eric, Coiby, On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote: > > On Dec 9, 2022, at 3:26 AM, Coiby Xu wrote: > > > > Thanks for your work! The patch set looks good to me except for the > > requirement of an intermediate CA certificate should be vouched for by a > > root CA certificate before it can vouch for other certificates. What if > > users only want to enroll an intermediate CA certificate into the MOK? > > This question would need to be answered by the maintainers. The intermediate > requirement was based on my understanding of previous discussions requiring > there be a way to validate root of trust all the way back to the root CA. That definitely did not come from me. My requirement all along has been to support a single self-signed CA certificate for the end user/customer use case, so that they could create and load their own public key, signed by that CA, onto the trusted IMA/EVM keyrings. > > > If this requirement could be dropped, the code could be simplified and > > some issues could be resolved automatically, > > Agreed. I will make sure the issue below is resolved one way or the other, > once we have an agreement on the requirements. I totally agree with Coiby that there is no need for intermediate CA certificates be vouched for by a root CA certificate. In fact the closer the CA certificate is to the leaf code signing certificate, the better. As much as possible we want to limit the CA keys being loaded onto the machine keyring to those that are absolutely required. thanks, Mimi > > > 1. "[PATCH v2 03/10] KEYS: X.509: Parse Basic > > a root_ca filed to a certificate to indicate the subject of the > > certificate is a CA. The name root_ca implies it's also a root CA. But > > according to [1], both an intermediate and root CA will have > > root_ca=True. For example, the intermediate certificate of > > https://www.kernel.org/ has "Certificate Authority=Yes" in the basic > > constraints. Btw, a root CA certificate by definition is self-signed, > > so the following code in "[PATCH v2 05/10] KEYS: Introduce a CA > > endorsed flag" looks a bit strange to me, > > if (cert->kcs_set && cert->self_signed && cert->root_ca) > > prep->payload_flags |= KEY_ALLOC_PECA; > > > > 2. Since an intermediate CA certificate also has root_ca=True, > > "[PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as > > endorsed" won't work as intended i.e. this following else branch > > will never be reached, > > else if (!cert->self_signed && !cert->root_ca) > > prep->payload_flags |= KEY_MAYBE_PECA; > > > > 3. I see nowhere public_key->key_is_ca is set to true for an intermediate > > CA certificate after it gains the KEY_ALLOC_PECA flag. So it will fail > > restrict_link_by_ca even if the KEY_MAYBE_PECA flag is added. > > > > [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 > > Thanks for reviewing the series. >