From:   Eric Snowberg <eric.snowberg@oracle.com>
To:     Jarkko Sakkinen <jarkko@kernel.org>
CC:     Mimi Zohar <zohar@linux.ibm.com>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
        "davem@davemloft.net" <davem@davemloft.net>,
        "dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
        "paul@paul-moore.com" <paul@paul-moore.com>,
        "jmorris@namei.org" <jmorris@namei.org>,
        "serge@hallyn.com" <serge@hallyn.com>,
        "pvorel@suse.cz" <pvorel@suse.cz>,
        "tadeusz.struk@intel.com" <tadeusz.struk@intel.com>,
        Kanth Ghatraju <kanth.ghatraju@oracle.com>,
        Konrad Wilk <konrad.wilk@oracle.com>,
        Elaine Palmer <erpalmer@linux.vnet.ibm.com>,
        Coiby Xu <coxu@redhat.com>,
        "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
        "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>,
        "linux-security-module@vger.kernel.org" 
        <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v4 6/6] integrity: machine keyring CA configuration
Thread-Topic: [PATCH v4 6/6] integrity: machine keyring CA configuration
Thread-Index: AQHZOqBI+C56J107yEO2w74T/LxRwq7IK2kAgARgQACAAnSfgA==
Date:   Tue, 14 Feb 2023 21:24:53 +0000
Message-ID: <8724445E-5D0B-4A44-935A-1DCA3AC4D7AA@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
 <20230207025958.974056-7-eric.snowberg@oracle.com>
 <4bda209dfc891ac9044ce847785c383e89f14f97.camel@linux.ibm.com>
 <Y+nszt7I9rGem1az@kernel.org>
In-Reply-To: <Y+nszt7I9rGem1az@kernel.org>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?diQk3Z8DndnpJMSIiYfAg4SJNdJ6aHH5BzdIKGUAi3st3BwC9H6K4cpoosg1?=
 =?us-ascii?Q?62tGzt3yDTkH0h+MnzsokrSHk0quiOxZlS/+Ffe5MYpy/A019SnyeetLv+dy?=
 =?us-ascii?Q?bkYVKyJcfpMYxQwGTyJcaUKN6bVlKBeq/aXjTRKUTfv2CmKg7lzwXmMWm9Fo?=
 =?us-ascii?Q?b2cGDt8lgo6EzHfYySOe2WQj3nvNb2tekzTIk1HDn77S+0heDyWFizlXFUIy?=
 =?us-ascii?Q?4uDkP94N7b6hn/cHhjgpfWXkA06VrotGLLnsc7bapZFqQPY+tw6uNaSQdkGH?=
 =?us-ascii?Q?yJnBXjaLs63JDszwPDlhJ3ZSyQLefeHQugRKI9TwqXBLazSWKFs6+Aed3r4s?=
 =?us-ascii?Q?+gDU/CLdTIcbxUuo7vtOnjP/GL03yGBmj2awoV5P+NWFd8WZjl+eh8XwisxS?=
 =?us-ascii?Q?p2XxN8gv8pteDrFkQU+LKmZsJSkGtli8/A68yFPm6lUcxQG3KXJX80E1c15K?=
 =?us-ascii?Q?v1N4vTIijLD/KzKbqx3EeYmWzi1zTHd5NiHHRfnJ5GSqtYkLR2/8RqODwDQ/?=
 =?us-ascii?Q?DVbSUSd4WM+KL4U/++/58redXt3xtnEVlF1Tc3yhrYK1Z77TBbdSMMugIIVZ?=
 =?us-ascii?Q?TuCkUaHxKr278kzF6cC/xatxXAWVyE2R2YqTy2XXbxO50pM3Yt+JFzCC4Ua2?=
 =?us-ascii?Q?bI5zWujVS1FARipBi3abgHsJrkZBsbL6pzjukFngHzYHg0xtfYwDJLXg4Jun?=
 =?us-ascii?Q?I2zdGN0bdD+Llgz+Nx7O0KGsP/tfDd/Y5SLR+KPv5kUv9kQxDX1KlUxbfi7f?=
 =?us-ascii?Q?iNCMqHfoD3yZeEtZxo0xXIYpjuu63/zW1YQQCaASTU17wp235pCT/EyIgjCl?=
 =?us-ascii?Q?tUuHqRbOFpq99TMZWChcztULWbHkOB2BpH9A9t5R9KbvyyNh3qGAj7azxtnr?=
 =?us-ascii?Q?pi0mtfpUuSzmMWv3/knJs9XcBqC6eYnTNGfWvp8SWjE3G1CJDlQkRfZn6l8U?=
 =?us-ascii?Q?uLOnG5IXS1O9AeYjwJwDK2hHh6Ju9ALbPn0mk/je05n8EDwt0ZmAIztu3z/u?=
 =?us-ascii?Q?uDwQgYI6BE5BCscRgP4lYvTND7S18zj+31U0D77AvwvjhoIAztMsxaG/AOqd?=
 =?us-ascii?Q?PwVgmotq5++BGpr4omzgztz0BFjH209Mauiu5e5gLNuj7I6lWw8qaAbIYdzK?=
 =?us-ascii?Q?J3c1Fq7/+QQjTtLld+SVtWQJ5dMsWThyb2erXxRVRLtFxGsBcAk/oOl5UKrX?=
 =?us-ascii?Q?lzxhkbQXIh0yZfb5ckGSR5CQLuo/Y6XsKOAdhGTkTpUtMQQtPjqAZ/na7zt2?=
 =?us-ascii?Q?RIZM94heR+AehQL5pLhTLmNSlDkbDjL1fjbP6gOCwrIJ6SujCdZnAnsCBC42?=
 =?us-ascii?Q?zQmrk725AKcJOwf5J/NZ3SRO/khUXHH8zdapPJLIy/HWdbUHcLWRvW28iq6Y?=
 =?us-ascii?Q?ZScH97MDDFmHTP0n4UwWKmbaZhKMqxvusriKcLKwsfeqy5mU5KgG0iA8Q3SY?=
 =?us-ascii?Q?Pl5YpVqJLgszZyO+O65+pEbZ+ZATyEPrGyLnwM6wdf9H+R/VsKmmexdHMxVn?=
 =?us-ascii?Q?y0wBbYpYRr3SMRyU56PwDXdAG7dCoA6cH6F3HgnLuDynZZMHBmDLsPaPuz+I?=
 =?us-ascii?Q?Y4eF7x0Duu/hJ4mIY36OGYDRrPlWhEJBZWOCccveX/AF69IbfDvwSwBS4NPm?=
 =?us-ascii?Q?dg=3D=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5CA9AA903164844484CF3144165C4F61@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: =?us-ascii?Q?UNzUkaMiwer9mBiuVWDVJ3xCcJYU1LoRiQXsFNZRPz/ouJVqFKrTKE0pLREK?=
 =?us-ascii?Q?FEbHCXEzQlCQ2Vn9+UvKq61Rw+5DCWG7l6CrCKeLJg4toPqik+BfR3wBp2VZ?=
 =?us-ascii?Q?4z0bGFoaJLXKTLBEiyiBusN/wveG3O3at8PCou3/6TVxZBzxkM1egflavq+2?=
 =?us-ascii?Q?gFgk5SDovRqxVDEDEgcOTQg4yCDQLJTf2Q5CTrUar0/wubYZ8U1gADm8DH26?=
 =?us-ascii?Q?7QZPViGOY9QdzRytK61a9jgEyiZOFBL7BdRQryvwGbnfinrrAjsC3m+pnU93?=
 =?us-ascii?Q?TIfgWy15MhKEPvtu+YUhOSdMC0rlMDWTYtxOh2vB6zGx1wQSbgOOlknzw4S5?=
 =?us-ascii?Q?4D3XEH6IKpgZ7eZWaMfWjNHDR1j47hY6lgI6vAWcQct5yxxPGBqUgPz7pWfV?=
 =?us-ascii?Q?0o4g2YNQxHDOCiOYa1EedW5lN8bgFnMXdtLxPEwslAIPXZop16CUfCoBGBf6?=
 =?us-ascii?Q?iOr8yWYqLf1y5ZjBa/V36CNol1fg3F2p22XBM8PlWsHjG6WmWPHriSjglaz9?=
 =?us-ascii?Q?a7z7fv4vUnLtkhDTZ9rVeDxn6h0OjLZhPNEOJVTOLar+h8pJ2V3f94iRq4eO?=
 =?us-ascii?Q?Od+Y2n30nyDSuKAIoVlG1yEvoR2Ii2hqYQqaIsjzXt7ak44vi6RVxb9oOmsf?=
 =?us-ascii?Q?2LGtbmWSVwgVsz5hbxSkj+fKCIqPoIdxwv1IxW66VjBYNiZrCZ+kAVCzSnPN?=
 =?us-ascii?Q?8SnjXoMDLx9j1tpPoG4dCrBsy24E6TL/vvnA+go68brdS7I8YSBvdSPTLptS?=
 =?us-ascii?Q?5qvqCZJpcYhvc82/eaW1h7us5xCQtTMp5Lg/Q5N2VKz9mnmWzKWmGFlnV4og?=
 =?us-ascii?Q?IiR3uTDv51zw1fD96CT8H7oeu+IMI4+lfr6nkxWOsyF8lOMpXOFrHs1PoHmK?=
 =?us-ascii?Q?pt/2JFwVZZHHlFbMUtPYX15IwAZsXvIYFUyNGE3g5lUVopBjYTA4M3nukhmZ?=
 =?us-ascii?Q?N1bDKNjYr9FXRIMvyyB/yzf+T72ROG7SSj36guMv7bikGOwJQL7/rPmCDSHy?=
 =?us-ascii?Q?tUzpmLEaszHAgLwuz/aJVOmW0MVF/lj25GFcKfXD1Df/1Kq4Ac1RwxfIAdMY?=
 =?us-ascii?Q?1xZg7LtwY3zzft++8d6l+iGFMtSEVbJgIcwUn0Tq6ZsmAZRD/E66IZayqqn+?=
 =?us-ascii?Q?bmMCcCmsAxEdx6G+Spk+bTiPEwwRwv0/nL9y6k4ND36KmrAIaaxyczY+xtxR?=
 =?us-ascii?Q?qe3EQ2lMeRwJhtK3zvWW1bAFDxrjQBHZKQ4vvg=3D=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 39cf9460-61c9-4464-d80d-08db0ed1e9e7
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2023 21:24:53.7671
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tkMAF8IVmF+4dTWsqo6BOc3UK/H/H9a4IvJUj5PiH+vDzLoyi1SHEt/aHozntPu0HF22yipD5Ref/Bh5YWimS0xnC79MaIFU7spnUfnuoZA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR10MB7048
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22
 definitions=2023-02-14_15,2023-02-14_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0
 bulkscore=0 malwarescore=0 phishscore=0 mlxlogscore=999 spamscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000
 definitions=main-2302140184
X-Proofpoint-ORIG-GUID: -UetTnqaKppz4oAgq7Vj22qmQ9g5_1sB
X-Proofpoint-GUID: -UetTnqaKppz4oAgq7Vj22qmQ9g5_1sB
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org


> On Feb 13, 2023, at 12:54 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
>=20
> On Fri, Feb 10, 2023 at 08:05:22AM -0500, Mimi Zohar wrote:
>> Hi Eric,
>>=20
>> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
>>> Add a machine keyring CA restriction menu option to control the type of
>>> keys that may be added to it. The options include none, min and max
>>> restrictions.
>>>=20
>>> When no restrictions are selected, all Machine Owner Keys (MOK) are add=
ed
>>> to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN i=
s
>>> selected, the CA bit must be true.  Also the key usage must contain
>>> keyCertSign, any other usage field may be set as well.
>>>=20
>>> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit mu=
st
>>> be true. Also the key usage must contain keyCertSign and the
>>> digitialSignature usage may not be set.
>>>=20
>>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>>=20
>> Missing from the patch description is the motivation for this change. =20
>> The choices none, min, max implies a progression, which is good, and
>> the technical differences between the choices, but not the reason.
>>=20
>> The motivation, at least from my perspective, is separation of
>> certificate signing from code signing keys, where "none" is no
>> separation and "max" being total separation of keys based on usage.
>>=20
>> Subsequent work, as discussed in the cover letter thread, will limit
>> certificates being loaded onto the IMA keyring to code signing keys
>> used for signature verification.
>=20
>=20
> It would be more robust just to have two binary options for CA bit and
> keyCertSign. You can use "select" for setting keyCertSign, when CA bit
> option is selected.

Ok, I will make that change in the next round, thanks.