From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
Jason Cooper <jason@lakedaemon.net>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Sat, 30 Jul 2016 23:08:01 -0400 [thread overview]
Message-ID: <1469934481.23563.274.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20160730163626.GP3296@wotan.suse.de>
On Sa, 2016-07-30 at 18:36 +0200, Luis R. Rodriguez wrote:
> On Fri, Jul 29, 2016 at 03:25:09PM -0700, Andy Lutomirski wrote:
> > On Fri, Jul 29, 2016 at 3:10 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > > On Do, 2016-07-28 at 16:57 +0000, Jason Cooper wrote:
> > >> Hi Andy,
> > >>
> > >> On Wed, Jul 27, 2016 at 01:09:37PM -0700, Andy Lutomirski wrote:
> > >> ...
> > >> > I would like someone to explain why using the keyring mechanism for
> > >> > this in the first place is a good idea.
> > >> >
> > >> > As far as I can tell, the design goals of "keys trusted by the kernel
> > >> > for modules, firmware, etc" are:
> > >> >
> > >> > - Keys are added at build time or, according to potentially
> > >> > system-specific rules, at boot time.
> > >> >
> > >> > - Keys should specify what they're trusted *for*.
> > >>
> > >> Well, I'd argue that keys should specify what they are *intended* for by
> > >> the keyholder. A useful security system could further restrict the key
> > >> as needed.
> > >
> > > We've already started. Currently the kernel_read_file() and family of
> > > functions provide the LSM hooks needed for verifying file signatures of
> > > files read by the kernel. The kernel_read_file_id enumeration is used
> > > to differentiate between callers. Based on this enumeration, the
> > > *intended* for could be defined. It would make sense to extend the IMA
> > > policy language to support *intended* for.
> > >
> >
> > Having kernel_read_file know the purpose is a big step in the right
> > direction, although, as I think I and others have pointed out, just an
> > enum is insufficient -- for firmware, at least, the *name* is
> > relevant.
> The name is passed for firmware, the wrapper kernel_read_file_from_path()
> is used. So if we wanted an LSM extension on name I think we can do that
> on kernel_read_file_from_path() ?
It shouldn't make a difference whether kernel_read_file() is called
directly, or the kernel_read_file_by_path/fd() are called. The pathname
is accessible from the "file" argument.
> > But this is almost orthogonal to what I'm talking about. I'm saying
> > that, before seriously considering any extensions to using keyrings to
> > decide which files are okay for kernel_read_file() and similar, we
> > should first consider whether using keyrings *at all* for this is a
> > reasonable long-term approach.
>
> It sounds like an LSM decision ?
>
> Of course, part of the issue with signing / keyring stuff here is
> module signing wasn't designed as an LSM, I've discussed with David
> the possibility of LSM'ifying kernel signing infrastructure, with
> a lot of works it seems possible. With LSM stacking this then should
> group up together in a sensible way. Then for instance eventually
> module signing and firmware singing could be stackable LSM decisions,
> and not a kconfig final decision -- as they are today. To me though
> having module signing or firmware signing be LSM'ifable is not a hard
> requirement given its just ways to do things, so its not a requirement,
> architecturally its just better to have long term. So when I say this
> sounds like an LSM decision I'm projecting on to how this question
> of keyrings then becomes a stackable LSM question.
>
> > Elsewhere in this thread, Jason Cooper
> > mentioned keyholders. For this type of verification key, the holder
> > isn't even on the same machine as the kernel on which
> > kernel_read_file() is called.
>
> When you run a distro kernel your kernel key holder isn't on the
> same machine either. Then for that shiny mobile OS that runs Linux,
> they use LoadPin LSM, so they have opted out of the keyholder/keyring
> thing but punted it in another way.
>
> In the stackable LSM context, what is not possible then?
>
> > Sure, one might want to configure a system so IMA is used for
> > kernel_read_file(), and one might want to configure IMA to use
> > keyrings, but that's far from being the only sensible configuration.
>
> If we LSM'ify it all, then I think anything should be possible so long
> as we pass on to the LSM enough context. Since we already pass context
> of how something is read that should help. Path seems like the next
> target ? Anything else ?
One issue that repeatedly comes up, at least for IMA, is key management.
Will the keys be used solely for code provenance or to also provide
version control?
Mimi
next prev parent reply other threads:[~2016-07-31 3:08 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar [this message]
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1469934481.23563.274.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=mcgrof@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox