Re: [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine

From: Mimi Zohar
Date: Sun Jan 09 2022 - 16:57:35 EST


On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Many UEFI Linux distributions boot using shim. The UEFI shim provides
> what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure
> Boot DB and MOK keys to validate the next step in the boot chain. The
> MOK facility can be used to import user generated keys. These keys can
> be used to sign an end-users development kernel build. When Linux
> boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux
> .platform keyring.
>
> Define a new Linux keyring called machine. This keyring shall contain just
> MOK CA keys and not the remaining keys in the platform keyring. This new
> machine keyring will be used in follow on patches. Unlike keys in the
> platform keyring, keys contained in the machine keyring will be trusted
> within the kernel if the end-user has chosen to do so.

True, from an IMA perspective only the CA keys should be loaded onto
the .machine keyring, but this version (v9) of the patch set does not
enforce that. The patch set and this paragraph are out of sync.

Jarkko, my concern is that once this version of the patch set is
upstreamed, would limiting which keys may be loaded onto the .machine
keyring be considered a regression?

thanks,

Mimi

>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> ---
> v1: Initial version
> v2: Removed destory keyring code
> v3: Unmodified from v2
> v4: Add Kconfig, merged in "integrity: add add_to_mok_keyring"
> v5: Rename to machine keyring
> v6: Depend on EFI in kconfig (suggested by Mimi)
> Test to see if ".platform" keyring is configured in
> add_to_machine_keyring (suggested by Mimi)
> v7: Depend on LOAD_UEFI_KEYS instead EFI for mokvar code
> v8: Code unmodified from v7 added Mimi's Reviewed-by
> v9: Removed Reviewed-by. Prevent IMA from being able to
> use the machine keyring since the CA restrictions
> have been removed.