Re: [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine

From: Mimi Zohar
Date: Tue Jan 11 2022 - 13:19:22 EST


On Mon, 2022-01-10 at 23:25 +0000, Eric Snowberg wrote:
> > Jarkko, my concern is that once this version of the patch set is
> > upstreamed, would limiting which keys may be loaded onto the .machine
> > keyring be considered a regression?
>
>
> Currently certificates built into the kernel do not have a CA restriction on them.
> IMA will trust anything in this keyring even if the CA bit is not set. While it would
> be advisable for a kernel to be built with a CA, nothing currently enforces it.
>
> My thinking for the dropped CA restriction patches was to introduce a new Kconfig.
> This Kconfig would do the CA enforcement on the machine keyring. However if the
> Kconfig option was not set for enforcement, it would work as it does in this series,
> plus it would allow IMA to work with non-CA keys. This would be done by removing
> the restriction placed in this patch. Let me know your thoughts on whether this would
> be an appropriate solution. I believe this would get around what you are identifying as
> a possible regression.

True the problem currently exists with the builtin keys, but there's a
major difference between trusting the builtin keys and those being
loading via MOK. This is an integrity gap that needs to be closed and
shouldn't be expanded to keys on the .machine keyring.

"plus it would allow IMA to work with non-CA keys" is unacceptable.

Mimi