Re: [PATCH v4 6/6] integrity: machine keyring CA configuration

From: Jarkko Sakkinen
Date: Mon Feb 13 2023 - 02:55:23 EST


On Fri, Feb 10, 2023 at 08:05:22AM -0500, Mimi Zohar wrote:
> Hi Eric,
>
> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
> > Add a machine keyring CA restriction menu option to control the type of
> > keys that may be added to it. The options include none, min and max
> > restrictions.
> >
> > When no restrictions are selected, all Machine Owner Keys (MOK) are added
> > to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
> > selected, the CA bit must be true. Also the key usage must contain
> > keyCertSign; any other usage field may be set as well.
> >
> > When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> > be true. Also the key usage must contain keyCertSign and the
> > digitalSignature usage may not be set.
> >
> > Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
>
> Missing from the patch description is the motivation for this change.
> The choices none, min, max imply a progression, which is good, and
> the technical differences between the choices, but not the reason.
>
> The motivation, at least from my perspective, is separation of
> certificate signing from code signing keys, where "none" is no
> separation and "max" is total separation of keys based on usage.
>
> Subsequent work, as discussed in the cover letter thread, will limit
> certificates being loaded onto the IMA keyring to code signing keys
> used for signature verification.


It would be more robust just to have two binary options for CA bit and
keyCertSign. You can use "select" for setting keyCertSign, when CA bit
option is selected.

BR, Jarkko
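As an added illustration of the none/min/max checks described in the quoted patch description (this is not code from the patch or from the kernel), the C below decodes a DER KeyUsage BIT STRING into RFC 5280 bit positions and applies each restriction level to a certificate's CA bit and usage bits. The sample bit strings are constructed and the function and enum names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5280 KeyUsage bit numbers; bit 0 is the MSB of the first content byte. */
enum { KU_DIGITAL_SIGNATURE = 0, KU_KEY_CERT_SIGN = 5, KU_CRL_SIGN = 6 };

/* Restriction level, mirroring the none/min/max Kconfig choice in the patch. */
enum ca_restriction { CA_NONE, CA_MIN, CA_MAX };

/* Decode the contents of a DER BIT STRING (bytes after tag and length) into a
 * mask where bit n corresponds to KeyUsage bit n. Returns -1 on malformed input. */
int decode_key_usage(const uint8_t *content, size_t len)
{
    if (len < 1 || content[0] > 7) return -1;        /* unused-bit count is 0..7 */
    unsigned unused = content[0];
    if (len == 1 && unused != 0) return -1;          /* empty string cannot have unused bits */
    int mask = 0;
    for (size_t i = 1; i < len; i++) {
        for (int b = 0; b < 8; b++) {
            size_t bitno = (i - 1) * 8 + b;
            if (i == len - 1 && b >= 8 - (int)unused) break;  /* skip padding bits */
            if (bitno >= 31) return -1;              /* far longer than any KeyUsage */
            if (content[i] & (0x80 >> b)) mask |= 1 << bitno;
        }
    }
    return mask;
}

/* Apply the policy from the patch description:
 * none: everything is accepted; min: CA bit and keyCertSign required;
 * max: as min, and digitalSignature must additionally be absent. */
bool machine_keyring_accepts(enum ca_restriction level, bool is_ca, int key_usage)
{
    bool cert_sign = key_usage & (1 << KU_KEY_CERT_SIGN);
    bool dig_sig = key_usage & (1 << KU_DIGITAL_SIGNATURE);
    switch (level) {
    case CA_NONE: return true;
    case CA_MIN:  return is_ca && cert_sign;
    case CA_MAX:  return is_ca && cert_sign && !dig_sig;
    }
    return false;
}

int main(void)
{
    /* Constructed samples: keyCertSign+cRLSign, and the same plus digitalSignature. */
    const uint8_t ca_only[] = { 0x01, 0x06 };
    const uint8_t ca_and_sign[] = { 0x01, 0x86 };
    int ku1 = decode_key_usage(ca_only, sizeof ca_only);
    int ku2 = decode_key_usage(ca_and_sign, sizeof ca_and_sign);
    printf("max accepts ca_only: %d, max accepts ca_and_sign: %d\n",
           machine_keyring_accepts(CA_MAX, true, ku1),
           machine_keyring_accepts(CA_MAX, true, ku2));
    return 0;
}
```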