On 10/06/14 15:20, Josh Boyer wrote: > On Tue, Jun 10, 2014 at 11:48:14AM +0300, Dmitry Kasatkin wrote: >> Hi Mimi, >> >> As you asked ofline , here is possible equivalent and simpler alternative >> patches not requiring to have additional keyring. >> >> First patch are irrelevant minor fixes. >> >> Also I want to discuss here Fedora UEFI patches as they are the reason for >> the these original patchset. >> >> http://pkgs.fedoraproject.org/cgit/kernel.git/tree/modsign-uefi.patch >> >> They provide functionality to specify MokIgnoreDb variable to limit loading >> of >> UEFI keys only from MOK List, while ignoring DB. This is certainly a good >> functionality. But once MODULE_SIG_UEFI is enabled, it looks there is no way >> to prevent loading keys from UEFI at all. And this might not be a good >> default >> functionality. Someone might want not allow loading of keys from UEFI unless >> kernel parameter is specified to allow it without recompiling the kernel >> and disabling MODULE_SIG_UEFI. >> >> Josh, why such design decision was made? > IIRC, it's because kernel parameters can be added programmatically from a > remote user if they gain root access. Having a kernel parameter to > disable a key piece of secure boot isn't all that great. We disable > other kernel parameters like acpi_rspd as well.
I see the point, as we have unprotected boot loader configuration. >> Why not to provide kernel parameter to have more fine-tune control over the >> functionality? Unconfigured machines will not have MokIgnoreDb and will >> allow to load kernel modules signed with certain undesired keys. In fact, > Undesired by whom? If SB is enabled, your machine's firmware already > trusts those keys. It is tricky issue. But yes and no... If I forced to trust MS key to run SHIM, it does not mean that I want to trust MS key to run kernel and load modules or use MS key to valid other keys on system keyring. Personally I took ownership of my laptop laptop by enrolling my key. I also re-signed SHIM... But for convenience I keep MS key to boot from any USB stick, though booting is password protected... -> So the only point I trust MS key is when I type my password to boot... And next when system is running, I do not want MS or Lenovo key would be used to verify kernel modules or signed files... >> I beleive, it should be default behavior of the kernel. Bootloader can >> enable UEFI functionality by specifing it on the kernel command line. > If it was enabled via boot params, or done in the early setup code that > might be possible. I don't think a kernel parameter is the right > solution though. I've added Matthew on CC. Thanks for reply. > josh > >> Second patch allows to overcome keys coming from UEFI for key validation by >> specifing owner key id and is an alternative for v5 4/4 patch. >> >> It was also a good idea presented in Mimi's v4 4/4 patch to have possibility >> to limit key trust valiation by only builtin keys. Third patch as an >> alternative. >> It uses keys->flags to specify origin of the key, but any additional field >> could >> be added as well. >> >> Both key id and origin verification is done in x509_validate_trust(). >> >> Thanks, >> Dmitry >> >> Dmitry Kasatkin (3): >> KEYS: fix couple of things >> KEYS: validate key trust only with selected owner key >> KEYS: validate key trust only with builtin keys >> >> Mimi Zohar (1): >> KEYS: define an owner trusted keyring >> >> Documentation/kernel-parameters.txt | 5 +++++ >> crypto/asymmetric_keys/x509_public_key.c | 35 >> +++++++++++++++++++++++++++++--- >> include/linux/key.h | 1 + >> kernel/system_keyring.c | 1 + >> 4 files changed, 39 insertions(+), 3 deletions(-) >> >> -- >> 1.9.1 >> > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
