Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the... | linux-integrity

[PATCH v7 0/5] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-03-12
[PATCH v7 1/5] tools/certs: Add print-cert-tbs-hash.sh · Mickaël Salaün <mic@digikod.net> · 2021-03-12
Re: [PATCH v7 1/5] tools/certs: Add print-cert-tbs-hash.sh · Eric Snowberg <eric.snowberg@oracle.com> · 2021-03-15
[PATCH v7 2/5] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-03-12
Re: [PATCH v7 2/5] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-03-13
[PATCH v7 4/5] certs: Factor out the blacklist hash creation · Mickaël Salaün <mic@digikod.net> · 2021-03-12
Re: [PATCH v7 4/5] certs: Factor out the blacklist hash creation · Jarkko Sakkinen <jarkko@kernel.org> · 2021-03-13
[PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2021-03-12
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · David Howells <dhowells@redhat.com> · 2022-04-20
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Jarkko Sakkinen <jarkko@kernel.org> · 2022-04-21
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2022-04-21
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Jarkko Sakkinen <jarkko@kernel.org> · 2022-04-21
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2022-04-21
Re: [PATCH v7 3/5] certs: Make blacklist_vet_description() more strict · Jarkko Sakkinen <jarkko@kernel.org> · 2022-04-22
[PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-03-12
Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-03-15
Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-03-15
Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-03-17
Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-03-17
Re: [PATCH v7 0/5] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-03-25
Re: [PATCH v7 0/5] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-04-07
Re: [PATCH v7 0/5] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-05-04

Re: [PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-03-15 17:00:51
Also in: keyrings, linux-crypto, linux-security-module, lkml

On Mar 12, 2021, at 10:12 AM, Mickaël Salaün [off-list ref] wrote:

From: Mickaël Salaün <redacted>

Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
to dynamically add new keys to the blacklist keyring.  This enables to
invalidate new certificates, either from being loaded in a keyring, or
from being trusted in a PKCS#7 certificate chain.  This also enables to
add new file hashes to be denied by the integrity infrastructure.

Being able to untrust a certificate which could have normaly been
trusted is a sensitive operation.  This is why adding new hashes to the
blacklist keyring is only allowed when these hashes are signed and
vouched by the builtin trusted keyring.  A blacklist hash is stored as a
key description.  The PKCS#7 signature of this description must be
provided as the key payload.

Marking a certificate as untrusted should be enforced while the system
is running.  It is then forbiden to remove such blacklist keys.

Update blacklist keyring, blacklist key and revoked certificate access rights:
* allows the root user to search for a specific blacklisted hash, which
 make sense because the descriptions are already viewable;
* forbids key update (blacklist and asymmetric ones);
* restricts kernel rights on the blacklist keyring to align with the
 root user rights.

See help in tools/certs/print-cert-tbs-hash.sh .

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <redacted>
Link: https://lore.kernel.org/r/20210312171232.2681989-6-mic@digikod.net (local)

I tried testing this, it doesn’t work as I would expect.  
Here is my test setup:

Kernel built with two keys compiled into the builtin_trusted_keys keyring

Generated a tbs cert from one of the keys and signed it with the other key

As root, added the tbs cert hash to the blacklist keyring

Verified the tbs hash is in the blacklist keyring

Enabled lockdown to enforce kernel module signature checking

Signed a kernel module with the key I just blacklisted

Load the kernel module 

I’m seeing the kernel module load, I would expect this to fail, since the 
key is now blacklisted.  Or is this change just supposed to prevent new keys 
from being added in the future?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help