Re: [PATCH v4 00/12] Enroll kernel keys thru MOK

[PATCH v4 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 03/12] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 06/12] KEYS: add a reference to mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 07/12] KEYS: Introduce link restriction to include builtin, secondary and mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 05/12] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 01/12] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 08/12] KEYS: integrity: change link restriction to trust the mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 04/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 02/12] integrity: Do not allow mok keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 09/12] KEYS: link secondary_trusted_keys to mok trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 10/12] integrity: store reference to mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 11/12] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
[PATCH v4 12/12] integrity: Only use mok keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-08-19
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-19
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-19
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-19
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-08-23
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Nayna <hidden> · 2021-08-23
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-24
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-08-25
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · James Bottomley <James.Bottomley@HansenPartnership.com> · 2021-08-25
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Nayna <hidden> · 2021-08-27
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-30
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Nayna <hidden> · 2021-09-01
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-01
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-02
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-01
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-01
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-01
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-08-23
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-08-23
Re: [PATCH v4 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-23

From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2021-09-01 04:47:03
Also in: keyrings, linux-crypto, linux-security-module, lkml

On Wed, 2021-09-01 at 07:36 +0300, Jarkko Sakkinen wrote:

On Wed, 2021-09-01 at 07:34 +0300, Jarkko Sakkinen wrote:

quoted

On Fri, 2021-08-27 at 16:44 -0400, Nayna wrote:

quoted

On 8/25/21 6:27 PM, James Bottomley wrote:

quoted

On Thu, 2021-08-26 at 01:21 +0300, Jarkko Sakkinen wrote:

quoted

On Tue, 2021-08-24 at 10:34 -0400, Mimi Zohar wrote:

quoted

Jarkko, I think the emphasis should not be on "machine" from
Machine Owner Key (MOK), but on "owner".  Whereas Nayna is
focusing more on the "_ca" aspect of the name.   Perhaps
consider naming it "system_owner_ca" or something along those
lines.

What do you gain such overly long identifier? Makes no sense.
What is "ca aspect of the name" anyway?

As I mentioned previously, the main usage of this new keyring is
that it should contain only CA keys which can be later used to
vouch for user keys loaded onto secondary or IMA keyring at
runtime. Having ca in the  name like .xxxx_ca, would make the
keyring name self-describing. Since you preferred .system, we can
call it .system_ca.

Sounds good to me.  Jarkko?

thanks,

Mimi

I just wonder what you exactly gain with "_ca"?

Remember, a CA cert is a self signed cert with the CA:TRUE basic
constraint.  Pretty much no secure boot key satisfies this (secure boot
chose deliberately NOT to use CA certificates, so they're all some type
of intermediate or leaf), so the design seems to be only to pick out
the CA certificates you put in the MOK keyring.  Adding the _ca suffix
may deflect some of the "why aren't all my MOK certificates in the
keyring" emails ...

My understanding is the .system_ca keyring should not be restricted only 
to self-signed CAs (Root CA). Any cert that can qualify as Root or 
Intermediate CA with Basic Constraints CA:TRUE should be allowed. In 
fact, the intermediate CA certificates closest to the leaf nodes would 
be best.

Thanks for bringing up that adding the _ca suffix may deflect some of 
the "why aren't all my MOK certificates in the keyring" emails.

What the heck is the pragamatic gain of adding such a suffix? Makes
zero sense

If this series needs both "system" and "system_ca" keyrings, then
there would be some sanity in this.

Also, I still *fully* lack understanding of the use of word system.

Why MOK is not SOK then??

Please just call it "machine". You have machines that hold the keyring.

"system" does not mean anything concrete. I don't know what a "system"
is.

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help