Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions


 




> On Dec 12, 2022, at 2:44 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> 
> Hi Eric, Coiby,
> 
> On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote:
>>> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu@xxxxxxxxxx> wrote:
>>> 
>>> Thanks for your work! The patch set looks good to me except for the
>>> requirement that an intermediate CA certificate should be vouched for by a
>>> root CA certificate before it can vouch for other certificates. What if
>>> users only want to enroll an intermediate CA certificate into the MOK?
>> 
>> This question would need to be answered by the maintainers.  The intermediate 
>> requirement was based on my understanding of previous discussions requiring
>> there be a way to validate root of trust all the way back to the root CA.
> 
> That definitely did not come from me.  My requirement all along has
> been to support a single self-signed CA certificate for the end
> user/customer use case, so that they could create and load their own
> public key, signed by that CA, onto the trusted IMA/EVM keyrings.
> 
>> 
>>> If this requirement could be dropped, the code could be simplified and
>>> some issues could be resolved automatically,
>> 
>> Agreed. I will make sure the issue below is resolved one way or the other,
>> once we have an agreement on the requirements. 
> 
> I totally agree with Coiby that there is no need for intermediate CA
> certificates to be vouched for by a root CA certificate.  In fact the
> closer the CA certificate is to the leaf code signing certificate, the
> better.  As much as possible we want to limit the CA keys being loaded
> onto the machine keyring to those that are absolutely required.

Ok, I will change this in the next round.  The confusion around the requirement 
comes from the request to validate the cert is self-signed.  The intermediate in this
case will not be self-signed.  As long as this check is not necessary, I will drop it from
the code and allow the intermediate to vouch for the IMA key without the root being
present.  Thanks for clearing this up.




