On 6/11/19 10:13 AM, Mimi Zohar wrote:
> The design of IMA from the very beginning has been to allow the system owner to decide which keys to trust. This is the reason that the root of trust pivots from the pre-boot keys to the keys embedded in the Linux kernel. When software packages contain both the file data and file signatures, the system owner will be able to pick and choose which public keys to sign and load onto the IMA keyring. This patch set might not be limiting which public keys may be loaded onto the builtin/secondary keyrings, but by virtue of including this information in the measurement list, the attestation service (e.g. TNC) will be able to deny access. IMA walks a fine line in enforcing and measuring file integrity. This patch set breaches that fine line and by so doing, brings back the fears of trusted computing.
I don't understand why measuring the keyring is more restrictive. Currently the signature of a file can already be measured. This means that the service can maintain a list of allowable keys and see if the files are signed with any of those keys. So effectively it is already possible for a service to deny access to the machine based on the keys it trusts.
I also think validating the keys in the keyring is less restrictive than file-hash validation. You can say "I trust any file that the signer trusts". In file-hash validation you're saying "I only trust the files that I trust".
> Many attempts over the years were made to update grub to support secure & trusted boot. Richard Stallman (grudgingly) added the secure boot callbacks, which are also being used for trusted boot. The code to actually do the signature verification though, as far as I'm aware, is still not part of grub. It also took a really long time and effort to convince Stallman that TPMs aren't totally bad. He's added an addendum to the wiki.[1] Let's try not to upset Stallman too much.
I do understand the desire to avoid taking a step backward by pushing too hard. As I said above, I don't see this as more restrictive than the existing measurements. But you have more understanding of the history here so let me know if I'm missing something.
-Jordan
> Mimi
>
> [1] https://www.gnu.org/philosophy/can-you-trust.en.html
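Jordan's point is that an attestation service can already derive a trusted-signer policy from the file signatures in the measurement list. The script below is an added illustration of that, not code from the thread or from the kernel tree: it parses `ima-sig` entries in the ascii_runtime_measurements layout (PCR, template hash, template name, `algo:hash`, path, signature blob as hex), decodes the IMA `signature_v2_hdr` at the front of each blob (type 0x03, version 0x02, hash algorithm, big-endian 32-bit key id, big-endian 16-bit signature length), and classifies each file by whether its signer's key id is on the service's allowlist. The PCR value, hashes, key ids, paths and signature bytes in the sample are constructed.

```python
"""Classify ima-sig measurement entries by signer key id (added example).

Assumptions: entries follow the kernel's ascii_runtime_measurements format
for the ima-sig template, and the signature blob begins with the IMA
signature_v2_hdr (type, version, hash_algo, be32 keyid, be16 sig_size).
All sample values below are constructed, not taken from a real system.
"""
import struct
from string import hexdigits

EVM_IMA_XATTR_DIGSIG = 3                 # xattr type byte for a digital signature
SIG_HDR = struct.Struct(">BBBIH")        # type, version, hash_algo, keyid, sig_size


def parse_sig_header(sig_hex):
    """Return (keyid, sig_size) for a well-formed v2 signature blob, else None."""
    blob = bytes.fromhex(sig_hex)
    if len(blob) < SIG_HDR.size:
        return None
    xtype, version, _hash_algo, keyid, sig_size = SIG_HDR.unpack_from(blob)
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        return None
    if len(blob) != SIG_HDR.size + sig_size:     # truncated or padded blob
        return None
    return keyid, sig_size


def parse_ima_sig_entry(line):
    """Split one measurement-list line; return None for non-ima-sig templates."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "ima-sig":
        return None
    pcr, template_hash, _template, filedata = fields[:4]
    # Paths start with '/', so a trailing all-hex token can only be the signature.
    last = fields[-1]
    has_sig = len(fields) > 5 and all(c in hexdigits for c in last) and len(last) % 2 == 0
    path = " ".join(fields[4:-1] if has_sig else fields[4:])
    algo, _, digest = filedata.partition(":")
    return {"pcr": int(pcr), "template_hash": template_hash, "algo": algo,
            "digest": digest, "path": path, "sig": last if has_sig else ""}


def evaluate(measurements, trusted_keyids):
    """Map each ima-sig path to trusted / untrusted-key / unsigned / malformed-signature."""
    verdicts = {}
    for line in measurements.splitlines():
        entry = parse_ima_sig_entry(line)
        if entry is None:
            continue
        if not entry["sig"]:
            verdicts[entry["path"]] = "unsigned"
            continue
        hdr = parse_sig_header(entry["sig"])
        if hdr is None:
            verdicts[entry["path"]] = "malformed-signature"
            continue
        keyid, _ = hdr
        verdicts[entry["path"]] = "trusted" if keyid in trusted_keyids else "untrusted-key"
    return verdicts


# Constructed sample list: one trusted signer, one unsigned file, one file
# signed by an unknown key, one truncated signature blob, one ima-ng entry.
TEMPLATE_HASH = "ab" * 20     # constructed 160-bit template hash
FILE_HASH = "cd" * 32         # constructed sha256 file digest
SAMPLE_MEASUREMENTS = "\n".join([
    f"10 {TEMPLATE_HASH} ima-sig sha256:{FILE_HASH} /usr/bin/bash 030204aabbccdd0004deadbeef",
    f"10 {TEMPLATE_HASH} ima-sig sha256:{FILE_HASH} /usr/local/bin/unsigned-tool",
    f"10 {TEMPLATE_HASH} ima-sig sha256:{FILE_HASH} /usr/lib/third-party.so 03020411223344000400c0ffee",
    f"10 {TEMPLATE_HASH} ima-sig sha256:{FILE_HASH} /opt/app/truncated 030204aabbccdd0010beef",
    f"10 {TEMPLATE_HASH} ima-ng sha256:{FILE_HASH} /etc/hosts",
])
TRUSTED_KEYIDS = {0xAABBCCDD}  # key ids the attestation service accepts (constructed)

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_MEASUREMENTS, TRUSTED_KEYIDS).items():
        print(f"{verdict:20s} {path}")
```

The verdict for a whole machine is then a policy decision over this map (for instance, deny if any entry is `untrusted-key` or `malformed-signature`), which is the same decision the service could make from the key ids themselves; the measurement list already carries the signer identity per file.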