Re: [PATCH 0/2] [IMA] Measure public keys of BuiltIn Trusted Keys

On 6/11/19 10:13 AM, Mimi Zohar wrote:

> The design of IMA from the very beginning has been to allow the system
> owner to decide which keys to trust.  This is the reason that the root
> of trust pivots from the pre-boot keys to the keys embedded in the
> Linux kernel.  When software packages contain both the file data and
> file signatures, the system owner will be able to pick and choose
> which public keys to sign and load onto the IMA keyring.
>
> This patch set might not be limiting which public keys may be loaded
> onto the builtin/secondary keyrings, but by virtue of including this
> information in the measurement list, the attestation service (e.g. TNC)
> will be able to deny access.  IMA walks a fine line in enforcing and
> measuring file integrity.  This patch set breaches that fine line and
> by so doing, brings back the fears of trusted computing.


I don't understand why measuring the keyring is more restrictive. Currently the signature of a file can already be measured. This means that the service can maintain a list of allowable keys and see if the files are signed with any of those keys. So effectively it is already possible for a service to deny access to the machine based on the keys it trusts.

I also think validating the keys in the keyring is less restrictive than file-hash validation. You can say "I trust any file that the signer trusts". In file-hash validation you're saying "I only trust the files that I trust".


> Many attempts over the years were made to update grub to support
> secure & trusted boot.  Richard Stallman (grudgingly) added the secure
> boot callbacks, which are also being used for trusted boot.  The code
> to actually do the signature verification though, as far as I'm aware,
> is still not part of grub.
>
> It also took a really long time and effort to convince Stallman that
> TPMs aren't totally bad.  He's added an addendum to the wiki.[1]
> Let's try not to upset Stallman too much.

I do understand the desire to avoid taking a step backward by pushing too hard. As I said above, I don't see this as more restrictive than the existing measurements. But you have more understanding of the history here so let me know if I'm missing something.

-Jordan


> Mimi
>
> [1] https://www.gnu.org/philosophy/can-you-trust.en.html
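As an added illustration of the point Jordan makes above (example code written for this page, not from the thread or the kernel tree): a small verifier that reads constructed ima-sig measurement-list lines, pulls the signing key id out of each measured signature header, and applies a trusted-key allow list, so a service can already reject a system based on which keys signed its files. The header layout follows the kernel's v2 security.ima signature header; the file digests, template digests, key ids and signature bytes are made up.

```python
import struct

# Header layout of a v2 security.ima signature, as the ima-sig template
# measures it: type 0x03, version 2, hash algo, 4-byte key id, 2-byte sig length.
EVM_IMA_XATTR_DIGSIG = 0x03
HASH_ALGO_SHA256 = 4


def parse_ima_sig(sig_hex):
    """Return (hash_algo, keyid) from a measured signature, or None if malformed."""
    raw = bytes.fromhex(sig_hex)
    if len(raw) < 9 or raw[0] != EVM_IMA_XATTR_DIGSIG or raw[1] != 2:
        return None
    hash_algo, keyid, sig_size = struct.unpack(">BIH", raw[2:9])
    if len(raw) != 9 + sig_size:
        return None
    return hash_algo, keyid


def make_sig(keyid, sig=b"\xaa" * 8, hash_algo=HASH_ALGO_SHA256):
    """Build a constructed signature blob (dummy signature bytes, real header layout)."""
    hdr = bytes([EVM_IMA_XATTR_DIGSIG, 2, hash_algo]) + struct.pack(">IH", keyid, len(sig))
    return (hdr + sig).hex()


def measured_signers(lines):
    """Map each path in ima-sig entries to the key id that signed it
    (None for unsigned or malformed entries). Sample paths contain no spaces."""
    signers = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "ima-sig":
            continue
        parsed = parse_ima_sig(fields[5]) if len(fields) > 5 else None
        signers[fields[4]] = parsed[1] if parsed else None
    return signers


def attest(lines, trusted_keyids):
    """Policy from the thread: trust any file signed by a trusted key.
    Returns (ok, list of paths that fail the policy)."""
    failing = [p for p, k in measured_signers(lines).items() if k not in trusted_keyids]
    return (not failing, failing)


# Constructed measurement-list lines (PCR 10, ima-sig template); template
# digests, file digests and key ids are made up.
TMPL = "0" * 40
SAMPLE_LIST = [
    f"10 {TMPL} ima-sig sha256:{'1' * 64} /usr/bin/ls {make_sig(0x11223344)}",
    f"10 {TMPL} ima-sig sha256:{'2' * 64} /usr/bin/cat {make_sig(0x99887766)}",
    f"10 {TMPL} ima-sig sha256:{'3' * 64} /tmp/unsigned.sh",
]
```

Calling `attest(SAMPLE_LIST, {0x11223344})` rejects the system because `/usr/bin/cat` was signed by an untrusted key and `/tmp/unsigned.sh` carries no signature at all.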
