[PATCH v2 00/10] Add CA enforcement keyring restrictions

Eric Snowberg eric.snowberg at oracle.com
Tue Dec 13 02:41:23 UTC 2022



> On Dec 12, 2022, at 2:44 PM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> 
> Hi Eric, Coiby,
> 
> On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote:
>>> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu at redhat.com> wrote:
>>> 
>>> Thanks for your work! The patch set looks good to me except for the
>>> requirement of an intermediate CA certificate should be vouched for by a
>>> root CA certificate before it can vouch for other certificates. What if
>>> users only want to enroll an intermediate CA certificate into the MOK?
>> 
>> This question would need to be answered by the maintainers.  The intermediate 
>> requirement was based on my understanding of previous discussions requiring
>> there be a way to validate root of trust all the way back to the root CA.
> 
> That definitely did not come from me.  My requirement all along has
> been to support a single self-signed CA certificate for the end
> user/customer use case, so that they could create and load their own
> public key, signed by that CA, onto the trusted IMA/EVM keyrings.
> 
>> 
>>> If this requirement could be dropped, the code could be simplified and
>>> some issues could be resolved automatically,
>> 
>> Agreed. I will make sure the issue below is resolved one way or the other,
>> once we have an agreement on the requirements. 
> 
> I totally agree with Coiby that there is no need for intermediate CA
> certificates to be vouched for by a root CA certificate.  In fact the
> closer the CA certificate is to the leaf code signing certificate, the
> better.  As much as possible we want to limit the CA keys being loaded
> onto the machine keyring to those that are absolutely required.

Ok, I will change this in the next round.  The confusion around the requirement
comes from the request to validate the cert is self-signed.  The intermediate in this
case will not be self-signed.  As long as this check is not necessary, I will drop it from
the code and allow the intermediate to vouch for the ima key without the root being
present.  Thanks for clearing this up.
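To make the two policies discussed above concrete, the following Go program (an added illustration using crypto/x509, not code from the patch set or the kernel keyring implementation) builds a constructed root / intermediate / IMA-signing-key chain and shows that the "must be self-signed" test rejects the intermediate, while treating the intermediate alone as the trust anchor still verifies the leaf without the root being present. The CommonNames and key material are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a CA or leaf certificate for cn signed by parent; a nil parent
// makes it self-signed (a root CA). Constructed test material, not real keys.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}

// isSelfSigned is the "must be a root" test the thread drops: an intermediate CA,
// signed by its parent rather than by its own key, fails it.
func isSelfSigned(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// vouchedBy reports whether leaf chains to anchor when anchor is the only trusted
// CA (a keyring holding just that CA); inters may help build the chain but are
// not trusted on their own.
func vouchedBy(leaf, anchor *x509.Certificate, inters ...*x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range inters {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := leaf.Verify(opts)
	return err == nil
}
```

With the root loaded as the only anchor, the leaf verifies only if the intermediate is also supplied, which is why limiting the keyring to the CA closest to the leaf loses nothing for this use case.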


