From: Petko M. <pe...@mi...> - 2015-03-23 14:42:49
On 15-03-23 07:00:13, Mimi Zohar wrote:
>
> All the keys in the top directory of the kernel build tree are added to
> the system keyring, nothing is added to the IMA keyring.
Makes sense.
> > > - KEYS: Add a system blacklist keyring
> >
> > This is, however, of interest to me. Does the kernel support CRLs or
> > "blacklist" has some different meaning here?
Can this blacklist keyring handle certificates as well?
> > > - MODSIGN: Import certificates from UEFI Secure Boot
> > > - Add EFI signature data types
> > > - Add an EFI signature blob parser and key loader
> > These may come in handy later on.
>
> These patches add the UEFI/MoK db keys to the system keyring. Without
> them, only the builtin keys are on the system keyring.
Is there a public repository I can check out these patches from?
> Actually the diagram is a bit different than the one you showed. It
> would be:
>
> local-CA ----> IMA_key_1 (signed certificate (eg. selfsigned/CA 1))
>     |
>     |--------> IMA_key_2 (signed certificate (eg. selfsigned/CA 2))
>
I've gotten the above to work. The question is, does this make sense:

local-CA ----> IMA_key_1 (signed certificate (eg. selfsigned/CA 1))
    |
    |--------> local-CA2 (on the .system keyring) ---> IMA_key_3 (signed cert/CA3)

Here local-CA2 (which belongs to a trusted entity) is used to sign IMA_key_3 (and possibly others), which in turn IMA uses to sign immutable files.
> Right, once a key is signed by the local-CA and the local-CA key is on the system keyring, use evmctl to load the key onto the .ima keyring.
Right. Can the .ima keyring handle CAs or just keys? If it can't, then I assume the only option is to get all CAs into the .system keyring and use .ima for keys only.
thanks,
Petko
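
[Editor's note: the script below is an added example, not part of Petko's or Mimi's mail and not code from ima-evm-utils or the kernel. It builds both key hierarchies from the diagrams above with openssl (local-CA -> IMA_key_1, and local-CA -> local-CA2 -> IMA_key_3), checks which certificates chain to which, and signs a file's digest the way an IMA signature is computed. The subject names, file paths, extension profiles and the use of RSA-2048/SHA-256 are assumptions made for the example; the keyctl/evmctl lines that would load the DER certificates onto the kernel keyrings are shown as comments only, since they need root and a running IMA-enabled kernel.]

```shell
#!/bin/sh
# Added example (not from the thread, not ima-evm-utils code): build the
# trust hierarchy discussed above with openssl and check it offline.
#
#   local-CA ----> IMA_key_1                  (leaf signed directly by the root)
#       |
#       |--------> local-CA2 ----> IMA_key_3  (leaf signed by an intermediate CA)
#
# Names, subjects and paths are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: empty DN section (subjects come from -subj) plus
# one extension profile for CA certificates and one for IMA signing keys.
write_config() {
  cat > "$WORK/ima.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ima_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# new_key NAME: fresh RSA key and a CSR for /CN=NAME
new_key() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ima.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# sign_cert NAME PROFILE [ISSUER]: issue NAME.pem from its CSR. Without an
# issuer the certificate is self-signed (the root local-CA); otherwise it is
# signed by ISSUER's key. The DER copy is the form keyctl/evmctl load.
sign_cert() {
  if [ $# -eq 2 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 -sha256 \
      -extfile "$WORK/ima.cnf" -extensions "$2" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$WORK/ima.cnf" -extensions "$2" \
      -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

build_pki() {
  write_config
  new_key local-CA  && sign_cert local-CA  ca_ext
  new_key IMA_key_1 && sign_cert IMA_key_1 ima_ext local-CA
  new_key local-CA2 && sign_cert local-CA2 ca_ext  local-CA
  new_key IMA_key_3 && sign_cert IMA_key_3 ima_ext local-CA2
}

# verify_chain LEAF ROOT [INTERMEDIATE]: succeeds iff LEAF chains to ROOT.
# Note that the intermediate must be supplied explicitly; the root alone
# cannot validate IMA_key_3.
verify_chain() {
  if [ $# -eq 3 ]; then
    openssl verify -CAfile "$WORK/$2.pem" -untrusted "$WORK/$3.pem" "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# sign_file KEY FILE / check_file KEY FILE: RSA signature over the file's
# SHA-256 digest, the primitive behind an IMA file signature (the xattr
# header evmctl ima_sign wraps around it is omitted here).
sign_file() { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"; }
check_file() {
  openssl x509 -in "$WORK/$1.pem" -pubkey -noout > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Loading onto the kernel keyrings (needs root, keyutils and ima-evm-utils;
# not executed here):
#   keyctl padd asymmetric "" %keyring:.ima < "$WORK/IMA_key_1.der"
#   evmctl import "$WORK/IMA_key_1.der" "$(keyctl search @u keyring _ima)"
#   evmctl ima_sign --key "$WORK/IMA_key_1.key" /path/to/immutable/file

build_pki
verify_chain IMA_key_1 local-CA           && echo "IMA_key_1 chains to local-CA"
verify_chain IMA_key_3 local-CA local-CA2 && echo "IMA_key_3 chains to local-CA via local-CA2"
verify_chain IMA_key_3 local-CA           || echo "IMA_key_3 does not verify against local-CA alone"
printf 'immutable content\n' > "$WORK/file"
sign_file IMA_key_1 "$WORK/file" && check_file IMA_key_1 "$WORK/file" && echo "file signature OK"
```

The point the script makes concrete for the question above: a leaf signed by an intermediate (IMA_key_3) only validates when the intermediate's certificate is available to the verifier as well as the root, so wherever the kernel does that validation, local-CA2 has to be reachable from there, not just local-CA.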