Hello, (in plain text)
I respond to the original question of this thread. signed initramfs allows not only to add keys to the keyrings but perform other initialization, which requires user-space. Keys can be embedded into the kernel. This is fine. Regards - Dmitry On Thu, Apr 11, 2013 at 12:05 AM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > On Wed, 2013-04-10 at 15:42 -0400, Vivek Goyal wrote: >> On Tue, Apr 09, 2013 at 11:07:10PM -0400, Mimi Zohar wrote: >> >> [..] >> > The module keyring is a special case. Loading these keys from the >> > kernel and, presumably, locking the keyring is probably fine. In the >> > case of IMA, however, files will be signed by any number of package >> > owners. If the _ima keyring is locked by the kernel, how would you add >> > these other keys? >> >> Who are package owners here. IOW, in typical IMA setup, where are the keys >> and when are these keys loaded in ima keyring? > > Suppose I install third party packages not signed by the distro, but by > the package owner (eg. google, rpmfusion, ...). Not only does the > package signature need to be verified on installation, but the files > need to be installed with signatures. For IMA to enforce file > integrity, the package owner's public key needs to be added to the _ima > keyring. > >> If we trust root and keys can be loaded any time later, then signed >> initramfs will not solve the problem either. > > Locking the keyring in the kernel will limit the set of permitted keys > to only those specified in UEFI db or builtin. Locking the keyring in > the "early" initramfs, will allow the system owner, whose key is in the > UEFI db, to specify additional keys, such as those for third party > packages. Not all public keys belong in the UEFI db. > > Mimi > > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
