[PATCH v12 0/4] integrity: support including firmware ".platform" keys at build time

From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, dimitri.ledkov@canonical.com,
	seth@forshee.me, rnsastry@linux.ibm.com, masahiroy@kernel.org,
	Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH v12 0/4] integrity: support including firmware ".platform" keys at build time
Date: Fri, 11 Mar 2022 16:03:40 -0500	[thread overview]
Message-ID: <20220311210344.102396-1-nayna@linux.ibm.com> (raw)

Some firmware support secure boot by embedding static keys to verify the
Linux kernel during boot. However, these firmware do not expose an
interface for the kernel to load firmware keys onto the ".platform"
keyring, preventing the kernel from verifying the kexec kernel image
signature.

This patchset exports load_certificate_list() and defines a new function
load_builtin_platform_cert() to load compiled in certificates onto the
".platform" keyring.

Changelog:
v12:
* Replace Patch 3/4 with reverting of the commit as suggested by
Masahiro Yamada.

v11:
* Added a new patch to conditionally build extract-cert if
PLATFORM_KEYRING is enabled.

v10:
* Fixed the externs warning for Patch 3.

v9:
* Rebased on Jarkko's repo - 
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

v8:
* Includes Jarkko's feedback on patch description and removed Reported-by
for Patch 1.

v7:
* Incldues Jarkko's feedback on patch description for Patch 1 and 3.

v6:
* Includes Jarkko's feedback:
 * Split Patch 2 into two.
 * Update Patch description.

v5:
* Renamed load_builtin_platform_cert() to load_platform_certificate_list()
and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as
suggested by Mimi Zohar.

v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.

v3:
* Included Jarkko's feedback
 ** updated patch description to include approach.
 ** removed extern for function declaration in the .h file.
* Included load_certificate_list() within #ifdef CONFIG_KEYS condition.

v2:
* Fixed the error reported by kernel test robot
* Updated patch description based on Jarkko's feedback.

Nayna Jain (4):
  certs: export load_certificate_list() to be used outside certs/
  integrity: make integrity_keyring_from_id() non-static
  Revert "certs: move scripts/extract-cert to certs/"
  integrity: support including firmware ".platform" keys at build time

 MAINTAINERS                                   |  1 +
 certs/.gitignore                              |  1 -
 certs/Makefile                                | 18 ++++++---------
 certs/blacklist.c                             |  1 -
 certs/common.c                                |  2 +-
 certs/common.h                                |  9 --------
 certs/system_keyring.c                        |  1 -
 include/keys/system_keyring.h                 |  6 +++++
 scripts/.gitignore                            |  1 +
 scripts/Makefile                              | 12 ++++++++--
 {certs => scripts}/extract-cert.c             |  2 +-
 scripts/remove-stale-files                    |  2 --
 security/integrity/Kconfig                    | 10 ++++++++
 security/integrity/Makefile                   | 15 +++++++++++-
 security/integrity/digsig.c                   |  2 +-
 security/integrity/integrity.h                |  9 ++++++++
 .../integrity/platform_certs/platform_cert.S  | 23 +++++++++++++++++++
 .../platform_certs/platform_keyring.c         | 23 +++++++++++++++++++
 18 files changed, 107 insertions(+), 31 deletions(-)
 delete mode 100644 certs/common.h
 rename {certs => scripts}/extract-cert.c (98%)
 create mode 100644 security/integrity/platform_certs/platform_cert.S

base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9
-- 
2.34.1