All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Nayna Jain <nayna@linux.ibm.com>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: dhowells@redhat.com, zohar@linux.ibm.com,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, dimitri.ledkov@canonical.com,
	seth@forshee.me, rnsastry@linux.ibm.com
Subject: Re: [PATCH v9 0/3] integrity: support including firmware ".platform" keys at build time
Date: Sat, 05 Mar 2022 01:45:08 +0200	[thread overview]
Message-ID: <293a795f4d1ffabb263ef06de677ea5827765be5.camel@kernel.org> (raw)
In-Reply-To: <20220304175403.20092-1-nayna@linux.ibm.com>

On Fri, 2022-03-04 at 12:54 -0500, Nayna Jain wrote:
> Some firmware support secure boot by embedding static keys to verify the
> Linux kernel during boot. However, these firmware do not expose an
> interface for the kernel to load firmware keys onto the ".platform"
> keyring, preventing the kernel from verifying the kexec kernel image
> signature.
> 
> This patchset exports load_certificate_list() and defines a new function
> load_builtin_platform_cert() to load compiled in certificates onto the
> ".platform" keyring.
> 
> Changelog:
> v9:
> * Rebased on tpmdd master branch repo - 
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
> 
> v8:
> * Includes Jarkko's feedback on patch description and removed Reported-by
> for Patch 1.
> 
> v7:
> * Incldues Jarkko's feedback on patch description for Patch 1 and 3.
> 
> v6:
> * Includes Jarkko's feedback:
>  * Split Patch 2 into two.
>  * Update Patch description.
> 
> v5:
> * Renamed load_builtin_platform_cert() to load_platform_certificate_list()
> and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as
> suggested by Mimi Zohar.
> 
> v4:
> * Split into two patches as per Mimi Zohar and Dimitri John Ledkov
> recommendation.
> 
> v3:
> * Included Jarkko's feedback
>  ** updated patch description to include approach.
>  ** removed extern for function declaration in the .h file.
> * Included load_certificate_list() within #ifdef CONFIG_KEYS condition.
> 
> v2:
> * Fixed the error reported by kernel test robot
> * Updated patch description based on Jarkko's feedback.
> 
> Nayna Jain (3):
>   certs: export load_certificate_list() to be used outside certs/
>   integrity: make integrity_keyring_from_id() non-static
>   integrity: support including firmware ".platform" keys at build time
> 
>  certs/Makefile                                |  5 ++--
>  certs/blacklist.c                             |  1 -
>  certs/common.c                                |  2 +-
>  certs/common.h                                |  9 -------
>  certs/system_keyring.c                        |  1 -
>  include/keys/system_keyring.h                 |  6 +++++
>  security/integrity/Kconfig                    | 10 +++++++
>  security/integrity/Makefile                   | 15 ++++++++++-
>  security/integrity/digsig.c                   |  2 +-
>  security/integrity/integrity.h                |  6 +++++
>  .../integrity/platform_certs/platform_cert.S  | 23 ++++++++++++++++
>  .../platform_certs/platform_keyring.c         | 26 +++++++++++++++++++
>  12 files changed, 90 insertions(+), 16 deletions(-)
>  delete mode 100644 certs/common.h
>  create mode 100644 security/integrity/platform_certs/platform_cert.S
> 
> 
> base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1

Thanks for the trouble! I'll pick these.

BR, Jarkko


  parent reply	other threads:[~2022-03-04 23:45 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-04 17:54 [PATCH v9 0/3] integrity: support including firmware ".platform" keys at build time Nayna Jain
2022-03-04 17:54 ` [PATCH v9 1/3] certs: export load_certificate_list() to be used outside certs/ Nayna Jain
2022-03-04 17:54 ` [PATCH v9 2/3] integrity: make integrity_keyring_from_id() non-static Nayna Jain
2022-03-04 17:54 ` [PATCH v9 3/3] integrity: support including firmware ".platform" keys at build time Nayna Jain
2022-03-04 23:45 ` Jarkko Sakkinen [this message]
2022-03-05  5:37 ` [PATCH v9 0/3] " Jarkko Sakkinen
2022-03-05  5:49   ` Jarkko Sakkinen
2022-03-06  1:32     ` Nayna
2022-03-06  2:10       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=293a795f4d1ffabb263ef06de677ea5827765be5.camel@kernel.org \
    --to=jarkko@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=dimitri.ledkov@canonical.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=rnsastry@linux.ibm.com \
    --cc=seth@forshee.me \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.