From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v3 1/2] integrity, KEYS: add a reference to platform keyring
Date: Thu, 17 Jan 2019 23:20:45 +0000 [thread overview]
Message-ID: <1547767245.3931.56.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-2-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> Currently when loading new kernel via kexec_file_load syscall, it is able
> to verify the signed PE bzimage against .builtin_trusted_keys or
> .secondary_trusted_keys. But the image could be signed with third part
> keys which will be provided by platform or firmware as EFI variable (eg.
> stored in MokListRT EFI variable), and the keys won't be available in
> keyrings mentioned above.
>
> After commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware, this keyring is intended to be used for verifying kernel
> images being loaded by kexec_file_load syscall. And with a few following
> up commits, keys provided by firmware is being loaded into this keyring,
> and IMA-appraisal is able to use the keyring to verify kernel images.
> IMA is the currently the only user of that keyring.
How about simply saying, Commit "...." introduced a platform keyring
for storing preboot keys, used for verifying the kexec kernel image's
signature.
> This patch exposes the .platform, and makes it useable for other
> components. For example, kexec_file_load could use this .platform
> keyring to verify the kernel image's image.
The above statement is too generic.  Please replace "and makes it
useable for other components" with " keyring, making it accessible for
verifying a PE signed kernel image".
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 5 +++++
> security/integrity/digsig.c | 6 ++++++
> 3 files changed, 20 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..9e1b7849b6aa 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..bfabc2a8111d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> keyring[id] = NULL;
> }
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> + if (id = INTEGRITY_KEYRING_PLATFORM) {
> + set_platform_trusted_keys(keyring[id]);
> + }
> +#endif
> +
> return err;
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v3 1/2] integrity, KEYS: add a reference to platform keyring
Date: Thu, 17 Jan 2019 18:20:45 -0500 [thread overview]
Message-ID: <1547767245.3931.56.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-2-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> Currently when loading new kernel via kexec_file_load syscall, it is able
> to verify the signed PE bzimage against .builtin_trusted_keys or
> .secondary_trusted_keys. But the image could be signed with third part
> keys which will be provided by platform or firmware as EFI variable (eg.
> stored in MokListRT EFI variable), and the keys won't be available in
> keyrings mentioned above.
>
> After commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware, this keyring is intended to be used for verifying kernel
> images being loaded by kexec_file_load syscall. And with a few following
> up commits, keys provided by firmware is being loaded into this keyring,
> and IMA-appraisal is able to use the keyring to verify kernel images.
> IMA is the currently the only user of that keyring.
How about simply saying, Commit "...." introduced a platform keyring
for storing preboot keys, used for verifying the kexec kernel image's
signature.
> This patch exposes the .platform, and makes it useable for other
> components. For example, kexec_file_load could use this .platform
> keyring to verify the kernel image's image.
The above statement is too generic. Please replace "and makes it
useable for other components" with " keyring, making it accessible for
verifying a PE signed kernel image".
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 5 +++++
> security/integrity/digsig.c | 6 ++++++
> 3 files changed, 20 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..9e1b7849b6aa 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..bfabc2a8111d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> keyring[id] = NULL;
> }
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> + if (id == INTEGRITY_KEYRING_PLATFORM) {
> + set_platform_trusted_keys(keyring[id]);
> + }
> +#endif
> +
> return err;
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: jwboyer@fedoraproject.org, ebiggers@google.com,
dyoung@redhat.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, jmorris@namei.org,
dhowells@redhat.com, keyrings@vger.kernel.org,
linux-integrity@vger.kernel.org, dwmw2@infradead.org,
bauerman@linux.ibm.com, serge@hallyn.com
Subject: Re: [PATCH v3 1/2] integrity, KEYS: add a reference to platform keyring
Date: Thu, 17 Jan 2019 18:20:45 -0500 [thread overview]
Message-ID: <1547767245.3931.56.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-2-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> Currently when loading new kernel via kexec_file_load syscall, it is able
> to verify the signed PE bzimage against .builtin_trusted_keys or
> .secondary_trusted_keys. But the image could be signed with third part
> keys which will be provided by platform or firmware as EFI variable (eg.
> stored in MokListRT EFI variable), and the keys won't be available in
> keyrings mentioned above.
>
> After commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware, this keyring is intended to be used for verifying kernel
> images being loaded by kexec_file_load syscall. And with a few following
> up commits, keys provided by firmware is being loaded into this keyring,
> and IMA-appraisal is able to use the keyring to verify kernel images.
> IMA is the currently the only user of that keyring.
How about simply saying, Commit "...." introduced a platform keyring
for storing preboot keys, used for verifying the kexec kernel image's
signature.
> This patch exposes the .platform, and makes it useable for other
> components. For example, kexec_file_load could use this .platform
> keyring to verify the kernel image's image.
The above statement is too generic. Please replace "and makes it
useable for other components" with " keyring, making it accessible for
verifying a PE signed kernel image".
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 5 +++++
> security/integrity/digsig.c | 6 ++++++
> 3 files changed, 20 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..9e1b7849b6aa 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..bfabc2a8111d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> keyring[id] = NULL;
> }
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> + if (id == INTEGRITY_KEYRING_PLATFORM) {
> + set_platform_trusted_keys(keyring[id]);
> + }
> +#endif
> +
> return err;
> }
>
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2019-01-17 23:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-16 10:16 [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` [PATCH v3 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-17 23:20 ` Mimi Zohar [this message]
2019-01-17 23:20 ` Mimi Zohar
2019-01-17 23:20 ` Mimi Zohar
2019-01-16 10:16 ` [PATCH v3 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-17 23:25 ` Mimi Zohar
2019-01-17 23:25 ` Mimi Zohar
2019-01-17 23:25 ` Mimi Zohar
2019-01-18 1:08 ` [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image Mimi Zohar
2019-01-18 1:08 ` Mimi Zohar
2019-01-18 1:08 ` Mimi Zohar
2019-01-18 1:35 ` Dave Young
2019-01-18 1:35 ` Dave Young
2019-01-18 1:35 ` Dave Young
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 2:00 ` Dave Young
2019-01-18 2:00 ` Dave Young
2019-01-18 2:00 ` Dave Young
2019-01-18 2:16 ` Kairui Song
2019-01-18 2:16 ` Kairui Song
2019-01-18 2:16 ` Kairui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1547767245.3931.56.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kasong@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.