From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Stefan Berger <stefanb@linux.ibm.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH v4 0/3] ima: kernel build support for loading the kernel module signing key
Date: Fri, 09 Apr 2021 14:48:45 -0400 [thread overview]
Message-ID: <b631513d0b5200577bb613ee23e2cdf7ad4bd175.camel@linux.ibm.com> (raw)
In-Reply-To: <20210409143507.191443-1-nayna@linux.ibm.com>
On Fri, 2021-04-09 at 10:35 -0400, Nayna Jain wrote:
> Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
> The kernel module signing key is a self-signed CA only loaded onto the
> .builtin_trusted_key keyring. On secure boot enabled systems with an arch
> specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
> are not signed, nor is the kernel module signing public key loaded onto the
> IMA keyring.
>
> In order to load the the kernel module signing key onto the IMA trusted
> keyring ('.ima'), the certificate needs to be signed by a CA key either on
> the builtin or secondary keyrings. The original version of this patch set
> created and loaded a kernel-CA key onto the builtin keyring. The kernel-CA
> key signed the kernel module signing key, allowing it to be loaded onto the
> IMA trusted keyring.
>
> However, missing from this version was support for the kernel-CA to sign the
> hardware token certificate. Adding that support would add additional
> complexity.
>
> Since the kernel module signing key is embedded into the Linux kernel at
> build time, instead of creating and loading a kernel-CA onto the builtin
> trusted keyring, this version makes an exception and allows the
> self-signed kernel module signing key to be loaded directly onto the
> trusted IMA keyring.
Thanks, Nayna.
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
next-integrity
Mimi
prev parent reply other threads:[~2021-04-09 18:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-09 14:35 [PATCH v4 0/3] ima: kernel build support for loading the kernel module signing key Nayna Jain
2021-04-09 14:35 ` [PATCH v4 1/3] keys: cleanup build time module signing keys Nayna Jain
2021-04-09 14:35 ` [PATCH v4 2/3] ima: enable signing of modules with build time generated key Nayna Jain
2021-04-09 14:35 ` [PATCH v4 3/3] ima: enable loading of build time generated key on .ima keyring Nayna Jain
2021-04-09 18:48 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b631513d0b5200577bb613ee23e2cdf7ad4bd175.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.