From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Nayna Jain <nayna@linux.ibm.com>
Cc: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Elaine Palmer <erpalmer@us.ibm.com>,
Eric Ricther <erichte@linux.ibm.com>,
Oliver O'Halloran <oohall@gmail.com>
Subject: Re: [PATCH v2 4/4] powerpc: load firmware trusted keys into kernel keyring
Date: Wed, 21 Aug 2019 09:32:24 -0700 [thread overview]
Message-ID: <20190821163224.GC28571@kroah.com> (raw)
In-Reply-To: <1566400103-18201-5-git-send-email-nayna@linux.ibm.com>
On Wed, Aug 21, 2019 at 11:08:23AM -0400, Nayna Jain wrote:
> The keys used to verify the Host OS kernel are managed by OPAL as secure
> variables. This patch loads the verification keys into the .platform
> keyring and revocation keys into .blacklist keyring. This enables
> verification and loading of the kernels signed by the boot time keys which
> are trusted by firmware.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
> security/integrity/Kconfig | 9 ++
> security/integrity/Makefile | 3 +
> .../integrity/platform_certs/load_powerpc.c | 94 +++++++++++++++++++
> 3 files changed, 106 insertions(+)
> create mode 100644 security/integrity/platform_certs/load_powerpc.c
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 0bae6adb63a9..2b4109c157e2 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
> depends on S390
> def_bool y
>
> +config LOAD_PPC_KEYS
> + bool "Enable loading of platform and revocation keys for POWER"
> + depends on INTEGRITY_PLATFORM_KEYRING
> + depends on PPC_SECURE_BOOT
> + def_bool y
def_bool y only for things that the system will not boot if it is not
enabled because you added a new feature. Otherwise just do not set the
default.
> + help
> + Enable loading of db keys to the .platform keyring and dbx keys to
> + the .blacklist keyring for powerpc based platforms.
> +
> config INTEGRITY_AUDIT
> bool "Enables integrity auditing support "
> depends on AUDIT
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 525bf1d6e0db..9eeb6b053de3 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -14,6 +14,9 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
> platform_certs/load_uefi.o \
> platform_certs/keyring_handler.o
> integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
> +integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
> + platform_certs/load_powerpc.o \
> + platform_certs/keyring_handler.o
> $(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
> subdir-$(CONFIG_IMA) += ima
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> new file mode 100644
> index 000000000000..f4d869171062
> --- /dev/null
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -0,0 +1,94 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain <nayna@linux.ibm.com>
> + *
> + * load_powernv.c
That's not the name of this file :(
And the perfect example of why you NEVER have the name of the file in
the file itself, as it's not needed and easy to get wrong :)
thanks,
greg k-h
prev parent reply other threads:[~2019-08-21 16:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-21 15:08 [PATCH v2 0/4] powerpc: expose secure variables to the kernel and userspace Nayna Jain
2019-08-21 15:08 ` [PATCH v2 1/4] powerpc/powernv: Add OPAL API interface to access secure variable Nayna Jain
2019-08-22 5:02 ` Oliver O'Halloran
2019-08-22 5:41 ` Oliver O'Halloran
2019-08-21 15:08 ` [PATCH v2 2/4] powerpc: expose secure variables to userspace via sysfs Nayna Jain
2019-08-21 16:30 ` Greg Kroah-Hartman
2019-08-22 5:18 ` Oliver O'Halloran
2019-08-21 15:08 ` [PATCH v2 3/4] x86/efi: move common keyring handler functions to new file Nayna Jain
2019-08-21 16:30 ` Greg Kroah-Hartman
2019-08-21 15:08 ` [PATCH v2 4/4] powerpc: load firmware trusted keys into kernel keyring Nayna Jain
2019-08-21 16:32 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190821163224.GC28571@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=cclaudio@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=erpalmer@us.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).