Linux-Security-Module Archive on
 help / color / Atom feed
From: Nayna Jain <>
	Nayna Jain <>
Subject: [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA 
Date: Sun, 25 Nov 2018 20:44:53 +0530
Message-ID: <> (raw)

On secure boot enabled systems, a verified kernel may need to kexec
additional kernels. For example, it may be used as a bootloader needing
to kexec a target kernel or it may need to kexec a crashdump kernel.
In such cases, it may want to verify the signature of the next kernel

It is possible that the new kernel image is signed with third party keys
which are stored as platform or firmware keys in the 'db' variable. The
kernel, however, can not directly verify these platform keys, and an
administrator may therefore not want to trust them for arbitrary usage.
In order to differentiate platform keys from other keys and provide the
necessary separation of trust the kernel needs an additional keyring to
store platform/firmware keys.

The secure boot key database is expected to store the keys as EFI
Signature List(ESL). The patch set uses David Howells and Josh Boyer's
patch to access and parse the ESL to extract the certificates and load
them onto the platform keyring.

The last patch in this patch set adds support for IMA-appraisal to
verify the kexec'ed kernel image based on keys stored in the platform


- The original patches loaded the certificates onto the secondary
  trusted keyring. This patch set defines a new keyring named
  ".platform" and adds the certificates to this new keyring  
- moved files from certs/ to security/integrity/platform_certs/

Dave Howells (2):
  efi: Add EFI signature data types
  efi: Add an EFI signature blob parser

Josh Boyer (2):
  efi: Import certificates from UEFI Secure Boot
  efi: Allow the "db" UEFI variable to be suppressed

Nayna Jain (3):
  integrity: define a trusted platform keyring
  integrity: load certs to the platform keyring
  ima: support platform keyring for kernel appraisal

 include/linux/efi.h                                |  34 ++++
 security/integrity/Kconfig                         |  11 ++
 security/integrity/Makefile                        |   5 +
 security/integrity/digsig.c                        | 115 ++++++++----
 security/integrity/ima/ima_appraise.c              |  11 +-
 security/integrity/integrity.h                     |  23 ++-
 security/integrity/platform_certs/efi_parser.c     | 112 ++++++++++++
 security/integrity/platform_certs/load_uefi.c      | 192 +++++++++++++++++++++
 .../integrity/platform_certs/platform_keyring.c    |  62 +++++++
 9 files changed, 527 insertions(+), 38 deletions(-)
 create mode 100644 security/integrity/platform_certs/efi_parser.c
 create mode 100644 security/integrity/platform_certs/load_uefi.c
 create mode 100644 security/integrity/platform_certs/platform_keyring.c


             reply index

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-25 15:14 Nayna Jain [this message]
2018-11-25 15:14 ` [PATCH 1/7] integrity: Define a trusted platform keyring Nayna Jain
2018-11-25 15:14 ` [PATCH 2/7] integrity: Load certs to the " Nayna Jain
2018-11-25 15:14 ` [PATCH 3/7] efi: Add EFI signature data types Nayna Jain
2018-11-25 15:14 ` [PATCH 4/7] efi: Add an EFI signature blob parser Nayna Jain
2018-11-28 15:52   ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 5/7] efi: Import certificates from UEFI Secure Boot Nayna Jain
2018-11-28 15:46   ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 6/7] efi: Allow the "db" UEFI variable to be suppressed Nayna Jain
2018-11-25 15:15 ` [PATCH 7/7] ima: Support platform keyring for kernel appraisal Nayna Jain
2018-12-06 23:09   ` Serge E. Hallyn
2018-11-28 16:45 ` [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Mimi Zohar

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on

Archives are clonable:
	git clone --mirror linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ \
	public-inbox-index linux-security-module

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox