Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* Re: cert update procedure with insert-sys-cert
       [not found] ` <ef2f5a5ac6396a0c29a5680cff0388b0c42a0400.camel@linux.ibm.com>
@ 2021-04-07 18:08   ` Daniel Walker
  0 siblings, 0 replies; only message in thread
From: Daniel Walker @ 2021-04-07 18:08 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Mehmet Kayaalp, Nayna Jain, George Wilson, David Howells,
	Mimi Zohar, keyrings, linux-security-module

On Wed, Apr 07, 2021 at 12:51:13PM -0400, Mimi Zohar wrote:
> [Cc'ing Nayna Jain, George Wilson]
> 
> Hi Daniel,
> 
> On Wed, 2021-04-07 at 09:32 -0700, Daniel Walker wrote:
> > Hi,
> > 
> > I was wondering about the practical use of this insert-sys-cert. How is the compressed
> > kernel re-made ? You submitted this change,
> > 
> > https://patchwork.kernel.org/project/linux-security-module/patch/20180502230811.2751-4-mkayaalp@linux.vnet.ibm.com/
> > 
> > for re-assemble a bzImage for x86. Is it the case that the bzImage can not be
> > re-assembled by using the make system ?
> > 
> > Cisco is similar to IBM in that we internally distribute a binary SDK with a
> > kernel. The actual build tree is only saved in a partial form.
> > 
> > We currently use the above commit to insert a certificate for x86, however, I've
> > found that other architecture are more complex than x86. For example , powerpc
> > images maybe not have ELF headers.
> > 
> > I'm wondering what values does the insert-sys-cert have without the bzImage
> > commit ? Am I using it wrong, and there's a way to use the make system to
> > reassemble ?
> 
> On powerpc, the kernel image is signed with an appended signature,
> using the same format as kernel modules.  scripts/sign-file.c can be
> used to append the kernel image signature.  Verifying the kernel image
> is limited on powerpc to kexec_file_load syscall.
> 
> The CONFIG_IMA_ARCH_POLICY loads architecture specific rules.  With
> secure boot enabled on powerpc, it loads a policy requiring the kernel
> image to be signed.

There is no way to insert new certificates with the insert-sys-cert tool ? Or
maybe I'm not understanding your comments.

Daniel

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20210407162534.GA3981976@zorba>
     [not found] ` <ef2f5a5ac6396a0c29a5680cff0388b0c42a0400.camel@linux.ibm.com>
2021-04-07 18:08   ` cert update procedure with insert-sys-cert Daniel Walker

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git