Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v3 0/3] ima: kernel build support for loading the kernel module signing key
@ 2021-03-30 13:16 Nayna Jain
  2021-03-30 13:16 ` [PATCH v3 1/3] keys: cleanup build time module signing keys Nayna Jain
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Nayna Jain @ 2021-03-30 13:16 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Stefan Berger, Linux Kernel Mailing List,
	David Woodhouse, Nayna Jain

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring.  On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings. The original version of this patch set
created and loaded a kernel-CA key onto the builtin keyring. The kernel-CA
key signed the kernel module signing key, allowing it to be loaded onto the
IMA trusted keyring.

However, missing from this version was support for the kernel-CA to sign the
hardware token certificate. Adding that support would add additional
complexity.

Since the kernel module signing key is embedded into the Linux kernel at
build time, instead of creating and loading a kernel-CA onto the builtin
trusted keyring, this version makes an exception and allows the 
self-signed kernel module signing key to be loaded directly onto the 
trusted IMA keyring

v3:

* Fix the "Fixes" tag as suggested by Stefan for Patch 1/3.
* Revert back the CA signed module signing key to only self-signed.
* Allow self signed key as exception only for build time generated
module signing key onto .ima keyring.

v2:

* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.

Nayna Jain (3):
  keys: cleanup build time module signing keys
  ima: enable signing of modules with build time generated key
  ima: enable loading of build time generated key on .ima keyring

 Makefile                      |  6 ++---
 certs/Kconfig                 |  2 +-
 certs/Makefile                |  8 ++++++
 certs/system_certificates.S   | 13 +++++++++-
 certs/system_keyring.c        | 47 +++++++++++++++++++++++++++--------
 include/keys/system_keyring.h |  7 ++++++
 init/Kconfig                  |  6 ++---
 security/integrity/digsig.c   |  2 ++
 8 files changed, 73 insertions(+), 18 deletions(-)

-- 
2.29.2

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-30 13:16 [PATCH v3 0/3] ima: kernel build support for loading the kernel module signing key Nayna Jain
2021-03-30 13:16 ` [PATCH v3 1/3] keys: cleanup build time module signing keys Nayna Jain
2021-03-31  2:55   ` Jarkko Sakkinen
2021-03-30 13:16 ` [PATCH v3 2/3] ima: enable signing of modules with build time generated key Nayna Jain
2021-04-02 11:27   ` Stefan Berger
2021-03-30 13:16 ` [PATCH v3 3/3] ima: enable loading of build time generated key on .ima keyring Nayna Jain
2021-04-02 11:29   ` Stefan Berger

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git