LKML Archive on lore.kernel.org
 help / color / Atom feed
* [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image
@ 2019-01-09 16:48 Kairui Song
  2019-01-09 16:48 ` [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
  2019-01-09 16:48 ` [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
  0 siblings, 2 replies; 12+ messages in thread
From: Kairui Song @ 2019-01-09 16:48 UTC (permalink / raw)
  To: linux-kernel
  Cc: dhowells, dwmw2, jwboyer, keyrings, jmorris, serge, zohar,
	bauerman, ebiggers, nayna, dyoung, linux-integrity, kexec,
	Kairui Song

Hi,

This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.

This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.

Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.

Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.

Kairui Song (2):
  integrity, KEYS: add a reference to platform keyring
  kexec, KEYS: Make use of platform keyring for signature verify

 arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
 certs/system_keyring.c            | 10 +++++++++-
 include/keys/system_keyring.h     |  5 +++++
 include/linux/verification.h      |  1 +
 security/integrity/digsig.c       |  4 ++++
 5 files changed, 29 insertions(+), 4 deletions(-)

-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, back to index

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-09 16:48 [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-09 16:48 ` [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-09 19:21   ` Mimi Zohar
2019-01-09 16:48 ` [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-11 13:43   ` Dave Young
2019-01-11 16:13     ` Mimi Zohar
2019-01-13  1:39       ` Dave Young
2019-01-14  3:28         ` Kairui Song
2019-01-14 16:10         ` Mimi Zohar
2019-01-15  2:42           ` Dave Young
2019-01-15  3:10             ` Kairui Song
2019-01-15 15:17             ` nayna

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox