linux-kernel.vger.kernel.org archive mirror
* [PATCH 0/5] ima: kernel build support for loading the kernel module signing key
@ 2021-02-11 19:54 Nayna Jain
  2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
                   ` (4 more replies)
  0 siblings, 5 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring.  On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings.  This series of patches enables IMA
verification of signed kernel modules by:

* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.

* Enable module signing at build time for IMA_APPRAISE_MODSIG as well

Nayna Jain (5):
  keys: cleanup build time module signing keys
  keys: generate self-signed module signing key using CSR
  ima: update kernel module signing process during build
  keys: define build time generated ephemeral kernel CA key
  ima: enable loading of build time generated key to .ima keyring

 Makefile                      |  9 ++--
 certs/Kconfig                 |  2 +-
 certs/Makefile                | 77 ++++++++++++++++++++++++++++++++---
 certs/system_certificates.S   | 16 +++++++-
 certs/system_keyring.c        | 56 +++++++++++++++++++------
 include/keys/system_keyring.h |  9 +++-
 init/Kconfig                  |  6 +--
 security/integrity/digsig.c   |  4 ++
 8 files changed, 151 insertions(+), 28 deletions(-)

-- 
2.18.1


* [PATCH 1/5] keys: cleanup build time module signing keys
  2021-02-11 19:54 [PATCH 0/5] ima: kernel build support for loading the kernel module signing key Nayna Jain
@ 2021-02-11 19:54 ` Nayna Jain
  2021-02-11 21:57   ` Stefan Berger
  2021-02-12 23:47   ` Jarkko Sakkinen
  2021-02-11 19:54 ` [PATCH 2/5] keys: generate self-signed module signing key using CSR Nayna Jain
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well as removes the names of the files which
are no longer generated.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Fixes: 28a68f828266 ("modsign: Use single PEM file for autogenerated key")
---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index ade44ac4cc2f..af18aab6bbee 100644
--- a/Makefile
+++ b/Makefile
@@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated          \
 		  debian snap tar-install \
 		  .config .config.old .version \
 		  Module.symvers \
-		  signing_key.pem signing_key.priv signing_key.x509	\
-		  x509.genkey extra_certificates signing_key.x509.keyid	\
-		  signing_key.x509.signer vmlinux-gdb.py \
+		  certs/signing_key.pem certs/signing_key.x509 \
+		  certs/x509.genkey \
+		  vmlinux-gdb.py \
 		  *.spec
 
 # Directories & files removed with 'make distclean'
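Review bot: The entries dropped from MRPROPER_FILES (signing_key.priv, extra_certificates, signing_key.x509.keyid, signing_key.x509.signer) are removed as "no longer generated", but the commit message does not name them or say which commits stopped producing them, and the single Fixes: tag only covers the move to one PEM file. Listing the dropped names in the message, with the commit that retired each, would let a reviewer confirm that mrproper does not leave anything behind in the top-level directory.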
-- 
2.18.1



* [PATCH 2/5] keys: generate self-signed module signing key using CSR
  2021-02-11 19:54 [PATCH 0/5] ima: kernel build support for loading the kernel module signing key Nayna Jain
  2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
@ 2021-02-11 19:54 ` Nayna Jain
  2021-02-11 22:01   ` Stefan Berger
  2021-02-12 23:47   ` Jarkko Sakkinen
  2021-02-11 19:54 ` [PATCH 3/5] ima: update kernel module signing process during build Nayna Jain
                   ` (2 subsequent siblings)
  4 siblings, 2 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self-signed or signed by a CA.

This patch generates a self-signed module signing key using CSR.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 Makefile       |  3 ++-
 certs/Makefile | 15 +++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index af18aab6bbee..9c87fdd600d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
 		  .config .config.old .version \
 		  Module.symvers \
 		  certs/signing_key.pem certs/signing_key.x509 \
-		  certs/x509.genkey \
+		  certs/x509.genkey certs/signing_key.key \
+		  certs/signing_key.crt certs/signing_key.csr \
 		  vmlinux-gdb.py \
 		  *.spec
 
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..b2be7eb413d3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "### needs to be run as root, and uses a hardware random"
 	@$(kecho) "### number generator if one is available."
 	@$(kecho) "###"
-	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-		-batch -x509 -config $(obj)/x509.genkey \
-		-outform PEM -out $(obj)/signing_key.pem \
-		-keyout $(obj)/signing_key.pem \
+	$(Q)openssl req -new -nodes -utf8 \
+		-batch -config $(obj)/x509.genkey \
+		-outform PEM -out $(obj)/signing_key.csr \
+		-keyout $(obj)/signing_key.key -extensions myexts \
 		$($(quiet)redirect_openssl)
+	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
+		-outform PEM -out $(obj)/signing_key.crt \
+		-signkey $(obj)/signing_key.key \
+		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
+		-extfile $(obj)/x509.genkey \
+		$($(quiet)redirect_openssl)
+	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem
 	@$(kecho) "###"
 	@$(kecho) "### Key pair generated."
 	@$(kecho) "###"
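Review bot: The added line "@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem" appends, so if this rule reruns while an older signing_key.pem is still present (x509.genkey newer than the target, for instance) the bundle ends up holding two private keys and two certificates. Use ">" so the target is always rebuilt from scratch. The recipe also leaves the unencrypted private key (-nodes) in signing_key.key as well as in signing_key.pem; removing the .key and .csr intermediates after the bundle is written would keep it to one copy. The commit message should also say why -$(CONFIG_MODULE_SIG_HASH) moved from the "openssl req" step to the "openssl x509 -req" step.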
-- 
2.18.1



* [PATCH 3/5] ima: update kernel module signing process during build
  2021-02-11 19:54 [PATCH 0/5] ima: kernel build support for loading the kernel module signing key Nayna Jain
  2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
  2021-02-11 19:54 ` [PATCH 2/5] keys: generate self-signed module signing key using CSR Nayna Jain
@ 2021-02-11 19:54 ` Nayna Jain
  2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
  2021-02-11 19:54 ` [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Nayna Jain
  4 siblings, 0 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 certs/Kconfig | 2 +-
 init/Kconfig  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
 config MODULE_SIG_KEY
 	string "File name or PKCS#11 URI of module signing key"
 	default "certs/signing_key.pem"
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
          Provide the file name of a private key/certificate in PEM format,
          or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/init/Kconfig b/init/Kconfig
index 29ad68325028..68147bbda5f9 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2162,7 +2162,7 @@ config MODULE_SIG_FORCE
 config MODULE_SIG_ALL
 	bool "Automatically sign all modules"
 	default y
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
 	  Sign all modules during make modules_install. Without this option,
 	  modules must be signed manually, using the scripts/sign-file tool.
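Review bot: MODULE_SIG_ALL keeps "default y", so widening its dependency to "MODULE_SIG || IMA_APPRAISE_MODSIG" switches on signing of every module at modules_install for configs that set IMA_APPRAISE_MODSIG without MODULE_SIG. That is a behaviour change for existing IMA configs and the commit message should say so explicitly; the help text under this option could also mention the IMA case, since it still reads as if only MODULE_SIG were involved.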
@@ -2172,7 +2172,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
 
 choice
 	prompt "Which hash algorithm should modules be signed with?"
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
 	  This determines which sort of hashing algorithm will be used during
 	  signature generation.  This algorithm _must_ be built into the kernel
@@ -2204,7 +2204,7 @@ endchoice
 
 config MODULE_SIG_HASH
 	string
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	default "sha1" if MODULE_SIG_SHA1
 	default "sha224" if MODULE_SIG_SHA224
 	default "sha256" if MODULE_SIG_SHA256
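Review bot: The line "depends on MODULE_SIG || IMA_APPRAISE_MODSIG" on MODULE_SIG_HASH is the fourth copy of the same expression in this patch (MODULE_SIG_KEY, MODULE_SIG_ALL, the hash choice and here). A single hidden symbol selected by both MODULE_SIG and IMA_APPRAISE_MODSIG, with these four options depending on it, would keep the sites from drifting apart when a third user appears.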
-- 
2.18.1



* [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
  2021-02-11 19:54 [PATCH 0/5] ima: kernel build support for loading the kernel module signing key Nayna Jain
                   ` (2 preceding siblings ...)
  2021-02-11 19:54 ` [PATCH 3/5] ima: update kernel module signing process during build Nayna Jain
@ 2021-02-11 19:54 ` Nayna Jain
  2021-02-11 22:13   ` Stefan Berger
                     ` (2 more replies)
  2021-02-11 19:54 ` [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Nayna Jain
  4 siblings, 3 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin or secondary trusted keyring.

This patch creates and includes in the kernel image an ephemeral CA
key, at build time when IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 Makefile                    |  2 ++
 certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
 certs/system_certificates.S | 16 ++++++++-
 3 files changed, 80 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 9c87fdd600d8..a1d4b0a1745e 100644
--- a/Makefile
+++ b/Makefile
@@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated          \
 		  certs/signing_key.pem certs/signing_key.x509 \
 		  certs/x509.genkey certs/signing_key.key \
 		  certs/signing_key.crt certs/signing_key.csr \
+		  certs/ca_signing_key.pem certs/ca_signing_key.x509 \
+		  certs/ca_signing_key.srl \
 		  vmlinux-gdb.py \
 		  *.spec
 
diff --git a/certs/Makefile b/certs/Makefile
index b2be7eb413d3..c3592ba63a05 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
 clean-files := x509_certificate_list .x509.list
 
 ifeq ($(CONFIG_MODULE_SIG),y)
+SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+SIGN_KEY = y
+endif
+
+ifdef SIGN_KEY
 ###############################################################################
 #
 # If module signing is requested, say by allyesconfig, but a key has not been
@@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+# openssl arguments for CA Signed certificate.
+CA_KEY = certs/ca_signing_key.pem
+SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial
+else
+# openssl arguments for Self Signed certificate.
+SIGNER = -signkey $(obj)/signing_key.key
+endif # CONFIG_IMA_APPRAISE_MODSIG
+
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
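Review bot: "CA_KEY = certs/ca_signing_key.pem" spells out the directory where the self-signed branch just below it, and the rest of this rule, use $(obj)/, and the same assignment is repeated later in this patch outside the "ifeq ($(CONFIG_MODULE_SIG_KEY),...)" block. Define CA_KEY once, as $(obj)/ca_signing_key.pem, ahead of both users.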
@@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "### needs to be run as root, and uses a hardware random"
 	@$(kecho) "### number generator if one is available."
 	@$(kecho) "###"
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+	# Generate kernel build time CA Certificate.
+	@$(Q)openssl req -new -nodes -utf8 \
+		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
+		-subj "/CN=Build time autogenerated kernel CA key" \
+		-batch -x509 -config $(obj)/x509.genkey \
+		-outform PEM -out $(CA_KEY) \
+		-keyout $(CA_KEY) -extensions ca_ext \
+		$($(quiet)redirect_openssl)
+endif # CONFIG_IMA_APPRAISE_MODSIG
 	$(Q)openssl req -new -nodes -utf8 \
 		-batch -config $(obj)/x509.genkey \
 		-outform PEM -out $(obj)/signing_key.csr \
 		-keyout $(obj)/signing_key.key -extensions myexts \
 		$($(quiet)redirect_openssl)
 	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
-		-outform PEM -out $(obj)/signing_key.crt \
-		-signkey $(obj)/signing_key.key \
+		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
 		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
 		-extfile $(obj)/x509.genkey \
 		$($(quiet)redirect_openssl)
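Review bot: The CA created in the "ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)" branch is called ephemeral, but "-nodes ... -keyout $(CA_KEY)" leaves its private key unencrypted in certs/ca_signing_key.pem, and the MRPROPER_FILES entry added by this patch shows the file stays in the tree until mrproper. Because this certificate goes onto the builtin trusted keyring, anyone who obtains that file can issue further certificates that qualify for the .ima keyring. Delete the CA private key once signing_key.crt has been signed, keeping only the certificate for extract-cert, and state that lifetime in the commit message. Two smaller points in the same branch: "@$(Q)" doubles the silencing prefix, and the tab-indented "# Generate kernel build time CA Certificate." line is part of the recipe and gets handed to the shell.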
@@ -95,19 +122,50 @@ $(obj)/x509.genkey:
 	@echo >>$@ "keyUsage=digitalSignature"
 	@echo >>$@ "subjectKeyIdentifier=hash"
 	@echo >>$@ "authorityKeyIdentifier=keyid"
+	@echo >>$@
+	@echo >>$@ "[ ca_ext ]"
+	@echo >>$@ "keyUsage=critical,keyCertSign"
+	@echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0"
+	@echo >>$@ "subjectKeyIdentifier=hash"
+	@echo >>$@ "authorityKeyIdentifier=keyid"
 endif # CONFIG_MODULE_SIG_KEY
 
 $(eval $(call config_filename,MODULE_SIG_KEY))
+SUBJECT=CN = Build time autogenerated kernel key
+ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer)
 
 # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
+
+# GCC PR#66871 again.
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+
+# Remove existing keys if it is self-signed.
+$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey))
+CA_KEY = certs/ca_signing_key.pem
+
+$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509
+
+targets += ca_signing_key.x509
+$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE
+	$(call if_changed,extract_certs,$(CA_KEY))
+
+targets += signing_key.x509
+$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE
+	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
+else
+
+# Remove existing keys if it is CA signed.
+$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))
+
 ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
 X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
 endif
 
-# GCC PR#66871 again.
 $(obj)/system_certificates.o: $(obj)/signing_key.x509
 
 targets += signing_key.x509
-$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
+$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE
 	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
-endif # CONFIG_MODULE_SIG
+
+endif # CONFIG_IMA_APPRAISE_MODSIG
+endif # SIGN_KEY
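Review bot: In the non-IMA branch, "$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))" runs the rm whenever the issuer does not match, and ISSUER is empty whenever certs/signing_key.crt does not exist. A tree carrying a user-supplied certs/signing_key.pem with no .crt beside it would have that key deleted while the Makefile is being parsed, since this code sits outside the "ifeq ($(CONFIG_MODULE_SIG_KEY),...)" block. Gate the cleanup on the .crt existing and carrying the autogenerated subject, and do it in a rule rather than through $(shell ...) at parse time. The ISSUER assignment also invokes openssl on every parse, and the match relies on openssl printing the issuer as "CN = ...", which is an output format rather than an interface.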
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index 8f29058adf93..e10043800a7e 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -8,8 +8,13 @@
 	.globl system_certificate_list
 system_certificate_list:
 __cert_list_start:
-#ifdef CONFIG_MODULE_SIG
+__module_cert_start:
+#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
 	.incbin "certs/signing_key.x509"
+#endif
+__module_cert_end:
+#ifdef CONFIG_IMA_APPRAISE_MODSIG
+	.incbin "certs/ca_signing_key.x509"
 #endif
 	.incbin "certs/x509_certificate_list"
 __cert_list_end:
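Review bot: The new __module_cert_start/__module_cert_end labels turn "signing_key.x509 is the first thing in system_certificate_list" into an invariant that the C code in patch 5 relies on (it walks from system_certificate_list for module_cert_size bytes), yet nothing in this file says so. Add a comment above "__module_cert_start:" stating that the module signing certificate must stay first, so a later .incbin is not inserted ahead of it.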
@@ -35,3 +40,12 @@ system_certificate_list_size:
 #else
 	.long __cert_list_end - __cert_list_start
 #endif
+
+	.align 8
+	.globl module_cert_size
+	module_cert_size:
+#ifdef CONFIG_64BIT
+	.quad __module_cert_end - __module_cert_start
+#else
+	.long __module_cert_end - __module_cert_start
+#endif
-- 
2.18.1



* [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring
  2021-02-11 19:54 [PATCH 0/5] ima: kernel build support for loading the kernel module signing key Nayna Jain
                   ` (3 preceding siblings ...)
  2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
@ 2021-02-11 19:54 ` Nayna Jain
  2021-02-11 22:32   ` Stefan Berger
  2021-02-12 23:48   ` Jarkko Sakkinen
  4 siblings, 2 replies; 18+ messages in thread
From: Nayna Jain @ 2021-02-11 19:54 UTC (permalink / raw)
  To: linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain

The kernel currently only loads the kernel module signing key onto
the builtin trusted keyring. To support IMA, load the module signing
key selectively either onto builtin or ima keyring based on MODULE_SIG
or MODULE_APPRAISE_MODSIG config respectively; and load the CA kernel
key onto builtin trusted keyring.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 certs/system_keyring.c        | 56 +++++++++++++++++++++++++++--------
 include/keys/system_keyring.h |  9 +++++-
 security/integrity/digsig.c   |  4 +++
 3 files changed, 55 insertions(+), 14 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 798291177186..0bbbe501f8a7 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -26,6 +26,7 @@ static struct key *platform_trusted_keys;
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
 
 /**
  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void)
  */
 device_initcall(system_trusted_keyring_init);
 
-/*
- * Load the compiled-in list of X.509 certificates.
- */
-static __init int load_system_certificate_list(void)
+static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring,
+			    unsigned long flags)
 {
 	key_ref_t key;
-	const u8 *p, *end;
 	size_t plen;
 
-	pr_notice("Loading compiled-in X.509 certificates\n");
-
-	p = system_certificate_list;
-	end = p + system_certificate_list_size;
 	while (p < end) {
 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 		 * than 256 bytes in size.
@@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void)
 		if (plen > end - p)
 			goto dodgy_cert;
 
-		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
+		key = key_create_or_update(make_key_ref(keyring, 1),
 					   "asymmetric",
 					   NULL,
 					   p,
 					   plen,
 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 					   KEY_USR_VIEW | KEY_USR_READ),
-					   KEY_ALLOC_NOT_IN_QUOTA |
-					   KEY_ALLOC_BUILT_IN |
-					   KEY_ALLOC_BYPASS_RESTRICTION);
+					   flags);
+
 		if (IS_ERR(key)) {
 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 			       PTR_ERR(key));
@@ -185,6 +178,43 @@ static __init int load_system_certificate_list(void)
 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
 	return 0;
 }
+
+__init int load_module_cert(struct key *keyring, unsigned long flags)
+{
+	const u8 *p, *end;
+
+	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+		return 0;
+
+	pr_notice("Loading compiled-in module X.509 certificates\n");
+
+	p = system_certificate_list;
+	end = p + module_cert_size;
+	load_cert(p, end, keyring, flags);
+
+	return 0;
+}
+
+/*
+ * Load the compiled-in list of X.509 certificates.
+ */
+static __init int load_system_certificate_list(void)
+{
+	const u8 *p, *end;
+
+	pr_notice("Loading compiled-in X.509 certificates\n");
+
+#ifdef CONFIG_MODULE_SIG
+	p = system_certificate_list;
+#else
+	p = system_certificate_list + module_cert_size;
+#endif
+	end = p + system_certificate_list_size;
+	load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA |
+						KEY_ALLOC_BUILT_IN |
+						KEY_ALLOC_BYPASS_RESTRICTION);
+	return 0;
+}
 late_initcall(load_system_certificate_list);
 
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
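Review bot: In the rewritten load_system_certificate_list(), when CONFIG_MODULE_SIG is not set p is advanced by module_cert_size, but "end = p + system_certificate_list_size" is still computed from the advanced pointer, so the walk is allowed to run module_cert_size bytes past the end of the list. Compute end as system_certificate_list + system_certificate_list_size before adjusting p. Both this function and load_module_cert() also discard the return value of load_cert(), and load_cert() itself lost the descriptive comment that used to sit above the loop it now contains.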
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index fb8b07daa9d1..e91c03376599 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
 					    const struct key_type *type,
 					    const union key_payload *payload,
 					    struct key *restriction_key);
-
+extern __init int load_module_cert(struct key *keyring, unsigned long flags);
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
+
+static inline __init int load_module_cert(struct key *keyring,
+					  unsigned long flags)
+{
+	return 0;
+}
+
 #endif
 
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0f518dcfde05..4009d1e33fe0 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id,
 	} else {
 		if (id == INTEGRITY_KEYRING_PLATFORM)
 			set_platform_trusted_keys(keyring[id]);
+		if (id == INTEGRITY_KEYRING_IMA)
+			load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA);
 	}
 
+	pr_info("Loading key to ima keyring\n");
+
 	return err;
 }
 
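Review bot: The added pr_info("Loading key to ima keyring\n") sits after the closing brace of the if/else, not inside the "id == INTEGRITY_KEYRING_IMA" check, so it is printed for every keyring id this function initialises and on both branches of the preceding if/else. Move it next to the load_module_cert() call, or drop it, since load_module_cert() already prints its own notice. The return value of load_module_cert() is ignored here as well.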
-- 
2.18.1
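
A user-space model of the split described in the commit message above, as an added example that is not code from the patch or from the kernel: one concatenated certificate list whose leading region holds the module signing certificate, walked once for the .ima keyring and once for the builtin keyring. The entry layout (0x30 0x82 followed by two length bytes), all function names and the sample entries are assumptions constructed for illustration.

```c
/* User-space model (added example, not kernel code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Count well-formed entries in [p, end); -1 if any entry is malformed.
 * Assumed entry layout: 0x30 0x82 <len_hi> <len_lo> <body of len bytes>.
 */
static int walk_certs(const uint8_t *p, const uint8_t *end)
{
	int n = 0;

	while (p < end) {
		size_t left = (size_t)(end - p);
		size_t plen;

		if (left < 4 || p[0] != 0x30 || p[1] != 0x82)
			return -1;
		plen = (((size_t)p[2] << 8) | p[3]) + 4;
		if (plen > left)
			return -1;	/* length field runs past the region */
		p += plen;
		n++;
	}
	return n;
}

/* Certificates accepted per keyring; -1 means the region was rejected. */
struct split {
	int ima;
	int builtin;
};

static struct split split_list(const uint8_t *list, size_t list_size,
			       size_t module_size, int module_sig,
			       int ima_modsig)
{
	struct split s = { -1, -1 };
	const uint8_t *end = list + list_size;	/* bound taken from the list base */
	const uint8_t *mod_end;

	if (module_size > list_size)
		return s;	/* inconsistent sizes: load nothing */
	mod_end = list + module_size;

	/* Module signing cert: .ima keyring only when IMA modsig is enabled. */
	s.ima = ima_modsig ? walk_certs(list, mod_end) : 0;
	/* builtin keyring: whole list with MODULE_SIG, else skip the module cert. */
	s.builtin = walk_certs(module_sig ? list : mod_end, end);
	return s;
}

/* Constructed sample entry: header plus filler body (not a real certificate). */
static size_t put_cert(uint8_t *dst, size_t body_len, uint8_t fill)
{
	dst[0] = 0x30;
	dst[1] = 0x82;
	dst[2] = (uint8_t)(body_len >> 8);
	dst[3] = (uint8_t)(body_len & 0xff);
	memset(dst + 4, fill, body_len);
	return body_len + 4;
}

/*
 * Build [module cert][CA cert][one extra cert] and split it.
 * trim shortens the list; mod_extra inflates the module region size.
 */
static struct split run_sample(int module_sig, int ima_modsig,
			       size_t trim, size_t mod_extra)
{
	static uint8_t buf[1024];
	size_t off = 0, module_size;

	off += put_cert(buf + off, 300, 0xA1);	/* module signing cert */
	module_size = off;
	off += put_cert(buf + off, 280, 0xB2);	/* build-time CA cert */
	off += put_cert(buf + off, 260, 0xC3);	/* extra trusted cert */

	return split_list(buf, off - trim, module_size + mod_extra,
			  module_sig, ima_modsig);
}

int main(void)
{
	struct split s = run_sample(0, 1, 0, 0);

	printf("IMA only:  ima=%d builtin=%d\n", s.ima, s.builtin);
	s = run_sample(1, 1, 0, 0);
	printf("both:      ima=%d builtin=%d\n", s.ima, s.builtin);
	s = run_sample(0, 1, 10, 0);
	printf("truncated: ima=%d builtin=%d\n", s.ima, s.builtin);
	return 0;
}
```

Because the end bound is always derived from the list base, skipping the module region can only shrink the builtin walk, and a truncated list or an oversized module region is rejected instead of being read past.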



* Re: [PATCH 1/5] keys: cleanup build time module signing keys
  2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
@ 2021-02-11 21:57   ` Stefan Berger
  2021-02-12 21:33     ` Nayna
  2021-02-12 23:47   ` Jarkko Sakkinen
  1 sibling, 1 reply; 18+ messages in thread
From: Stefan Berger @ 2021-02-11 21:57 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List

On 2/11/21 2:54 PM, Nayna Jain wrote:
> The "mrproper" target is still looking for build time generated keys
> in the old path instead of certs/ directory.
> This patch fixes the path as well as removes the names of the files which
> are no longer generated.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Fixes: 28a68f828266 ("modsign: Use single PEM file for autogenerated key")
I was curious about some of the files and how they were created in the
past but couldn't see it in the history of the Makefile. The above
Fixes tag seems to give the wrong commit id:


commit 28a68f828266754c2bd64b87873e8099e3f8fe0c

Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Oct 29 13:59:45 2020 +1000

     drm/radeon/ttm: use multihop


> ---
>   Makefile | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index ade44ac4cc2f..af18aab6bbee 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated          \
>   		  debian snap tar-install \
>   		  .config .config.old .version \
>   		  Module.symvers \
> -		  signing_key.pem signing_key.priv signing_key.x509	\
> -		  x509.genkey extra_certificates signing_key.x509.keyid	\
> -		  signing_key.x509.signer vmlinux-gdb.py \
> +		  certs/signing_key.pem certs/signing_key.x509 \
> +		  certs/x509.genkey \
> +		  vmlinux-gdb.py \
>   		  *.spec
>   
>   # Directories & files removed with 'make distclean'




* Re: [PATCH 2/5] keys: generate self-signed module signing key using CSR
  2021-02-11 19:54 ` [PATCH 2/5] keys: generate self-signed module signing key using CSR Nayna Jain
@ 2021-02-11 22:01   ` Stefan Berger
  2021-02-18 22:02     ` Nayna
  2021-02-12 23:47   ` Jarkko Sakkinen
  1 sibling, 1 reply; 18+ messages in thread
From: Stefan Berger @ 2021-02-11 22:01 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List

On 2/11/21 2:54 PM, Nayna Jain wrote:
> Loading a key on the IMA trusted keyring requires the key be signed
> by an existing key on the builtin or secondary trusted keyring.
> Creating a Certificate Signing Request (CSR) allows the certificate
> to be self-signed or signed by a CA.
>
> This patch generates a self-signed module signing key using CSR.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>   Makefile       |  3 ++-
>   certs/Makefile | 15 +++++++++++----
>   2 files changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index af18aab6bbee..9c87fdd600d8 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
>   		  .config .config.old .version \
>   		  Module.symvers \
>   		  certs/signing_key.pem certs/signing_key.x509 \
> -		  certs/x509.genkey \
> +		  certs/x509.genkey certs/signing_key.key \
> +		  certs/signing_key.crt certs/signing_key.csr \
>   		  vmlinux-gdb.py \
>   		  *.spec
>   
> diff --git a/certs/Makefile b/certs/Makefile
> index f4c25b67aad9..b2be7eb413d3 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "### needs to be run as root, and uses a hardware random"
>   	@$(kecho) "### number generator if one is available."
>   	@$(kecho) "###"
> -	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> -		-batch -x509 -config $(obj)/x509.genkey \
> -		-outform PEM -out $(obj)/signing_key.pem \
> -		-keyout $(obj)/signing_key.pem \
> +	$(Q)openssl req -new -nodes -utf8 \
> +		-batch -config $(obj)/x509.genkey \
> +		-outform PEM -out $(obj)/signing_key.csr \
> +		-keyout $(obj)/signing_key.key -extensions myexts \
>   		$($(quiet)redirect_openssl)
> +	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> +		-outform PEM -out $(obj)/signing_key.crt \
> +		-signkey $(obj)/signing_key.key \
> +		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
> +		-extfile $(obj)/x509.genkey \
> +		$($(quiet)redirect_openssl)
> +	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem


Could you not just rename signing_key.key to signing_key.pem (as it was 
before) and that would be it? Why do you need the .crt in that pem bundle?

    Stefan




* Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
  2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
@ 2021-02-11 22:13   ` Stefan Berger
  2021-02-11 23:25     ` Mimi Zohar
  2021-02-12  3:30   ` kernel test robot
  2021-02-12  8:25   ` kernel test robot
  2 siblings, 1 reply; 18+ messages in thread
From: Stefan Berger @ 2021-02-11 22:13 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List

On 2/11/21 2:54 PM, Nayna Jain wrote:
> Certificates being loaded onto the IMA trusted keyring must be signed by
> a key on either the builtin or secondary trusted keyring.
>
> This patch creates and includes in the kernel image an ephemeral CA
> key, at build time when IMA_APPRAISE_MODSIG is enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>   Makefile                    |  2 ++
>   certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
>   certs/system_certificates.S | 16 ++++++++-
>   3 files changed, 80 insertions(+), 6 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9c87fdd600d8..a1d4b0a1745e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated          \
>   		  certs/signing_key.pem certs/signing_key.x509 \
>   		  certs/x509.genkey certs/signing_key.key \
>   		  certs/signing_key.crt certs/signing_key.csr \
> +		  certs/ca_signing_key.pem certs/ca_signing_key.x509 \
> +		  certs/ca_signing_key.srl \
>   		  vmlinux-gdb.py \
>   		  *.spec
>   
> diff --git a/certs/Makefile b/certs/Makefile
> index b2be7eb413d3..c3592ba63a05 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
>   clean-files := x509_certificate_list .x509.list
>   
>   ifeq ($(CONFIG_MODULE_SIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifdef SIGN_KEY
>   ###############################################################################
>   #
>   # If module signing is requested, say by allyesconfig, but a key has not been
> @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null
>   # external private key, because 'make randconfig' might enable such a
>   # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
>   ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +# openssl arguments for CA Signed certificate.
> +CA_KEY = certs/ca_signing_key.pem
> +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial
> +else
> +# openssl arguments for Self Signed certificate.
> +SIGNER = -signkey $(obj)/signing_key.key
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +
>   $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "###"
>   	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
> @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "### needs to be run as root, and uses a hardware random"
>   	@$(kecho) "### number generator if one is available."
>   	@$(kecho) "###"
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +	# Generate kernel build time CA Certificate.
> +	@$(Q)openssl req -new -nodes -utf8 \
> +		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> +		-subj "/CN=Build time autogenerated kernel CA key" \
> +		-batch -x509 -config $(obj)/x509.genkey \
> +		-outform PEM -out $(CA_KEY) \
> +		-keyout $(CA_KEY) -extensions ca_ext \
> +		$($(quiet)redirect_openssl)
> +endif # CONFIG_IMA_APPRAISE_MODSIG
>   	$(Q)openssl req -new -nodes -utf8 \
>   		-batch -config $(obj)/x509.genkey \
>   		-outform PEM -out $(obj)/signing_key.csr \
>   		-keyout $(obj)/signing_key.key -extensions myexts \
>   		$($(quiet)redirect_openssl)
>   	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> -		-outform PEM -out $(obj)/signing_key.crt \
> -		-signkey $(obj)/signing_key.key \
> +		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
>   		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
>   		-extfile $(obj)/x509.genkey \
>   		$($(quiet)redirect_openssl)

It may make things easier (also below) if the CA was always created and 
the kernel signing key was always signed by that CA rather than doing 
this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an 
opinion on that?


> @@ -95,19 +122,50 @@ $(obj)/x509.genkey:
>   	@echo >>$@ "keyUsage=digitalSignature"
>   	@echo >>$@ "subjectKeyIdentifier=hash"
>   	@echo >>$@ "authorityKeyIdentifier=keyid"
> +	@echo >>$@
> +	@echo >>$@ "[ ca_ext ]"
> +	@echo >>$@ "keyUsage=critical,keyCertSign"
> +	@echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0"
> +	@echo >>$@ "subjectKeyIdentifier=hash"
> +	@echo >>$@ "authorityKeyIdentifier=keyid"
>   endif # CONFIG_MODULE_SIG_KEY
>   
>   $(eval $(call config_filename,MODULE_SIG_KEY))
> +SUBJECT=CN = Build time autogenerated kernel key
> +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer)
>   
>   # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> +
> +# GCC PR#66871 again.
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +
> +# Remove existing keys if it is self-signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey))
> +CA_KEY = certs/ca_signing_key.pem
> +
> +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509
> +
> +targets += ca_signing_key.x509
> +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(CA_KEY))
> +
> +targets += signing_key.x509
> +$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> +else
> +
> +# Remove existing keys if it is CA signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))
> +
>   ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
>   X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
>   endif
>   
> -# GCC PR#66871 again.
>   $(obj)/system_certificates.o: $(obj)/signing_key.x509
>   
>   targets += signing_key.x509
> -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
> +$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE
>   	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> -endif # CONFIG_MODULE_SIG
> +
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +endif # SIGN_KEY
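
Review bot: `ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer)` is expanded while the Makefile is being parsed, so on a tree where certs/signing_key.crt does not exist yet openssl fails to open the file, and the two `$(shell rm -f ...)` calls then act on an empty ISSUER. In the non-IMA branch an empty ISSUER takes the delete path, which removes certs/signing_key.* and certs/x509.genkey whenever there is no .crt, including a signing_key.pem that this recipe did not generate. The substring test against `CN = Build time autogenerated kernel key` also depends on how the installed openssl formats the issuer line. Please move the stale-key check into a rule that first tests that the certificate exists, and do the deletion there rather than as a side effect of parsing. Separately, `$(obj)/ca_signing_key.x509` extracts from $(CA_KEY), but the CA is generated only inside the recipe guarded by CONFIG_MODULE_SIG_KEY being "certs/signing_key.pem", so IMA_APPRAISE_MODSIG with a different key setting has no CA file to extract from.
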
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index 8f29058adf93..e10043800a7e 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -8,8 +8,13 @@
>   	.globl system_certificate_list
>   system_certificate_list:
>   __cert_list_start:
> -#ifdef CONFIG_MODULE_SIG
> +__module_cert_start:
> +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
>   	.incbin "certs/signing_key.x509"
> +#endif
> +__module_cert_end:
> +#ifdef CONFIG_IMA_APPRAISE_MODSIG
> +	.incbin "certs/ca_signing_key.x509"
>   #endif
>   	.incbin "certs/x509_certificate_list"
>   __cert_list_end:
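
Review bot: Placing `.incbin "certs/signing_key.x509"` between __module_cert_start and __module_cert_end at the very top of the list is now a layout contract, because load_module_cert() in patch 5 reads from system_certificate_list for module_cert_size bytes. Please add a comment here saying that the module certificate must remain the first entry, so a later reordering of the .incbin lines does not silently load a different certificate onto the .ima keyring.
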
> @@ -35,3 +40,12 @@ system_certificate_list_size:
>   #else
>   	.long __cert_list_end - __cert_list_start
>   #endif
> +
> +	.align 8
> +	.globl module_cert_size
> +	module_cert_size:
> +#ifdef CONFIG_64BIT
> +	.quad __module_cert_end - __module_cert_start
> +#else
> +	.long __module_cert_end - __module_cert_start
> +#endif
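
Review bot: The `module_cert_size:` label is indented with a tab, unlike `system_certificate_list_size:` in the hunk header above it and the other labels in this file, which start in column 0. Please align it with the existing labels.
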




* Re: [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring
  2021-02-11 19:54 ` [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Nayna Jain
@ 2021-02-11 22:32   ` Stefan Berger
  2021-02-12 23:48   ` Jarkko Sakkinen
  1 sibling, 0 replies; 18+ messages in thread
From: Stefan Berger @ 2021-02-11 22:32 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List

On 2/11/21 2:54 PM, Nayna Jain wrote:
> The kernel currently only loads the kernel module signing key onto
> the builtin trusted keyring. To support IMA, load the module signing
> key selectively either onto builtin or ima keyring based on MODULE_SIG
> or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
> key onto builtin trusted keyring.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>   certs/system_keyring.c        | 56 +++++++++++++++++++++++++++--------
>   include/keys/system_keyring.h |  9 +++++-
>   security/integrity/digsig.c   |  4 +++
>   3 files changed, 55 insertions(+), 14 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 798291177186..0bbbe501f8a7 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -26,6 +26,7 @@ static struct key *platform_trusted_keys;
>   
>   extern __initconst const u8 system_certificate_list[];
>   extern __initconst const unsigned long system_certificate_list_size;
> +extern __initconst const unsigned long module_cert_size;
>   
>   /**
>    * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
> @@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void)
>    */
>   device_initcall(system_trusted_keyring_init);
>   
> -/*
> - * Load the compiled-in list of X.509 certificates.
> - */
> -static __init int load_system_certificate_list(void)
> +static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring,
> +			    unsigned long flags)
>   {
>   	key_ref_t key;
> -	const u8 *p, *end;
>   	size_t plen;
>   
> -	pr_notice("Loading compiled-in X.509 certificates\n");
> -
> -	p = system_certificate_list;
> -	end = p + system_certificate_list_size;
>   	while (p < end) {
>   		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
>   		 * than 256 bytes in size.
> @@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void)
>   		if (plen > end - p)
>   			goto dodgy_cert;
>   
> -		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
> +		key = key_create_or_update(make_key_ref(keyring, 1),
>   					   "asymmetric",
>   					   NULL,
>   					   p,
>   					   plen,
>   					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
>   					   KEY_USR_VIEW | KEY_USR_READ),
> -					   KEY_ALLOC_NOT_IN_QUOTA |
> -					   KEY_ALLOC_BUILT_IN |
> -					   KEY_ALLOC_BYPASS_RESTRICTION);
> +					   flags);
> +
>   		if (IS_ERR(key)) {
>   			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
>   			       PTR_ERR(key));
> @@ -185,6 +178,43 @@ static __init int load_system_certificate_list(void)
>   	pr_err("Problem parsing in-kernel X.509 certificate list\n");
>   	return 0;
>   }
> +
> +__init int load_module_cert(struct key *keyring, unsigned long flags)
> +{
> +	const u8 *p, *end;
> +
> +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
> +		return 0;
> +
> +	pr_notice("Loading compiled-in module X.509 certificates\n");
> +
> +	p = system_certificate_list;
> +	end = p + module_cert_size;
> +	load_cert(p, end, keyring, flags);
> +
> +	return 0;

See my comment below.


> +}
> +
> +/*
> + * Load the compiled-in list of X.509 certificates.
> + */
> +static __init int load_system_certificate_list(void)
> +{
> +	const u8 *p, *end;
> +
> +	pr_notice("Loading compiled-in X.509 certificates\n");
> +
> +#ifdef CONFIG_MODULE_SIG
> +	p = system_certificate_list;
> +#else
> +	p = system_certificate_list + module_cert_size;
> +#endif
> +	end = p + system_certificate_list_size;
> +	load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA |
> +						KEY_ALLOC_BUILT_IN |
> +						KEY_ALLOC_BYPASS_RESTRICTION);
> +	return 0;


The old load_system_certificate_list always returned 0 and the new 
load_cert also does. You could just do 'return load_cert(p, ...)' here 
and still get the 0.



> +}
>   late_initcall(load_system_certificate_list);
>   
>   #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
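
Review bot: In the new load_system_certificate_list(), `end = p + system_certificate_list_size;` is computed after p has been advanced by module_cert_size in the !CONFIG_MODULE_SIG case, so end lands module_cert_size bytes past the end of the embedded list and load_cert() goes on parsing whatever follows it. Derive the bound from the list base instead, for example `end = system_certificate_list + system_certificate_list_size;`, and only then adjust p.
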
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index fb8b07daa9d1..e91c03376599 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
>   					    const struct key_type *type,
>   					    const union key_payload *payload,
>   					    struct key *restriction_key);
> -
> +extern __init int load_module_cert(struct key *keyring, unsigned long flags);
>   #else
>   #define restrict_link_by_builtin_trusted restrict_link_reject
> +
> +static inline __init int load_module_cert(struct key *keyring,
> +					  unsigned long flags)
> +{
> +	return 0;
> +}
> +
>   #endif
>   
>   #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 0f518dcfde05..4009d1e33fe0 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id,
>   	} else {
>   		if (id == INTEGRITY_KEYRING_PLATFORM)
>   			set_platform_trusted_keys(keyring[id]);
> +		if (id == INTEGRITY_KEYRING_IMA)
> +			load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA);
>   	}
>   
> +	pr_info("Loading key to ima keyring\n");
> +
>   	return err;
>   }
>   
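
Review bot: `pr_info("Loading key to ima keyring\n");` is placed after the closing brace of the if/else, so it is printed for every keyring id that reaches __integrity_init_keyring(), whichever branch was taken, and not only when load_module_cert() runs for INTEGRITY_KEYRING_IMA. Move it inside the `id == INTEGRITY_KEYRING_IMA` branch or drop it, since load_module_cert() already logs with pr_notice(). The return value of load_module_cert() is also discarded at this call site.
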

Otherwise lgtm.




* Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
  2021-02-11 22:13   ` Stefan Berger
@ 2021-02-11 23:25     ` Mimi Zohar
  0 siblings, 0 replies; 18+ messages in thread
From: Mimi Zohar @ 2021-02-11 23:25 UTC (permalink / raw)
  To: Stefan Berger, Nayna Jain, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Linux Kernel Mailing List

On Thu, 2021-02-11 at 17:13 -0500, Stefan Berger wrote:
> On 2/11/21 2:54 PM, Nayna Jain wrote:
> > Certificates being loaded onto the IMA trusted keyring must be signed by
> > a key on either the builtin or secondary trusted keyring.
> >
> > This patch creates and includes in the kernel image an ephemeral CA
> > key, at build time when IMA_APPRAISE_MODSIG is enabled.
> >
> > Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> > ---

<snip>

> > diff --git a/certs/Makefile b/certs/Makefile
> 
> > @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
> >   	@$(kecho) "### needs to be run as root, and uses a hardware random"
> >   	@$(kecho) "### number generator if one is available."
> >   	@$(kecho) "###"
> > +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> > +	# Generate kernel build time CA Certificate.
> > +	@$(Q)openssl req -new -nodes -utf8 \
> > +		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> > +		-subj "/CN=Build time autogenerated kernel CA key" \
> > +		-batch -x509 -config $(obj)/x509.genkey \
> > +		-outform PEM -out $(CA_KEY) \
> > +		-keyout $(CA_KEY) -extensions ca_ext \
> > +		$($(quiet)redirect_openssl)
> > +endif # CONFIG_IMA_APPRAISE_MODSIG
> >   	$(Q)openssl req -new -nodes -utf8 \
> >   		-batch -config $(obj)/x509.genkey \
> >   		-outform PEM -out $(obj)/signing_key.csr \
> >   		-keyout $(obj)/signing_key.key -extensions myexts \
> >   		$($(quiet)redirect_openssl)
> >   	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> > -		-outform PEM -out $(obj)/signing_key.crt \
> > -		-signkey $(obj)/signing_key.key \
> > +		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
> >   		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
> >   		-extfile $(obj)/x509.genkey \
> >   		$($(quiet)redirect_openssl)
> 
> It may make things easier (also below) if the CA was always created and 
> the kernel signing key was always signed by that CA rather than doing 
> this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an 
> opinion on that?

Thanks, Stefan.  It would definitely simplify the code.  We wanted to
minimize the code change and solicit feedback, before making such a
change.

Mimi



* Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
  2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
  2021-02-11 22:13   ` Stefan Berger
@ 2021-02-12  3:30   ` kernel test robot
  2021-02-12  8:25   ` kernel test robot
  2 siblings, 0 replies; 18+ messages in thread
From: kernel test robot @ 2021-02-12  3:30 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: kbuild-all, linux-security-module, David Howells,
	Jarkko Sakkinen, Mimi Zohar, Linux Kernel Mailing List,
	Nayna Jain

[-- Attachment #1: Type: text/plain, Size: 2024 bytes --]

Hi Nayna,

I love your patch! Yet something to improve:

[auto build test ERROR on kbuild/for-next]
[also build test ERROR on integrity/next-integrity linus/master security/next-testing v5.11-rc7]
[cannot apply to next-20210211]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
base:   https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git for-next
config: nds32-allyesconfig (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/84acbcedcd14fe43bf648857b4642c9bf426afd4
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
        git checkout 84acbcedcd14fe43bf648857b4642c9bf426afd4
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=nds32 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   Can't open certs/signing_key.crt for reading, No such file or directory
>> 139789059654784:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('certs/signing_key.crt','r')
>> 139789059654784:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
   unable to load certificate

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 59712 bytes --]


* Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
  2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
  2021-02-11 22:13   ` Stefan Berger
  2021-02-12  3:30   ` kernel test robot
@ 2021-02-12  8:25   ` kernel test robot
  2 siblings, 0 replies; 18+ messages in thread
From: kernel test robot @ 2021-02-12  8:25 UTC (permalink / raw)
  To: Nayna Jain, linux-integrity, keyrings
  Cc: kbuild-all, clang-built-linux, linux-security-module,
	David Howells, Jarkko Sakkinen, Mimi Zohar,
	Linux Kernel Mailing List, Nayna Jain

[-- Attachment #1: Type: text/plain, Size: 2219 bytes --]

Hi Nayna,

I love your patch! Yet something to improve:

[auto build test ERROR on kbuild/for-next]
[also build test ERROR on integrity/next-integrity linus/master security/next-testing v5.11-rc7]
[cannot apply to next-20210211]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
base:   https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git for-next
config: x86_64-randconfig-a013-20210209 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project c9439ca36342fb6013187d0a69aef92736951476)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # https://github.com/0day-ci/linux/commit/84acbcedcd14fe43bf648857b4642c9bf426afd4
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
        git checkout 84acbcedcd14fe43bf648857b4642c9bf426afd4
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   Can't open certs/signing_key.crt for reading, No such file or directory
>> 140683809875072:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('certs/signing_key.crt','r')
>> 140683809875072:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
   unable to load certificate

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 36959 bytes --]


* Re: [PATCH 1/5] keys: cleanup build time module signing keys
  2021-02-11 21:57   ` Stefan Berger
@ 2021-02-12 21:33     ` Nayna
  0 siblings, 0 replies; 18+ messages in thread
From: Nayna @ 2021-02-12 21:33 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Linux Kernel Mailing List, Nayna Jain


On 2/11/21 4:57 PM, Stefan Berger wrote:
> On 2/11/21 2:54 PM, Nayna Jain wrote:
>> The "mrproper" target is still looking for build time generated keys
>> in the old path instead of certs/ directory.
>> This patch fixes the path as well as removes the names of the files which
>> are no longer generated.
>>
>> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
>> Fixes: 28a68f828266 ("modsign: Use single PEM file for autogenerated 
>> key")
> I was curious about some of the files and how they were created in the
> past but couldn't see it in the history of the Makefile. The above
> Fixes tag seems to give the wrong commit id:
>
>
> commit 28a68f828266754c2bd64b87873e8099e3f8fe0c
>
> Author: Dave Airlie <airlied@redhat.com>
> Date:   Thu Oct 29 13:59:45 2020 +1000
>
>     drm/radeon/ttm: use multihop
>

Thanks Stefan for noticing it. I will fix this in v2.

Thanks & Regards,

        - Nayna



* Re: [PATCH 1/5] keys: cleanup build time module signing keys
  2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
  2021-02-11 21:57   ` Stefan Berger
@ 2021-02-12 23:47   ` Jarkko Sakkinen
  1 sibling, 0 replies; 18+ messages in thread
From: Jarkko Sakkinen @ 2021-02-12 23:47 UTC (permalink / raw)
  To: Nayna Jain
  Cc: linux-integrity, keyrings, linux-security-module, David Howells,
	Jarkko Sakkinen, Mimi Zohar, Linux Kernel Mailing List

On Thu, Feb 11, 2021 at 02:54:31PM -0500, Nayna Jain wrote:
> The "mrproper" target is still looking for build time generated keys
> in the old path instead of certs/ directory.
> This patch fixes the path as well as removes the names of the files which
> are no longer generated.

"Fix the path..."

> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> Fixes: 28a68f828266 ("modsign: Use single PEM file for autogenerated key")

Swap the order.

/Jarkko

> ---
>  Makefile | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index ade44ac4cc2f..af18aab6bbee 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated          \
>  		  debian snap tar-install \
>  		  .config .config.old .version \
>  		  Module.symvers \
> -		  signing_key.pem signing_key.priv signing_key.x509	\
> -		  x509.genkey extra_certificates signing_key.x509.keyid	\
> -		  signing_key.x509.signer vmlinux-gdb.py \
> +		  certs/signing_key.pem certs/signing_key.x509 \
> +		  certs/x509.genkey \
> +		  vmlinux-gdb.py \
>  		  *.spec
>  
>  # Directories & files removed with 'make distclean'
> -- 
> 2.18.1
> 
> 


* Re: [PATCH 2/5] keys: generate self-signed module signing key using CSR
  2021-02-11 19:54 ` [PATCH 2/5] keys: generate self-signed module signing key using CSR Nayna Jain
  2021-02-11 22:01   ` Stefan Berger
@ 2021-02-12 23:47   ` Jarkko Sakkinen
  1 sibling, 0 replies; 18+ messages in thread
From: Jarkko Sakkinen @ 2021-02-12 23:47 UTC (permalink / raw)
  To: Nayna Jain
  Cc: linux-integrity, keyrings, linux-security-module, David Howells,
	Jarkko Sakkinen, Mimi Zohar, Linux Kernel Mailing List

On Thu, Feb 11, 2021 at 02:54:32PM -0500, Nayna Jain wrote:
> Loading a key on the IMA trusted keyring requires the key be signed
> by an existing key on the builtin or secondary trusted keyring.
> Creating a Certificate Signing Request (CSR) allows the certificate
> to be self-signed or signed by a CA.
> 
> This patch generates a self-signed module signing key using CSR.

"Generate ..."

/Jarkko

> 
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>  Makefile       |  3 ++-
>  certs/Makefile | 15 +++++++++++----
>  2 files changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index af18aab6bbee..9c87fdd600d8 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
>  		  .config .config.old .version \
>  		  Module.symvers \
>  		  certs/signing_key.pem certs/signing_key.x509 \
> -		  certs/x509.genkey \
> +		  certs/x509.genkey certs/signing_key.key \
> +		  certs/signing_key.crt certs/signing_key.csr \
>  		  vmlinux-gdb.py \
>  		  *.spec
>  
> diff --git a/certs/Makefile b/certs/Makefile
> index f4c25b67aad9..b2be7eb413d3 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>  	@$(kecho) "### needs to be run as root, and uses a hardware random"
>  	@$(kecho) "### number generator if one is available."
>  	@$(kecho) "###"
> -	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> -		-batch -x509 -config $(obj)/x509.genkey \
> -		-outform PEM -out $(obj)/signing_key.pem \
> -		-keyout $(obj)/signing_key.pem \
> +	$(Q)openssl req -new -nodes -utf8 \
> +		-batch -config $(obj)/x509.genkey \
> +		-outform PEM -out $(obj)/signing_key.csr \
> +		-keyout $(obj)/signing_key.key -extensions myexts \
>  		$($(quiet)redirect_openssl)
> +	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> +		-outform PEM -out $(obj)/signing_key.crt \
> +		-signkey $(obj)/signing_key.key \
> +		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
> +		-extfile $(obj)/x509.genkey \
> +		$($(quiet)redirect_openssl)
> +	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem
>  	@$(kecho) "###"
>  	@$(kecho) "### Key pair generated."
>  	@$(kecho) "###"
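
Review bot: The last added command, `@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem`, appends to the target instead of rewriting it. When the recipe reruns because x509.genkey is newer than an existing signing_key.pem, the new key and certificate end up after the old ones in the same file; use `>` so the bundle always holds exactly one key pair. The private key now also exists as a separate signing_key.key file, so that copy needs the same permission and cleanup handling as the bundle.
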
> -- 
> 2.18.1
> 
> 


* Re: [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring
  2021-02-11 19:54 ` [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Nayna Jain
  2021-02-11 22:32   ` Stefan Berger
@ 2021-02-12 23:48   ` Jarkko Sakkinen
  1 sibling, 0 replies; 18+ messages in thread
From: Jarkko Sakkinen @ 2021-02-12 23:48 UTC (permalink / raw)
  To: Nayna Jain
  Cc: linux-integrity, keyrings, linux-security-module, David Howells,
	Jarkko Sakkinen, Mimi Zohar, Linux Kernel Mailing List

On Thu, Feb 11, 2021 at 02:54:35PM -0500, Nayna Jain wrote:
> The kernel currently only loads the kernel module signing key onto
> the builtin trusted keyring. To support IMA, load the module signing
> key selectively either onto builtin or ima keyring based on MODULE_SIG
                                         ~~~
                                         IMA


> or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
> key onto builtin trusted keyring.
> 
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

/Jarkko

> ---
>  certs/system_keyring.c        | 56 +++++++++++++++++++++++++++--------
>  include/keys/system_keyring.h |  9 +++++-
>  security/integrity/digsig.c   |  4 +++
>  3 files changed, 55 insertions(+), 14 deletions(-)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 798291177186..0bbbe501f8a7 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -26,6 +26,7 @@ static struct key *platform_trusted_keys;
>  
>  extern __initconst const u8 system_certificate_list[];
>  extern __initconst const unsigned long system_certificate_list_size;
> +extern __initconst const unsigned long module_cert_size;
>  
>  /**
>   * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
> @@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void)
>   */
>  device_initcall(system_trusted_keyring_init);
>  
> -/*
> - * Load the compiled-in list of X.509 certificates.
> - */
> -static __init int load_system_certificate_list(void)
> +static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring,
> +			    unsigned long flags)
>  {
>  	key_ref_t key;
> -	const u8 *p, *end;
>  	size_t plen;
>  
> -	pr_notice("Loading compiled-in X.509 certificates\n");
> -
> -	p = system_certificate_list;
> -	end = p + system_certificate_list_size;
>  	while (p < end) {
>  		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
>  		 * than 256 bytes in size.
> @@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void)
>  		if (plen > end - p)
>  			goto dodgy_cert;
>  
> -		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
> +		key = key_create_or_update(make_key_ref(keyring, 1),
>  					   "asymmetric",
>  					   NULL,
>  					   p,
>  					   plen,
>  					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
>  					   KEY_USR_VIEW | KEY_USR_READ),
> -					   KEY_ALLOC_NOT_IN_QUOTA |
> -					   KEY_ALLOC_BUILT_IN |
> -					   KEY_ALLOC_BYPASS_RESTRICTION);
> +					   flags);
> +
>  		if (IS_ERR(key)) {
>  			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
>  			       PTR_ERR(key));
> @@ -185,6 +178,43 @@ static __init int load_system_certificate_list(void)
>  	pr_err("Problem parsing in-kernel X.509 certificate list\n");
>  	return 0;
>  }
> +
> +__init int load_module_cert(struct key *keyring, unsigned long flags)
> +{
> +	const u8 *p, *end;
> +
> +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
> +		return 0;
> +
> +	pr_notice("Loading compiled-in module X.509 certificates\n");
> +
> +	p = system_certificate_list;
> +	end = p + module_cert_size;
> +	load_cert(p, end, keyring, flags);
> +
> +	return 0;
> +}
> +
> +/*
> + * Load the compiled-in list of X.509 certificates.
> + */
> +static __init int load_system_certificate_list(void)
> +{
> +	const u8 *p, *end;
> +
> +	pr_notice("Loading compiled-in X.509 certificates\n");
> +
> +#ifdef CONFIG_MODULE_SIG
> +	p = system_certificate_list;
> +#else
> +	p = system_certificate_list + module_cert_size;
> +#endif
> +	end = p + system_certificate_list_size;
> +	load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA |
> +						KEY_ALLOC_BUILT_IN |
> +						KEY_ALLOC_BYPASS_RESTRICTION);
> +	return 0;
> +}
>  late_initcall(load_system_certificate_list);
>  
>  #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
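
Review bot: load_module_cert() tests only CONFIG_IMA_APPRAISE_MODSIG, and load_system_certificate_list() starts at the beginning of the list under `#ifdef CONFIG_MODULE_SIG`, so with both options enabled the module signing certificate is added to the .ima keyring and to the builtin trusted keyring, while the commit message says it is loaded selectively onto one or the other. Either state in the commit message and a code comment that loading onto both is intended, or skip the module range in load_system_certificate_list() when it is loaded onto .ima. load_module_cert() is non-static and would also benefit from a kernel-doc comment describing the keyring and flags arguments.
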
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index fb8b07daa9d1..e91c03376599 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
>  					    const struct key_type *type,
>  					    const union key_payload *payload,
>  					    struct key *restriction_key);
> -
> +extern __init int load_module_cert(struct key *keyring, unsigned long flags);
>  #else
>  #define restrict_link_by_builtin_trusted restrict_link_reject
> +
> +static inline __init int load_module_cert(struct key *keyring,
> +					  unsigned long flags)
> +{
> +	return 0;
> +}
> +
>  #endif
>  
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 0f518dcfde05..4009d1e33fe0 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id,
>  	} else {
>  		if (id == INTEGRITY_KEYRING_PLATFORM)
>  			set_platform_trusted_keys(keyring[id]);
> +		if (id == INTEGRITY_KEYRING_IMA)
> +			load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA);
>  	}
>  
> +	pr_info("Loading key to ima keyring\n");
> +
>  	return err;
>  }
>  
> -- 
> 2.18.1
> 
> 


* Re: [PATCH 2/5] keys: generate self-signed module signing key using CSR
  2021-02-11 22:01   ` Stefan Berger
@ 2021-02-18 22:02     ` Nayna
  0 siblings, 0 replies; 18+ messages in thread
From: Nayna @ 2021-02-18 22:02 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity, keyrings
  Cc: linux-security-module, David Howells, Jarkko Sakkinen,
	Mimi Zohar, Nayna Jain, Linux Kernel Mailing List


On 2/11/21 5:01 PM, Stefan Berger wrote:
> On 2/11/21 2:54 PM, Nayna Jain wrote:
>> Loading a key on the IMA trusted keyring requires the key be signed
>> by an existing key on the builtin or secondary trusted keyring.
>> Creating a Certificate Signing Request (CSR) allows the certificate
>> to be self-signed or signed by a CA.
>>
>> This patch generates a self-signed module signing key using CSR.
>>
>> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
>> ---
>>   Makefile       |  3 ++-
>>   certs/Makefile | 15 +++++++++++----
>>   2 files changed, 13 insertions(+), 5 deletions(-)
>>
>> diff --git a/Makefile b/Makefile
>> index af18aab6bbee..9c87fdd600d8 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config 
>> include/generated          \
>>             .config .config.old .version \
>>             Module.symvers \
>>             certs/signing_key.pem certs/signing_key.x509 \
>> -          certs/x509.genkey \
>> +          certs/x509.genkey certs/signing_key.key \
>> +          certs/signing_key.crt certs/signing_key.csr \
>>             vmlinux-gdb.py \
>>             *.spec
>>   diff --git a/certs/Makefile b/certs/Makefile
>> index f4c25b67aad9..b2be7eb413d3 100644
>> --- a/certs/Makefile
>> +++ b/certs/Makefile
>> @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>>       @$(kecho) "### needs to be run as root, and uses a hardware 
>> random"
>>       @$(kecho) "### number generator if one is available."
>>       @$(kecho) "###"
>> -    $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) 
>> -days 36500 \
>> -        -batch -x509 -config $(obj)/x509.genkey \
>> -        -outform PEM -out $(obj)/signing_key.pem \
>> -        -keyout $(obj)/signing_key.pem \
>> +    $(Q)openssl req -new -nodes -utf8 \
>> +        -batch -config $(obj)/x509.genkey \
>> +        -outform PEM -out $(obj)/signing_key.csr \
>> +        -keyout $(obj)/signing_key.key -extensions myexts \
>>           $($(quiet)redirect_openssl)
>> +    $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
>> +        -outform PEM -out $(obj)/signing_key.crt \
>> +        -signkey $(obj)/signing_key.key \
>> +        -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
>> +        -extfile $(obj)/x509.genkey \
>> +        $($(quiet)redirect_openssl)
>> +    @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> 
>> $(obj)/signing_key.pem
>
>
> Could you not just rename signing_key.key to signing_key.pem (as it 
> was before) and that would be it? Why do you need the .crt in that pem 
> bundle?

I had also thought so, but the PEM file contains both the private key 
and the certificate. I found the reasoning in the commit "fb1179499134 
modsign: Use single PEM file for autogenerated key". I addressed your 
other feedback in v2, posted just now.

Thanks & Regards,

       - Nayna


