[PATCH v2 0/5] ima: kernel build support for loading the kernel module signing key

[PATCH v2 0/5] ima: kernel build support for loading the kernel module signing key

[Nayna Jain]

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring.  On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings.  This series of patches enables IMA
verification of signed kernel modules by:

* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto the .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.

* Enable module signing at build time for IMA_APPRAISE_MODSIG as well

v2:

* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.

Nayna Jain (5):
  keys: cleanup build time module signing keys
  keys: generate self-signed module signing key using CSR
  ima: update kernel module signing process during build
  keys: define build time generated ephemeral kernel CA key
  ima: enable loading of build time generated key on .ima keyring

 Makefile                      |  9 ++--
 certs/Kconfig                 |  2 +-
 certs/Makefile                | 77 ++++++++++++++++++++++++++++++++---
 certs/system_certificates.S   | 16 +++++++-
 certs/system_keyring.c        | 55 +++++++++++++++++++------
 include/keys/system_keyring.h |  9 +++-
 init/Kconfig                  |  6 +--
 security/integrity/digsig.c   |  4 ++
 8 files changed, 150 insertions(+), 28 deletions(-)

-- 
2.29.2

[PATCH v2 1/5] keys: cleanup build time module signing keys

[Nayna Jain]

The "mrproper" target is still looking for build time generated keys in
the old path instead of certs/ directory. Fix the path and remove the
names of the files which are no longer generated.

Fixes: fb1179499134 ("modsign: Use single PEM file for autogenerated key")
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index de1acaefe87e..004163a4e6b3 100644
--- a/Makefile
+++ b/Makefile
@@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated          \
 		  debian snap tar-install \
 		  .config .config.old .version \
 		  Module.symvers \
-		  signing_key.pem signing_key.priv signing_key.x509	\
-		  x509.genkey extra_certificates signing_key.x509.keyid	\
-		  signing_key.x509.signer vmlinux-gdb.py \
+		  certs/signing_key.pem certs/signing_key.x509 \
+		  certs/x509.genkey \
+		  vmlinux-gdb.py \
 		  *.spec
 
 # Directories & files removed with 'make distclean'
-- 
2.29.2

Re: [PATCH v2 1/5] keys: cleanup build time module signing keys

[Stefan Berger]

On 2/18/21 5:00 PM, Nayna Jain wrote:
> The "mrproper" target is still looking for build time generated keys in
> the old path instead of certs/ directory. Fix the path and remove the
> names of the files which are no longer generated.
>
> Fixes: fb1179499134 ("modsign: Use single PEM file for autogenerated key")
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

The actual move of the certs files happened in cfc411e7fff3e15. That may 
be the better commit to mention.

Otherwise:

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>


> ---
>   Makefile | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index de1acaefe87e..004163a4e6b3 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated          \
>   		  debian snap tar-install \
>   		  .config .config.old .version \
>   		  Module.symvers \
> -		  signing_key.pem signing_key.priv signing_key.x509	\
> -		  x509.genkey extra_certificates signing_key.x509.keyid	\
> -		  signing_key.x509.signer vmlinux-gdb.py \
> +		  certs/signing_key.pem certs/signing_key.x509 \
> +		  certs/x509.genkey \
> +		  vmlinux-gdb.py \
>   		  *.spec
>   
>   # Directories & files removed with 'make distclean'

[PATCH v2 2/5] keys: generate self-signed module signing key using CSR

[Nayna Jain]

Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self-signed or signed by a CA.

Generate a self-signed module signing key using CSR.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 Makefile       |  3 ++-
 certs/Makefile | 15 +++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 004163a4e6b3..a971d4ae40bd 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
 		  .config .config.old .version \
 		  Module.symvers \
 		  certs/signing_key.pem certs/signing_key.x509 \
-		  certs/x509.genkey \
+		  certs/x509.genkey certs/signing_key.key \
+		  certs/signing_key.crt certs/signing_key.csr \
 		  vmlinux-gdb.py \
 		  *.spec
 
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..b2be7eb413d3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "### needs to be run as root, and uses a hardware random"
 	@$(kecho) "### number generator if one is available."
 	@$(kecho) "###"
-	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-		-batch -x509 -config $(obj)/x509.genkey \
-		-outform PEM -out $(obj)/signing_key.pem \
-		-keyout $(obj)/signing_key.pem \
+	$(Q)openssl req -new -nodes -utf8 \
+		-batch -config $(obj)/x509.genkey \
+		-outform PEM -out $(obj)/signing_key.csr \
+		-keyout $(obj)/signing_key.key -extensions myexts \
 		$($(quiet)redirect_openssl)
+	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
+		-outform PEM -out $(obj)/signing_key.crt \
+		-signkey $(obj)/signing_key.key \
+		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
+		-extfile $(obj)/x509.genkey \
+		$($(quiet)redirect_openssl)
+	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem
 	@$(kecho) "###"
 	@$(kecho) "### Key pair generated."
 	@$(kecho) "###"
-- 
2.29.2

Re: [PATCH v2 2/5] keys: generate self-signed module signing key using CSR

[Stefan Berger]

On 2/18/21 5:00 PM, Nayna Jain wrote:
> Loading a key on the IMA trusted keyring requires the key be signed
> by an existing key on the builtin or secondary trusted keyring.
> Creating a Certificate Signing Request (CSR) allows the certificate
> to be self-signed or signed by a CA.
>
> Generate a self-signed module signing key using CSR.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

Tested this also as part of a patch I am going to post.

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>


> ---
>   Makefile       |  3 ++-
>   certs/Makefile | 15 +++++++++++----
>   2 files changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 004163a4e6b3..a971d4ae40bd 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated          \
>   		  .config .config.old .version \
>   		  Module.symvers \
>   		  certs/signing_key.pem certs/signing_key.x509 \
> -		  certs/x509.genkey \
> +		  certs/x509.genkey certs/signing_key.key \
> +		  certs/signing_key.crt certs/signing_key.csr \
>   		  vmlinux-gdb.py \
>   		  *.spec
>   
> diff --git a/certs/Makefile b/certs/Makefile
> index f4c25b67aad9..b2be7eb413d3 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "### needs to be run as root, and uses a hardware random"
>   	@$(kecho) "### number generator if one is available."
>   	@$(kecho) "###"
> -	$(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> -		-batch -x509 -config $(obj)/x509.genkey \
> -		-outform PEM -out $(obj)/signing_key.pem \
> -		-keyout $(obj)/signing_key.pem \
> +	$(Q)openssl req -new -nodes -utf8 \
> +		-batch -config $(obj)/x509.genkey \
> +		-outform PEM -out $(obj)/signing_key.csr \
> +		-keyout $(obj)/signing_key.key -extensions myexts \
>   		$($(quiet)redirect_openssl)
> +	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> +		-outform PEM -out $(obj)/signing_key.crt \
> +		-signkey $(obj)/signing_key.key \
> +		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
> +		-extfile $(obj)/x509.genkey \
> +		$($(quiet)redirect_openssl)
> +	@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem
>   	@$(kecho) "###"
>   	@$(kecho) "### Key pair generated."
>   	@$(kecho) "###"

[PATCH v2 3/5] ima: update kernel module signing process during build

[Nayna Jain]

The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 certs/Kconfig | 2 +-
 init/Kconfig  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
 config MODULE_SIG_KEY
 	string "File name or PKCS#11 URI of module signing key"
 	default "certs/signing_key.pem"
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
          Provide the file name of a private key/certificate in PEM format,
          or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/init/Kconfig b/init/Kconfig
index 29ad68325028..68147bbda5f9 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2162,7 +2162,7 @@ config MODULE_SIG_FORCE
 config MODULE_SIG_ALL
 	bool "Automatically sign all modules"
 	default y
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
 	  Sign all modules during make modules_install. Without this option,
 	  modules must be signed manually, using the scripts/sign-file tool.
@@ -2172,7 +2172,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
 
 choice
 	prompt "Which hash algorithm should modules be signed with?"
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
 	  This determines which sort of hashing algorithm will be used during
 	  signature generation.  This algorithm _must_ be built into the kernel
@@ -2204,7 +2204,7 @@ endchoice
 
 config MODULE_SIG_HASH
 	string
-	depends on MODULE_SIG
+	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	default "sha1" if MODULE_SIG_SHA1
 	default "sha224" if MODULE_SIG_SHA224
 	default "sha256" if MODULE_SIG_SHA256
-- 
2.29.2

Re: [PATCH v2 3/5] ima: update kernel module signing process during build

[Stefan Berger]

On 2/18/21 5:00 PM, Nayna Jain wrote:
> The kernel build process currently only signs kernel modules when
> MODULE_SIG is enabled. Also, sign the kernel modules at build time when
> IMA_APPRAISE_MODSIG is enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

[PATCH v2 4/5] keys: define build time generated ephemeral kernel CA key

[Nayna Jain]

Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin or secondary trusted keyring. Create and
include in the kernel image an ephemeral CA key at build time when
IMA_APPRAISE_MODSIG is enabled.

Reported-by: kernel test robot <lkp@intel.com> (redirect openssl stderr)
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 Makefile                    |  2 ++
 certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
 certs/system_certificates.S | 16 ++++++++-
 3 files changed, 80 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index a971d4ae40bd..15e8344836b1 100644
--- a/Makefile
+++ b/Makefile
@@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated          \
 		  certs/signing_key.pem certs/signing_key.x509 \
 		  certs/x509.genkey certs/signing_key.key \
 		  certs/signing_key.crt certs/signing_key.csr \
+		  certs/ca_signing_key.pem certs/ca_signing_key.x509 \
+		  certs/ca_signing_key.srl \
 		  vmlinux-gdb.py \
 		  *.spec
 
diff --git a/certs/Makefile b/certs/Makefile
index b2be7eb413d3..3fe6b73786fa 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
 clean-files := x509_certificate_list .x509.list
 
 ifeq ($(CONFIG_MODULE_SIG),y)
+SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+SIGN_KEY = y
+endif
+
+ifdef SIGN_KEY
 ###############################################################################
 #
 # If module signing is requested, say by allyesconfig, but a key has not been
@@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+# openssl arguments for CA Signed certificate.
+CA_KEY = certs/ca_signing_key.pem
+SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial
+else
+# openssl arguments for Self Signed certificate.
+SIGNER = -signkey $(obj)/signing_key.key
+endif # CONFIG_IMA_APPRAISE_MODSIG
+
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
@@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "### needs to be run as root, and uses a hardware random"
 	@$(kecho) "### number generator if one is available."
 	@$(kecho) "###"
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+	# Generate kernel build time CA Certificate.
+	@$(Q)openssl req -new -nodes -utf8 \
+		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
+		-subj "/CN=Build time autogenerated kernel CA key" \
+		-batch -x509 -config $(obj)/x509.genkey \
+		-outform PEM -out $(CA_KEY) \
+		-keyout $(CA_KEY) -extensions ca_ext \
+		$($(quiet)redirect_openssl)
+endif # CONFIG_IMA_APPRAISE_MODSIG
 	$(Q)openssl req -new -nodes -utf8 \
 		-batch -config $(obj)/x509.genkey \
 		-outform PEM -out $(obj)/signing_key.csr \
 		-keyout $(obj)/signing_key.key -extensions myexts \
 		$($(quiet)redirect_openssl)
 	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
-		-outform PEM -out $(obj)/signing_key.crt \
-		-signkey $(obj)/signing_key.key \
+		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
 		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
 		-extfile $(obj)/x509.genkey \
 		$($(quiet)redirect_openssl)
@@ -95,19 +122,50 @@ $(obj)/x509.genkey:
 	@echo >>$@ "keyUsage=digitalSignature"
 	@echo >>$@ "subjectKeyIdentifier=hash"
 	@echo >>$@ "authorityKeyIdentifier=keyid"
+	@echo >>$@
+	@echo >>$@ "[ ca_ext ]"
+	@echo >>$@ "keyUsage=critical,keyCertSign"
+	@echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0"
+	@echo >>$@ "subjectKeyIdentifier=hash"
+	@echo >>$@ "authorityKeyIdentifier=keyid"
 endif # CONFIG_MODULE_SIG_KEY
 
 $(eval $(call config_filename,MODULE_SIG_KEY))
+SUBJECT=CN = Build time autogenerated kernel key
+ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer $($(quiet)redirect_openssl))
 
 # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
+
+# GCC PR#66871 again.
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+
+# Remove existing keys if it is self-signed.
+$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey))
+CA_KEY = certs/ca_signing_key.pem
+
+$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509
+
+targets += ca_signing_key.x509
+$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE
+	$(call if_changed,extract_certs,$(CA_KEY))
+
+targets += signing_key.x509
+$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE
+	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
+else
+
+# Remove existing keys if it is CA signed.
+$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))
+
 ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
 X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
 endif
 
-# GCC PR#66871 again.
 $(obj)/system_certificates.o: $(obj)/signing_key.x509
 
 targets += signing_key.x509
-$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
+$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE
 	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
-endif # CONFIG_MODULE_SIG
+
+endif # CONFIG_IMA_APPRAISE_MODSIG
+endif # SIGN_KEY
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index 8f29058adf93..e10043800a7e 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -8,8 +8,13 @@
 	.globl system_certificate_list
 system_certificate_list:
 __cert_list_start:
-#ifdef CONFIG_MODULE_SIG
+__module_cert_start:
+#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
 	.incbin "certs/signing_key.x509"
+#endif
+__module_cert_end:
+#ifdef CONFIG_IMA_APPRAISE_MODSIG
+	.incbin "certs/ca_signing_key.x509"
 #endif
 	.incbin "certs/x509_certificate_list"
 __cert_list_end:
@@ -35,3 +40,12 @@ system_certificate_list_size:
 #else
 	.long __cert_list_end - __cert_list_start
 #endif
+
+	.align 8
+	.globl module_cert_size
+	module_cert_size:
+#ifdef CONFIG_64BIT
+	.quad __module_cert_end - __module_cert_start
+#else
+	.long __module_cert_end - __module_cert_start
+#endif
-- 
2.29.2

Re: [PATCH v2 4/5] keys: define build time generated ephemeral kernel CA key

[Stefan Berger]

On 2/18/21 5:00 PM, Nayna Jain wrote:
> Certificates being loaded onto the IMA trusted keyring must be signed by
> a key on either the builtin or secondary trusted keyring. Create and
> include in the kernel image an ephemeral CA key at build time when
> IMA_APPRAISE_MODSIG is enabled.
>
> Reported-by: kernel test robot <lkp@intel.com> (redirect openssl stderr)
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>   Makefile                    |  2 ++
>   certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
>   certs/system_certificates.S | 16 ++++++++-
>   3 files changed, 80 insertions(+), 6 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index a971d4ae40bd..15e8344836b1 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated          \
>   		  certs/signing_key.pem certs/signing_key.x509 \
>   		  certs/x509.genkey certs/signing_key.key \
>   		  certs/signing_key.crt certs/signing_key.csr \
> +		  certs/ca_signing_key.pem certs/ca_signing_key.x509 \
> +		  certs/ca_signing_key.srl \
>   		  vmlinux-gdb.py \
>   		  *.spec
>   
> diff --git a/certs/Makefile b/certs/Makefile
> index b2be7eb413d3..3fe6b73786fa 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
>   clean-files := x509_certificate_list .x509.list
>   
>   ifeq ($(CONFIG_MODULE_SIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifdef SIGN_KEY
>   ###############################################################################
>   #
>   # If module signing is requested, say by allyesconfig, but a key has not been
> @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null
>   # external private key, because 'make randconfig' might enable such a
>   # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
>   ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +# openssl arguments for CA Signed certificate.
> +CA_KEY = certs/ca_signing_key.pem
> +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial
> +else
> +# openssl arguments for Self Signed certificate.
> +SIGNER = -signkey $(obj)/signing_key.key
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +
>   $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "###"
>   	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
> @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "### needs to be run as root, and uses a hardware random"
>   	@$(kecho) "### number generator if one is available."
>   	@$(kecho) "###"
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +	# Generate kernel build time CA Certificate.
> +	@$(Q)openssl req -new -nodes -utf8 \
> +		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> +		-subj "/CN=Build time autogenerated kernel CA key" \
> +		-batch -x509 -config $(obj)/x509.genkey \
> +		-outform PEM -out $(CA_KEY) \
> +		-keyout $(CA_KEY) -extensions ca_ext \
> +		$($(quiet)redirect_openssl)
> +endif # CONFIG_IMA_APPRAISE_MODSIG
>   	$(Q)openssl req -new -nodes -utf8 \
>   		-batch -config $(obj)/x509.genkey \
>   		-outform PEM -out $(obj)/signing_key.csr \
>   		-keyout $(obj)/signing_key.key -extensions myexts \
>   		$($(quiet)redirect_openssl)
>   	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> -		-outform PEM -out $(obj)/signing_key.crt \
> -		-signkey $(obj)/signing_key.key \
> +		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
>   		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
>   		-extfile $(obj)/x509.genkey \
>   		$($(quiet)redirect_openssl)
> @@ -95,19 +122,50 @@ $(obj)/x509.genkey:
>   	@echo >>$@ "keyUsage=digitalSignature"
>   	@echo >>$@ "subjectKeyIdentifier=hash"
>   	@echo >>$@ "authorityKeyIdentifier=keyid"
> +	@echo >>$@
> +	@echo >>$@ "[ ca_ext ]"
> +	@echo >>$@ "keyUsage=critical,keyCertSign"
> +	@echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0"
> +	@echo >>$@ "subjectKeyIdentifier=hash"
> +	@echo >>$@ "authorityKeyIdentifier=keyid"
>   endif # CONFIG_MODULE_SIG_KEY
>   
>   $(eval $(call config_filename,MODULE_SIG_KEY))
> +SUBJECT=CN = Build time autogenerated kernel key
> +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer $($(quiet)redirect_openssl))
>   
>   # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> +
> +# GCC PR#66871 again.
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +
> +# Remove existing keys if it is self-signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey))
> +CA_KEY = certs/ca_signing_key.pem
> +
> +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509
> +
> +targets += ca_signing_key.x509
> +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(CA_KEY))
> +
> +targets += signing_key.x509
> +$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> +else
> +
> +# Remove existing keys if it is CA signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))
> +
>   ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
>   X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
>   endif
>   
> -# GCC PR#66871 again.

I think you should keep this comment at this place here.


>   $(obj)/system_certificates.o: $(obj)/signing_key.x509
>   
>   targets += signing_key.x509
> -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
> +$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE
>   	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> -endif # CONFIG_MODULE_SIG
> +
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +endif # SIGN_KEY
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index 8f29058adf93..e10043800a7e 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -8,8 +8,13 @@
>   	.globl system_certificate_list
>   system_certificate_list:
>   __cert_list_start:
> -#ifdef CONFIG_MODULE_SIG
> +__module_cert_start:
> +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
>   	.incbin "certs/signing_key.x509"
> +#endif
> +__module_cert_end:
> +#ifdef CONFIG_IMA_APPRAISE_MODSIG
> +	.incbin "certs/ca_signing_key.x509"
>   #endif
>   	.incbin "certs/x509_certificate_list"
>   __cert_list_end:
> @@ -35,3 +40,12 @@ system_certificate_list_size:
>   #else
>   	.long __cert_list_end - __cert_list_start
>   #endif
> +
> +	.align 8
> +	.globl module_cert_size
> +	module_cert_size:
> +#ifdef CONFIG_64BIT
> +	.quad __module_cert_end - __module_cert_start
> +#else
> +	.long __module_cert_end - __module_cert_start
> +#endif

[PATCH v2 5/5] ima: enable loading of build time generated key on .ima keyring

[Nayna Jain]

The kernel currently only loads the kernel module signing key onto
the builtin trusted keyring. To support IMA, load the module signing
key selectively either onto the builtin or IMA keyring based on MODULE_SIG
or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
key onto the builtin trusted keyring.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 certs/system_keyring.c        | 55 ++++++++++++++++++++++++++---------
 include/keys/system_keyring.h |  9 +++++-
 security/integrity/digsig.c   |  4 +++
 3 files changed, 54 insertions(+), 14 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 798291177186..ea3826627729 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -26,6 +26,7 @@ static struct key *platform_trusted_keys;
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
 
 /**
  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void)
  */
 device_initcall(system_trusted_keyring_init);
 
-/*
- * Load the compiled-in list of X.509 certificates.
- */
-static __init int load_system_certificate_list(void)
+static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring,
+			    unsigned long flags)
 {
 	key_ref_t key;
-	const u8 *p, *end;
 	size_t plen;
 
-	pr_notice("Loading compiled-in X.509 certificates\n");
-
-	p = system_certificate_list;
-	end = p + system_certificate_list_size;
 	while (p < end) {
 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 		 * than 256 bytes in size.
@@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void)
 		if (plen > end - p)
 			goto dodgy_cert;
 
-		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
+		key = key_create_or_update(make_key_ref(keyring, 1),
 					   "asymmetric",
 					   NULL,
 					   p,
 					   plen,
 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 					   KEY_USR_VIEW | KEY_USR_READ),
-					   KEY_ALLOC_NOT_IN_QUOTA |
-					   KEY_ALLOC_BUILT_IN |
-					   KEY_ALLOC_BYPASS_RESTRICTION);
+					   flags);
+
 		if (IS_ERR(key)) {
 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 			       PTR_ERR(key));
@@ -185,6 +178,42 @@ static __init int load_system_certificate_list(void)
 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
 	return 0;
 }
+
+__init int load_module_cert(struct key *keyring, unsigned long flags)
+{
+	const u8 *p, *end;
+
+	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+		return 0;
+
+	pr_notice("Loading compiled-in module X.509 certificates\n");
+
+	p = system_certificate_list;
+	end = p + module_cert_size;
+
+	return load_cert(p, end, keyring, flags);
+}
+
+/*
+ * Load the compiled-in list of X.509 certificates.
+ */
+static __init int load_system_certificate_list(void)
+{
+	const u8 *p, *end;
+
+	pr_notice("Loading compiled-in X.509 certificates\n");
+
+#ifdef CONFIG_MODULE_SIG
+	p = system_certificate_list;
+#else
+	p = system_certificate_list + module_cert_size;
+#endif
+	end = p + system_certificate_list_size;
+
+	return load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA |
+						KEY_ALLOC_BUILT_IN |
+						KEY_ALLOC_BYPASS_RESTRICTION);
+}
 late_initcall(load_system_certificate_list);
 
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index fb8b07daa9d1..e91c03376599 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
 					    const struct key_type *type,
 					    const union key_payload *payload,
 					    struct key *restriction_key);
-
+extern __init int load_module_cert(struct key *keyring, unsigned long flags);
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
+
+static inline __init int load_module_cert(struct key *keyring,
+					  unsigned long flags)
+{
+	return 0;
+}
+
 #endif
 
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0f518dcfde05..4009d1e33fe0 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id,
 	} else {
 		if (id == INTEGRITY_KEYRING_PLATFORM)
 			set_platform_trusted_keys(keyring[id]);
+		if (id == INTEGRITY_KEYRING_IMA)
+			load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA);
 	}
 
+	pr_info("Loading key to ima keyring\n");
+
 	return err;
 }
 
-- 
2.29.2

Re: [PATCH v2 5/5] ima: enable loading of build time generated key on .ima keyring

[Mimi Zohar]

On Thu, 2021-02-18 at 17:00 -0500, Nayna Jain wrote:
> The kernel currently only loads the kernel module signing key onto
> the builtin trusted keyring. To support IMA, load the module signing
> key selectively either onto the builtin or IMA keyring based on MODULE_SIG
> or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
> key onto the builtin trusted keyring.
> 
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

Always having a CA key would simplify the code.   Otherwise for the
patch set,

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Re: [PATCH v2 5/5] ima: enable loading of build time generated key on .ima keyring

[Stefan Berger]

On 2/18/21 5:00 PM, Nayna Jain wrote:
> The kernel currently only loads the kernel module signing key onto
> the builtin trusted keyring. To support IMA, load the module signing
> key selectively either onto the builtin or IMA keyring based on MODULE_SIG
> or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
> key onto the builtin trusted keyring.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>


Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>