From: Stefan Berger <stefanb@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
Date: Thu, 11 Feb 2021 17:13:49 -0500
Message-ID: <90213e4d-4c47-aec3-46f2-4b8e4ce0838f@linux.ibm.com>
In-Reply-To: <20210211195435.135582-5-nayna@linux.ibm.com>

On 2/11/21 2:54 PM, Nayna Jain wrote:
> Certificates being loaded onto the IMA trusted keyring must be signed by
> a key on either the builtin or secondary trusted keyring.
>
> This patch creates and includes in the kernel image an ephemeral CA
> key, at build time when IMA_APPRAISE_MODSIG is enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>   Makefile                    |  2 ++
>   certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
>   certs/system_certificates.S | 16 ++++++++-
>   3 files changed, 80 insertions(+), 6 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 9c87fdd600d8..a1d4b0a1745e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated          \
>   		  certs/signing_key.pem certs/signing_key.x509 \
>   		  certs/x509.genkey certs/signing_key.key \
>   		  certs/signing_key.crt certs/signing_key.csr \
> +		  certs/ca_signing_key.pem certs/ca_signing_key.x509 \
> +		  certs/ca_signing_key.srl \
>   		  vmlinux-gdb.py \
>   		  *.spec
>   
> diff --git a/certs/Makefile b/certs/Makefile
> index b2be7eb413d3..c3592ba63a05 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
>   clean-files := x509_certificate_list .x509.list
>   
>   ifeq ($(CONFIG_MODULE_SIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +SIGN_KEY = y
> +endif
> +
> +ifdef SIGN_KEY
>   ###############################################################################
>   #
>   # If module signing is requested, say by allyesconfig, but a key has not been
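Review bot: the comment block that begins `# If module signing is requested, say by allyesconfig, but a key has not been` still describes only CONFIG_MODULE_SIG, but the new `ifdef SIGN_KEY` guard in this hunk also covers CONFIG_IMA_APPRAISE_MODSIG; update the comment to say the key pair is generated when either option is set, so a reader does not have to trace SIGN_KEY back to the two `ifeq` blocks above it.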
> @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null
>   # external private key, because 'make randconfig' might enable such a
>   # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
>   ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +# openssl arguments for CA Signed certificate.
> +CA_KEY = certs/ca_signing_key.pem
> +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial
> +else
> +# openssl arguments for Self Signed certificate.
> +SIGNER = -signkey $(obj)/signing_key.key
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +
>   $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "###"
>   	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
> @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>   	@$(kecho) "### needs to be run as root, and uses a hardware random"
>   	@$(kecho) "### number generator if one is available."
>   	@$(kecho) "###"
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +	# Generate kernel build time CA Certificate.
> +	@$(Q)openssl req -new -nodes -utf8 \
> +		-$(CONFIG_MODULE_SIG_HASH) -days 36500 \
> +		-subj "/CN=Build time autogenerated kernel CA key" \
> +		-batch -x509 -config $(obj)/x509.genkey \
> +		-outform PEM -out $(CA_KEY) \
> +		-keyout $(CA_KEY) -extensions ca_ext \
> +		$($(quiet)redirect_openssl)
> +endif # CONFIG_IMA_APPRAISE_MODSIG
>   	$(Q)openssl req -new -nodes -utf8 \
>   		-batch -config $(obj)/x509.genkey \
>   		-outform PEM -out $(obj)/signing_key.csr \
>   		-keyout $(obj)/signing_key.key -extensions myexts \
>   		$($(quiet)redirect_openssl)
>   	$(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \
> -		-outform PEM -out $(obj)/signing_key.crt \
> -		-signkey $(obj)/signing_key.key \
> +		-outform PEM -out $(obj)/signing_key.crt $(SIGNER) \
>   		-$(CONFIG_MODULE_SIG_HASH) -extensions myexts \
>   		-extfile $(obj)/x509.genkey \
>   		$($(quiet)redirect_openssl)
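Review bot: `@$(Q)openssl req -new -nodes -utf8 \` in the new CA generation step hides the command unconditionally, while the surrounding recipe lines use plain `$(Q)` so that they are shown under V=1; drop the extra `@`. The tab-indented `# Generate kernel build time CA Certificate.` line is part of the recipe, so make echoes it under V=1 and hands it to the shell as a comment; move it above the `ifeq` where make treats it as a Makefile comment. Also, `-out $(CA_KEY)` together with `-keyout $(CA_KEY)` puts the CA private key and its certificate into one PEM file, which the `SIGNER` line then passes as both `-CA` and `-CAkey`; that works, but a short comment next to `CA_KEY = certs/ca_signing_key.pem` stating that the file holds both key and certificate would save the next reader from looking for a separate CA key file.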

It may make things easier (also below) if the CA was always created and 
the kernel signing key was always signed by that CA rather than doing 
this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an 
opinion on that?


> @@ -95,19 +122,50 @@ $(obj)/x509.genkey:
>   	@echo >>$@ "keyUsage=digitalSignature"
>   	@echo >>$@ "subjectKeyIdentifier=hash"
>   	@echo >>$@ "authorityKeyIdentifier=keyid"
> +	@echo >>$@
> +	@echo >>$@ "[ ca_ext ]"
> +	@echo >>$@ "keyUsage=critical,keyCertSign"
> +	@echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0"
> +	@echo >>$@ "subjectKeyIdentifier=hash"
> +	@echo >>$@ "authorityKeyIdentifier=keyid"
>   endif # CONFIG_MODULE_SIG_KEY
>   
>   $(eval $(call config_filename,MODULE_SIG_KEY))
> +SUBJECT=CN = Build time autogenerated kernel key
> +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer)
>   
>   # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it
> +
> +# GCC PR#66871 again.
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +
> +# Remove existing keys if it is self-signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey))
> +CA_KEY = certs/ca_signing_key.pem
> +
> +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509
> +
> +targets += ca_signing_key.x509
> +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(CA_KEY))
> +
> +targets += signing_key.x509
> +$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE
> +	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> +else
> +
> +# Remove existing keys if it is CA signed.
> +$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey))
> +
>   ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME)))
>   X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME)
>   endif
>   
> -# GCC PR#66871 again.
>   $(obj)/system_certificates.o: $(obj)/signing_key.x509
>   
>   targets += signing_key.x509
> -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
> +$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE
>   	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
> -endif # CONFIG_MODULE_SIG
> +
> +endif # CONFIG_IMA_APPRAISE_MODSIG
> +endif # SIGN_KEY
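Review bot: the two `$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f ...))` lines delete key material as a side effect of parsing the Makefile, on every invocation and before any target is considered; in the CONFIG_IMA_APPRAISE_MODSIG branch this removes any self-signed `certs/signing_key.pem` a user has placed there, and the check depends on the exact `CN = ...` spelling of `openssl x509 -noout -issuer`, which older OpenSSL releases print as `/CN=...`, so on those systems the keys would be regenerated on every build. Move the decision into a recipe that depends on the config symbol, or at least limit it to keys the build itself generated. Separately, both rewritten `$(obj)/signing_key.x509` rules hard-code `certs/signing_key.pem` as a prerequisite (and the MODSIG branch drops `$(X509_DEP)`), which breaks configurations where CONFIG_MODULE_SIG_KEY is an external file or a pkcs11: URI, since nothing produces that file in that case; keep `$(X509_DEP)` as the dependency. `CA_KEY = certs/ca_signing_key.pem` is also assigned here a second time after the definition in the previous hunk.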
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index 8f29058adf93..e10043800a7e 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -8,8 +8,13 @@
>   	.globl system_certificate_list
>   system_certificate_list:
>   __cert_list_start:
> -#ifdef CONFIG_MODULE_SIG
> +__module_cert_start:
> +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
>   	.incbin "certs/signing_key.x509"
> +#endif
> +__module_cert_end:
> +#ifdef CONFIG_IMA_APPRAISE_MODSIG
> +	.incbin "certs/ca_signing_key.x509"
>   #endif
>   	.incbin "certs/x509_certificate_list"
>   __cert_list_end:
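Review bot: with CONFIG_IMA_APPRAISE_MODSIG=y and CONFIG_MODULE_SIG=n, the `.incbin "certs/ca_signing_key.x509"` and the `signing_key.x509` include now guarded by the `||` need files that certs/Makefile only generates inside `ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")`; as long as MODULE_SIG_KEY keeps its `depends on MODULE_SIG` in Kconfig, that variable is unset in such a configuration and the assembler fails on a missing include file. Either relax the Kconfig dependency in this series or give certs/Makefile a default for the MODSIG-only case, and say in the commit message which one is intended.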
> @@ -35,3 +40,12 @@ system_certificate_list_size:
>   #else
>   	.long __cert_list_end - __cert_list_start
>   #endif
> +
> +	.align 8
> +	.globl module_cert_size
> +	module_cert_size:
> +#ifdef CONFIG_64BIT
> +	.quad __module_cert_end - __module_cert_start
> +#else
> +	.long __module_cert_end - __module_cert_start
> +#endif
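Review bot: `module_cert_size:` is tab-indented while the existing `system_certificate_list_size:` label in the same file (visible in the hunk header) sits at column 0; put the new label at column 0 to match. Nothing in this patch references `module_cert_size`, so the commit message should say what consumes it, and the matching extern declaration belongs next to the existing one for `system_certificate_list_size` so the C side and the assembly stay in step.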