linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kairui Song <kasong@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
	jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
	jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
	bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
	dyoung@redhat.com, linux-integrity@vger.kernel.org,
	kexec@lists.infradead.org, Kairui Song <kasong@redhat.com>
Subject: [PATCH v4 1/2] integrity, KEYS: add a reference to platform keyring
Date: Fri, 18 Jan 2019 17:17:32 +0800	[thread overview]
Message-ID: <20190118091733.29940-2-kasong@redhat.com> (raw)
In-Reply-To: <20190118091733.29940-1-kasong@redhat.com>

commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
introduced a .platform keyring for storing preboot keys, used for
verifying kernel images' signature. Currently only IMA-appraisal is able
to use the keyring to verify kernel images that have their signature
stored in xattr.

This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
---
 certs/system_keyring.c        | 9 +++++++++
 include/keys/system_keyring.h | 5 +++++
 security/integrity/digsig.c   | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 81728717523d..4690ef9cda8a 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 static struct key *secondary_trusted_keys;
 #endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+static struct key *platform_trusted_keys;
+#endif
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
@@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
 }
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
 
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+void __init set_platform_trusted_keys(struct key *keyring) {
+	platform_trusted_keys = keyring;
+}
+#endif
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 359c2f936004..9e1b7849b6aa 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
 }
 #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
 
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+
+extern void __init set_platform_trusted_keys(struct key* keyring);
+
+#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
 
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f45d6edecf99..bfabc2a8111d 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
 		keyring[id] = NULL;
 	}
 
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+	if (id == INTEGRITY_KEYRING_PLATFORM) {
+		set_platform_trusted_keys(keyring[id]);
+	}
+#endif
+
 	return err;
 }
 
-- 
2.20.1

next prev parent reply	other threads:[~2019-01-18  9:19 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-18  9:17 [PATCH v4 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-18  9:17 ` Kairui Song [this message]
2019-01-18 14:35   ` [PATCH v4 1/2] integrity, KEYS: add a reference to platform keyring Nayna
2019-01-18 15:01     ` Kairui Song
2019-01-18  9:17 ` [PATCH v4 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-18 11:53 ` [PATCH v4 0/2] let kexec_file_load use platform keyring to verify the kernel image Mimi Zohar
2019-01-18 12:07   ` Kairui Song
2019-01-18 12:34   ` Dave Young
2019-01-18 12:37     ` Dave Young
2019-01-18 13:42       ` Kairui Song
2019-01-18 14:28         ` Kairui Song
2019-01-21  9:08           ` Kairui Song

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:81728717523 dfblob:359c2f93600 dfblob:f45d6edecf9
dfblob:4690ef9cda8 dfblob:9e1b7849b6a dfblob:bfabc2a8111
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190118091733.29940-2-kasong@redhat.com \
    --to=kasong@redhat.com \
    --cc=bauerman@linux.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=dyoung@redhat.com \
    --cc=ebiggers@google.com \
    --cc=jmorris@namei.org \
    --cc=jwboyer@fedoraproject.org \
    --cc=kexec@lists.infradead.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).