From: Kairui Song <kasong@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
dyoung@redhat.com, linux-integrity@vger.kernel.org,
kexec@lists.infradead.org, Kairui Song <kasong@redhat.com>
Subject: [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Wed, 09 Jan 2019 16:48:22 +0000 [thread overview]
Message-ID: <20190109164824.19708-1-kasong@redhat.com> (raw)
Hi,
This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.
This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.
Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.
Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 10 +++++++++-
include/keys/system_keyring.h | 5 +++++
include/linux/verification.h | 1 +
security/integrity/digsig.c | 4 ++++
5 files changed, 29 insertions(+), 4 deletions(-)
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Kairui Song <kasong@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
dyoung@redhat.com, linux-integrity@vger.kernel.org,
kexec@lists.infradead.org, Kairui Song <kasong@redhat.com>
Subject: [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Thu, 10 Jan 2019 00:48:22 +0800 [thread overview]
Message-ID: <20190109164824.19708-1-kasong@redhat.com> (raw)
Hi,
This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.
This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.
Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.
Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 10 +++++++++-
include/keys/system_keyring.h | 5 +++++
include/linux/verification.h | 1 +
security/integrity/digsig.c | 4 ++++
5 files changed, 29 insertions(+), 4 deletions(-)
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Kairui Song <kasong@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: jwboyer@fedoraproject.org, Kairui Song <kasong@redhat.com>,
ebiggers@google.com, dyoung@redhat.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, jmorris@namei.org,
zohar@linux.ibm.com, dhowells@redhat.com,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
dwmw2@infradead.org, bauerman@linux.ibm.com, serge@hallyn.com
Subject: [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Thu, 10 Jan 2019 00:48:22 +0800 [thread overview]
Message-ID: <20190109164824.19708-1-kasong@redhat.com> (raw)
Hi,
This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.
This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.
Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.
Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 10 +++++++++-
include/keys/system_keyring.h | 5 +++++
include/linux/verification.h | 1 +
security/integrity/digsig.c | 4 ++++
5 files changed, 29 insertions(+), 4 deletions(-)
--
2.20.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next reply other threads:[~2019-01-09 16:48 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 16:48 Kairui Song [this message]
2019-01-09 16:48 ` [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-09 16:48 ` Kairui Song
2019-01-09 16:48 ` [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-09 16:48 ` Kairui Song
2019-01-09 16:48 ` Kairui Song
2019-01-09 19:21 ` Mimi Zohar
2019-01-09 19:21 ` Mimi Zohar
2019-01-09 19:21 ` Mimi Zohar
2019-01-09 16:48 ` [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-09 16:48 ` Kairui Song
2019-01-09 16:48 ` Kairui Song
2019-01-11 13:43 ` Dave Young
2019-01-11 13:43 ` Dave Young
2019-01-11 13:43 ` Dave Young
2019-01-11 16:13 ` Mimi Zohar
2019-01-11 16:13 ` Mimi Zohar
2019-01-11 16:13 ` Mimi Zohar
2019-01-13 1:39 ` Dave Young
2019-01-13 1:39 ` Dave Young
2019-01-13 1:39 ` Dave Young
2019-01-14 3:28 ` Kairui Song
2019-01-14 3:28 ` Kairui Song
2019-01-14 3:28 ` Kairui Song
2019-01-14 16:10 ` Mimi Zohar
2019-01-14 16:10 ` Mimi Zohar
2019-01-14 16:10 ` Mimi Zohar
2019-01-15 2:42 ` Dave Young
2019-01-15 2:42 ` Dave Young
2019-01-15 2:42 ` Dave Young
2019-01-15 3:10 ` Kairui Song
2019-01-15 3:10 ` Kairui Song
2019-01-15 3:10 ` Kairui Song
2019-01-15 15:17 ` nayna
2019-01-15 15:17 ` nayna
2019-01-15 15:17 ` nayna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190109164824.19708-1-kasong@redhat.com \
--to=kasong@redhat.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.