From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH 0/5] ima: kernel build support for loading the kernel module signing key
Date: Thu, 11 Feb 2021 14:54:30 -0500
Message-ID: <20210211195435.135582-1-nayna@linux.ibm.com>

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring.  On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings.  This series of patches enables IMA
verification of signed kernel modules by:

* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.

* Enabling module signing at build time for IMA_APPRAISE_MODSIG as well.

Nayna Jain (5):
  keys: cleanup build time module signing keys
  keys: generate self-signed module signing key using CSR
  ima: update kernel module signing process during build
  keys: define build time generated ephemeral kernel CA key
  ima: enable loading of build time generated key to .ima keyring

 Makefile                      |  9 ++--
 certs/Kconfig                 |  2 +-
 certs/Makefile                | 77 ++++++++++++++++++++++++++++++++---
 certs/system_certificates.S   | 16 +++++++-
 certs/system_keyring.c        | 56 +++++++++++++++++++------
 include/keys/system_keyring.h |  9 +++-
 init/Kconfig                  |  6 +--
 security/integrity/digsig.c   |  4 ++
 8 files changed, 151 insertions(+), 28 deletions(-)

-- 
2.18.1
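As an added illustration, not code from this series or from the kernel's certs/Makefile, the script below models the trust relationship the cover letter describes with openssl(1): an ephemeral CA issues the module signing certificate from a CSR, so the signing key chains to a CA (the property a CA-restricted keyring such as .ima requires), while a self-signed signing key does not chain. All key names, paths and subjects are constructed; openssl(1) is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the patch series. Builds an ephemeral CA, issues
# a module signing cert from a CSR, and contrasts it with a self-signed key.
# Assumes openssl(1); every name and path here is constructed for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
EOF

# Ephemeral kernel CA (self-signed) plus a CSR-issued module signing cert.
gen_ca_issued_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=Example Kernel CA (constructed)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=Example module signing key (constructed)" \
        -keyout "$WORK/signing_key.key" -out "$WORK/signing_key.csr" 2>/dev/null
    # Leaf extensions: a signing key, not a CA.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/signing_key.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/signing_key.pem" 2>/dev/null
}

# The pre-series arrangement: a self-signed module signing key with no issuer.
gen_self_signed_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=Self-signed module key (constructed)" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# Returns 0 when the certificate in $2 chains to the CA in $1, non-zero otherwise.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

gen_ca_issued_key
gen_self_signed_key
```

Running it and then calling `chains_to_ca "$WORK/ca.pem" "$WORK/signing_key.pem"` succeeds, while the same check against `selfsigned.pem` fails, which is why a self-signed signing key cannot satisfy a keyring restricted to CA-signed certificates.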

Thread overview: 20+ messages
2021-02-11 19:54 Nayna Jain [this message]
2021-02-11 19:54 ` [PATCH 1/5] keys: cleanup build time module signing keys Nayna Jain
2021-02-11 21:57   ` Stefan Berger
2021-02-12 21:33     ` Nayna
2021-02-12 23:47   ` Jarkko Sakkinen
2021-02-11 19:54 ` [PATCH 2/5] keys: generate self-signed module signing key using CSR Nayna Jain
2021-02-11 22:01   ` Stefan Berger
2021-02-18 22:02     ` Nayna
2021-02-12 23:47   ` Jarkko Sakkinen
2021-02-11 19:54 ` [PATCH 3/5] ima: update kernel module signing process during build Nayna Jain
2021-02-11 19:54 ` [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Nayna Jain
2021-02-11 22:13   ` Stefan Berger
2021-02-11 23:25     ` Mimi Zohar
2021-02-12  3:30   ` kernel test robot
2021-02-12  3:30     ` kernel test robot
2021-02-12  8:25   ` kernel test robot
2021-02-12  8:25     ` kernel test robot
2021-02-11 19:54 ` [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Nayna Jain
2021-02-11 22:32   ` Stefan Berger
2021-02-12 23:48   ` Jarkko Sakkinen
