From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Eric Snowberg <eric.snowberg@oracle.com>,
	Paul Moore <paul@paul-moore.com>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Fri, 14 Jul 2023 11:34:35 -0400	[thread overview]
Message-ID: <20230714153435.28155-7-nayna@linux.ibm.com> (raw)
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>

On a secure boot enabled PowerVM LPAR, third party code signing keys are
needed during early boot to verify signed third party modules. These
third party keys are stored in the moduledb object in the Platform
KeyStore (PKS).

Load third party code signing keys onto .secondary_trusted_keys keyring.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
Jarkko, this patch is based on Linus master tree branch, which does
not contain the following commits yet:

c9d004712300 integrity: Enforce digitalSignature usage in the ima and
evm keyrings
59b656eb58fe KEYS: DigitalSignature link restriction

 certs/system_keyring.c                        | 22 +++++++++++++++++++
 include/keys/system_keyring.h                 |  8 +++++++
 security/integrity/integrity.h                |  1 +
 .../platform_certs/keyring_handler.c          |  8 +++++++
 .../platform_certs/keyring_handler.h          |  5 +++++
 .../integrity/platform_certs/load_powerpc.c   | 18 ++++++++++++++-
 6 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a7a49b17ceb1..b0235732c1d4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -347,3 +347,25 @@ void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len)
+{
+	key_ref_t key;
+	key_perm_t perm;
+	int rc = 0;
+
+	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+
+	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), "asymmetric",
+				   NULL, data, len, perm,
+				   KEY_ALLOC_NOT_IN_QUOTA);
+	if (IS_ERR(key)) {
+		rc = PTR_ERR(key);
+		pr_err("Problem loading X.509 certificate %d\n", rc);
+	} else {
+		pr_notice("Loaded X.509 cert '%s'\n",
+			  key_ref_to_ptr(key)->description);
+		key_ref_put(key);
+	}
+}
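Review bot: The `source` parameter of add_to_secondary_keyring() is never used, so neither log line says which firmware store supplied a certificate that is being added to a trusted keyring. Including it makes failed and successful loads attributable, e.g. `pr_err("Problem loading X.509 certificate from %s: %ld\n", source, PTR_ERR(key));`, which also makes the `rc` local unnecessary. The call passes only `KEY_ALLOC_NOT_IN_QUOTA` and not `KEY_ALLOC_BYPASS_RESTRICTION`, so the keyring's link restriction should still apply to these keys. A one-line comment such as `/* No KEY_ALLOC_BYPASS_RESTRICTION: keys must still satisfy the keyring's link restriction. */` would record that this is deliberate.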
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..a57a77ccf003 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -41,8 +41,16 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 	const struct key_type *type,
 	const union key_payload *payload,
 	struct key *restriction_key);
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len);
+
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len)
+{
+}
 #endif
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
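Review bot: The stub added in the `#else` branch is a non-static function definition in a header, so every translation unit that includes system_keyring.h with this branch active emits its own `add_to_secondary_keyring` and the link fails on multiple definitions. It should be `static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)`. The matching `#if` is outside the hunk. Judging by the `#define` next to it, this looks like the build without a secondary trusted keyring, where moduledb certificates would be dropped with no log message; a `pr_*` line or a comment stating that would help.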
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index d7553c93f5c0..efaa2eb789ad 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id,
 {
 	return 0;
 }
+
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index b3e5df136e50..6095df043498 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -77,6 +77,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
 	return NULL;
 }
 
+__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
+{
+	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+		return add_to_secondary_keyring;
+
+	return NULL;
+}
+
 /*
  * Return the appropriate handler for particular signature list types found in
  * the UEFI dbx and MokListXRT tables.
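Review bot: get_handler_for_code_signing_keys() has no comment in the .c file, although it decides which signature list types from the code signing store are accepted: only the X.509 GUID gets a handler and every other type returns NULL. A short comment above it would make that explicit, for example `/* Code signing keys: X.509 certificates only, added to the secondary trusted keyring; other signature list types are ignored. */`.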
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 6f15bb4cc8dc..f92895cc50f6 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
  */
 efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
 
+/*
+ * Return the handler for particular signature list types for code signing keys.
+ */
+efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type);
+
 /*
  * Return the handler for particular signature list types found in the dbx.
  */
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index 6263ce3b3f1e..32c4e5fbf0fb 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
 static int __init load_powerpc_certs(void)
 {
 	void *db = NULL, *dbx = NULL, *data = NULL;
-	void *trustedca = NULL;
+	void *trustedca = NULL, *moduledb = NULL;
 	u64 dsize = 0;
 	u64 offset = 0;
 	int rc = 0;
@@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void)
 		kfree(data);
 	}
 
+	data = get_cert_list("moduledb", 9,  &dsize);
+	if (!data) {
+		pr_info("Couldn't get moduledb list from firmware\n");
+	} else if (IS_ERR(data)) {
+		rc = PTR_ERR(data);
+		pr_err("Error reading moduledb from firmware: %d\n", rc);
+	} else {
+		extract_esl(moduledb, data, dsize, offset);
+
+		rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,
+					      get_handler_for_code_signing_keys);
+		if (rc)
+			pr_err("Couldn't parse moduledb signatures: %d\n", rc);
+		kfree(data);
+	}
+
 	return rc;
 }
 late_initcall(load_powerpc_certs);
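Review bot: The key length in `get_cert_list("moduledb", 9,  &dsize)` is a hand-counted literal that has to equal the name plus its terminating NUL; a wrong count would presumably look up a different object name and the keys would not be loaded. `data = get_cert_list("moduledb", sizeof("moduledb"), &dsize);` keeps the two in step. Separately, `rc` is assigned in this block without regard to its earlier value, so the value returned by load_powerpc_certs() reflects only the last store that set it. The earlier part of the function is outside the hunk, so confirm that this is intended.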
-- 
2.31.1


WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
	Paul Moore <paul@paul-moore.com>,
	Nayna Jain <nayna@linux.ibm.com>,
	linux-security-module@vger.kernel.org,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-kernel@vger.kernel.org, Jarkko Sakkinen <jarkko@kernel.org>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
Subject: [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Fri, 14 Jul 2023 11:34:35 -0400	[thread overview]
Message-ID: <20230714153435.28155-7-nayna@linux.ibm.com> (raw)
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>

On a secure boot enabled PowerVM LPAR, third party code signing keys are
needed during early boot to verify signed third party modules. These
third party keys are stored in the moduledb object in the Platform
KeyStore (PKS).

Load third party code signing keys onto .secondary_trusted_keys keyring.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
Jarkko, this patch is based on Linus master tree branch, which does
not contain the following commits yet:

c9d004712300 integrity: Enforce digitalSignature usage in the ima and
evm keyrings
59b656eb58fe KEYS: DigitalSignature link restriction

 certs/system_keyring.c                        | 22 +++++++++++++++++++
 include/keys/system_keyring.h                 |  8 +++++++
 security/integrity/integrity.h                |  1 +
 .../platform_certs/keyring_handler.c          |  8 +++++++
 .../platform_certs/keyring_handler.h          |  5 +++++
 .../integrity/platform_certs/load_powerpc.c   | 18 ++++++++++++++-
 6 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a7a49b17ceb1..b0235732c1d4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -347,3 +347,25 @@ void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len)
+{
+	key_ref_t key;
+	key_perm_t perm;
+	int rc = 0;
+
+	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+
+	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), "asymmetric",
+				   NULL, data, len, perm,
+				   KEY_ALLOC_NOT_IN_QUOTA);
+	if (IS_ERR(key)) {
+		rc = PTR_ERR(key);
+		pr_err("Problem loading X.509 certificate %d\n", rc);
+	} else {
+		pr_notice("Loaded X.509 cert '%s'\n",
+			  key_ref_to_ptr(key)->description);
+		key_ref_put(key);
+	}
+}
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..a57a77ccf003 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -41,8 +41,16 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 	const struct key_type *type,
 	const union key_payload *payload,
 	struct key *restriction_key);
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len);
+
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+void __init add_to_secondary_keyring(const char *source, const void *data,
+				     size_t len)
+{
+}
 #endif
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index d7553c93f5c0..efaa2eb789ad 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id,
 {
 	return 0;
 }
+
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index b3e5df136e50..6095df043498 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -77,6 +77,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
 	return NULL;
 }
 
+__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
+{
+	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+		return add_to_secondary_keyring;
+
+	return NULL;
+}
+
 /*
  * Return the appropriate handler for particular signature list types found in
  * the UEFI dbx and MokListXRT tables.
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 6f15bb4cc8dc..f92895cc50f6 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
  */
 efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
 
+/*
+ * Return the handler for particular signature list types for code signing keys.
+ */
+efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type);
+
 /*
  * Return the handler for particular signature list types found in the dbx.
  */
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index 6263ce3b3f1e..32c4e5fbf0fb 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
 static int __init load_powerpc_certs(void)
 {
 	void *db = NULL, *dbx = NULL, *data = NULL;
-	void *trustedca = NULL;
+	void *trustedca = NULL, *moduledb = NULL;
 	u64 dsize = 0;
 	u64 offset = 0;
 	int rc = 0;
@@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void)
 		kfree(data);
 	}
 
+	data = get_cert_list("moduledb", 9,  &dsize);
+	if (!data) {
+		pr_info("Couldn't get moduledb list from firmware\n");
+	} else if (IS_ERR(data)) {
+		rc = PTR_ERR(data);
+		pr_err("Error reading moduledb from firmware: %d\n", rc);
+	} else {
+		extract_esl(moduledb, data, dsize, offset);
+
+		rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,
+					      get_handler_for_code_signing_keys);
+		if (rc)
+			pr_err("Couldn't parse moduledb signatures: %d\n", rc);
+		kfree(data);
+	}
+
 	return rc;
 }
 late_initcall(load_powerpc_certs);
-- 
2.31.1


  parent reply	other threads:[~2023-07-14 15:35 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-07-14 15:34 ` Nayna Jain
2023-07-14 15:34 ` [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
2023-07-14 15:34   ` Nayna Jain
2023-08-02 22:58   ` Mimi Zohar
2023-08-02 22:58     ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
2023-07-14 15:34   ` Nayna Jain
2023-08-02 22:59   ` Mimi Zohar
2023-08-02 22:59     ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
2023-07-14 15:34   ` Nayna Jain
2023-08-02 22:58   ` Mimi Zohar
2023-08-02 22:58     ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 4/6] integrity: check whether imputed trust is enabled Nayna Jain
2023-07-14 15:34   ` Nayna Jain
2023-08-02 22:59   ` Mimi Zohar
2023-08-02 22:59     ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
2023-07-14 15:34   ` Nayna Jain
2023-08-02 22:59   ` Mimi Zohar
2023-08-02 22:59     ` Mimi Zohar
2023-07-14 15:34 ` Nayna Jain [this message]
2023-07-14 15:34   ` [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
2023-08-02 22:58 ` [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Mimi Zohar
2023-08-02 22:58   ` Mimi Zohar
