| Message ID | 20220311210344.102396-1-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | integrity: support including firmware ".platform" keys at build time | expand |
On 12/03/22 2:33 am, Nayna Jain wrote: > Some firmware support secure boot by embedding static keys to verify the > Linux kernel during boot. However, these firmware do not expose an > interface for the kernel to load firmware keys onto the ".platform" > keyring, preventing the kernel from verifying the kexec kernel image > signature. > > This patchset exports load_certificate_list() and defines a new function > load_builtin_platform_cert() to load compiled in certificates onto the > ".platform" keyring. > > Changelog: > v12: > * Replace Patch 3/4 with reverting of the commit as suggested by > Masahiro Yamada. > Tested the following four patches ov v12 with and with out setting CONFIG_INTEGRITY_PLATFORM_KEYS Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com> 1. With CONFIG_INTEGRITY_PLATFORM_KEYS set to a key # grep pem .config CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem" # grep "CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST" .config CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem" # CONFIG_SYSTEM_REVOCATION_LIST is not set # cat /proc/keys | grep platform 0a7a11a9 I------ 1 perm 1f0b0000 0 0 keyring .platform: 1 # keyctl show %keyring:.platform Keyring 175772073 ---lswrv 0 0 keyring: .platform 519271447 ---lswrv 0 0 \_ asymmetric: IBM Corporation: Guest Secure Boot Imprint Kernel Signing Key: a0cf9069c30875320cb10a77325d4fa7012f8d12 2. With out CONFIG_INTEGRITY_PLATFORM_KEYS set, leaving empty # grep pem .config CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem" # grep "CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST" .config CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_PLATFORM_KEYS="" # CONFIG_SYSTEM_REVOCATION_LIST is not set # cat /proc/keys | grep platform 39c749b9 I------ 1 perm 1f0b0000 0 0 keyring .platform: empty # keyctl show %keyring:.platform Keyring 969361849 ---lswrv 0 0 keyring: .platform > > base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9
Some firmware support secure boot by embedding static keys to verify the Linux kernel during boot. However, these firmware do not expose an interface for the kernel to load firmware keys onto the ".platform" keyring, preventing the kernel from verifying the kexec kernel image signature. This patchset exports load_certificate_list() and defines a new function load_builtin_platform_cert() to load compiled in certificates onto the ".platform" keyring. Changelog: v12: * Replace Patch 3/4 with reverting of the commit as suggested by Masahiro Yamada. v11: * Added a new patch to conditionally build extract-cert if PLATFORM_KEYRING is enabled. v10: * Fixed the externs warning for Patch 3. v9: * Rebased on Jarkko's repo - git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git v8: * Includes Jarkko's feedback on patch description and removed Reported-by for Patch 1. v7: * Incldues Jarkko's feedback on patch description for Patch 1 and 3. v6: * Includes Jarkko's feedback: * Split Patch 2 into two. * Update Patch description. v5: * Renamed load_builtin_platform_cert() to load_platform_certificate_list() and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as suggested by Mimi Zohar. v4: * Split into two patches as per Mimi Zohar and Dimitri John Ledkov recommendation. v3: * Included Jarkko's feedback ** updated patch description to include approach. ** removed extern for function declaration in the .h file. * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. v2: * Fixed the error reported by kernel test robot * Updated patch description based on Jarkko's feedback. Nayna Jain (4): certs: export load_certificate_list() to be used outside certs/ integrity: make integrity_keyring_from_id() non-static Revert "certs: move scripts/extract-cert to certs/" integrity: support including firmware ".platform" keys at build time MAINTAINERS | 1 + certs/.gitignore | 1 - certs/Makefile | 18 ++++++--------- certs/blacklist.c | 1 - certs/common.c | 2 +- certs/common.h | 9 -------- certs/system_keyring.c | 1 - include/keys/system_keyring.h | 6 +++++ scripts/.gitignore | 1 + scripts/Makefile | 12 ++++++++-- {certs => scripts}/extract-cert.c | 2 +- scripts/remove-stale-files | 2 -- security/integrity/Kconfig | 10 ++++++++ security/integrity/Makefile | 15 +++++++++++- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 9 ++++++++ .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ 18 files changed, 107 insertions(+), 31 deletions(-) delete mode 100644 certs/common.h rename {certs => scripts}/extract-cert.c (98%) create mode 100644 security/integrity/platform_certs/platform_cert.S base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9