Message ID | 20211124044124.998170-4-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Enroll kernel keys thru MOK | expand |
Hi Eric, On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: > +config INTEGRITY_MACHINE_KEYRING > + bool "Provide a keyring to which CA Machine Owner Keys may be added" > + depends on SECONDARY_TRUSTED_KEYRING > + depends on INTEGRITY_ASYMMETRIC_KEYS Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this change, is "KEYS: Create static version of public_key_verify_signature" trusted needed? Mimi > + depends on SYSTEM_BLACKLIST_KEYRING > + depends on LOAD_UEFI_KEYS > + help > + If set, provide a keyring to which CA Machine Owner Keys (MOK) may > + be added. This keyring shall contain just CA MOK keys. Unlike keys > + in the platform keyring, keys contained in the .machine keyring will > + be trusted within the kernel. > +
On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: > Many UEFI Linux distributions boot using shim. The UEFI shim provides > what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure > Boot DB and MOK keys to validate the next step in the boot chain. The > MOK facility can be used to import user generated keys. These keys can > be used to sign an end-users development kernel build. When Linux > boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux > .platform keyring. > > Define a new Linux keyring called machine. This keyring shall contain just > MOK CA keys and not the remaining keys in the platform keyring. This new > machine keyring will be used in follow on patches. Unlike keys in the > platform keyring, keys contained in the machine keyring will be trusted > within the kernel if the end-user has chosen to do so. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> /Jarkko
> On Nov 24, 2021, at 7:49 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: > On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: >> +config INTEGRITY_MACHINE_KEYRING >> + bool "Provide a keyring to which CA Machine Owner Keys may be added" >> + depends on SECONDARY_TRUSTED_KEYRING >> + depends on INTEGRITY_ASYMMETRIC_KEYS > > Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this > change, is "KEYS: Create static version of > public_key_verify_signature" trusted needed? I believe it is still needed. If someone were to use the same config as the build bot, where ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined and INTEGRITY_MACHINE_KEYRING is not defined, they would still hit the problem that has now been fixed in "KEYS: Create static version of public_key_verify_signature”. I wish the first two patches in this series would be accepted, since I’m only carrying them to get past the build bot.
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 71f0177e8716..12879dec251d 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -62,6 +62,18 @@ config INTEGRITY_PLATFORM_KEYRING provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. +config INTEGRITY_MACHINE_KEYRING + bool "Provide a keyring to which CA Machine Owner Keys may be added" + depends on SECONDARY_TRUSTED_KEYRING + depends on INTEGRITY_ASYMMETRIC_KEYS + depends on SYSTEM_BLACKLIST_KEYRING + depends on LOAD_UEFI_KEYS + help + If set, provide a keyring to which CA Machine Owner Keys (MOK) may + be added. This keyring shall contain just CA MOK keys. Unlike keys + in the platform keyring, keys contained in the .machine keyring will + be trusted within the kernel. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 7ee39d66cf16..d0ffe37dc1d6 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -10,6 +10,7 @@ integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..8c315be8ad99 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".machine", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..730771eececd 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MACHINE 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; @@ -283,3 +284,12 @@ static inline void __init add_to_platform_keyring(const char *source, { } #endif + +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +void __init add_to_machine_keyring(const char *source, const void *data, size_t len); +#else +static inline void __init add_to_machine_keyring(const char *source, + const void *data, size_t len) +{ +} +#endif diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c new file mode 100644 index 000000000000..ea2ac2f9f2b5 --- /dev/null +++ b/security/integrity/platform_certs/machine_keyring.c @@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Machine keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int machine_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE); + if (rc) + return rc; + + pr_notice("Machine keyring initialized\n"); + return 0; +} +device_initcall(machine_keyring_init); + +void __init add_to_machine_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm); + + /* + * Some MOKList keys may not pass the machine keyring restrictions. + * If the restriction check does not pass and the platform keyring + * is configured, try to add it into that keyring instead. + */ + if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to machine keyring %s\n", source); +}