Message ID | 20220306205100.651878-4-nayna@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | integrity: support including firmware ".platform" keys at build time | expand |
On Sun, Mar 06, 2022 at 03:51:00PM -0500, Nayna Jain wrote: > Allow firmware keys to be embedded in the Linux kernel and loaded onto > the ".platform" keyring on boot. > > The firmware keys can be specified in a file as a list of PEM encoded > certificates using new config INTEGRITY_PLATFORM_KEYS. The certificates > are embedded in the image by converting the PEM-formatted certificates > into DER(binary) and generating > security/integrity/platform_certs/platform_certificate_list file at > build time. On boot, the embedded certs from the image are loaded onto > the ".platform" keyring at late_initcall(), ensuring the platform keyring > exists before loading the keys. > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > --- > security/integrity/Kconfig | 10 ++++++++ > security/integrity/Makefile | 15 +++++++++++- > security/integrity/integrity.h | 3 +++ > .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ > .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ > 5 files changed, 73 insertions(+), 1 deletion(-) > create mode 100644 security/integrity/platform_certs/platform_cert.S > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig > index 599429f99f99..77b2c22c0e1b 100644 > --- a/security/integrity/Kconfig > +++ b/security/integrity/Kconfig 
> @@ -62,6 +62,16 @@ config INTEGRITY_PLATFORM_KEYRING > provided by the platform for verifying the kexec'ed kerned image > and, possibly, the initramfs signature. > > +config INTEGRITY_PLATFORM_KEYS > + string "Builtin X.509 keys for .platform keyring" > + depends on KEYS > + depends on ASYMMETRIC_KEY_TYPE > + depends on INTEGRITY_PLATFORM_KEYRING > + help > + If set, this option should be the filename of a PEM-formatted file > + containing X.509 certificates to be loaded onto the ".platform" > + keyring. > + > config INTEGRITY_MACHINE_KEYRING > bool "Provide a keyring to which Machine Owner Keys may be added" > depends on SECONDARY_TRUSTED_KEYRING > diff --git a/security/integrity/Makefile b/security/integrity/Makefile > index d0ffe37dc1d6..65bd93301a3a 100644 > --- a/security/integrity/Makefile > +++ b/security/integrity/Makefile > @@ -3,13 +3,17 @@ > # Makefile for caching inode integrity data (iint) > # > > +quiet_cmd_extract_certs = CERT $@ > + cmd_extract_certs = certs/extract-cert $(2) $@ > + > obj-$(CONFIG_INTEGRITY) += integrity.o > > integrity-y := iint.o > integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o > integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o > integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o > -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o > +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ > + platform_certs/platform_cert.o > integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o > integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ > platform_certs/load_uefi.o \ 
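Review bot: The help text for INTEGRITY_PLATFORM_KEYS never says what trusting these certificates means, even though the INTEGRITY_PLATFORM_KEYRING help quoted as context in this hunk says the .platform keyring is used to verify the kexec'ed kernel image and possibly the initramfs; every certificate in the file therefore becomes a trust anchor on par with the firmware's own keys, and the PEM file becomes part of the build's trusted computing base. I would add to the help: `Certificates listed here are trusted exactly like keys supplied by the platform firmware (e.g. for kexec image verification), so the file must be protected at build time.` The Makefile hunk below uses the string as a make prerequisite, so a relative path appears to be resolved against the object tree, which is worth stating for O= builds. The `depends on KEYS` and `depends on ASYMMETRIC_KEY_TYPE` lines look redundant if INTEGRITY_PLATFORM_KEYRING already implies them, though that dependency chain is outside the hunk.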
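Review bot: `cmd_extract_certs` invokes `certs/extract-cert` by a path relative to the top of the build tree, but nothing in this Makefile builds that host program and Kbuild descends into security/ and certs/ as independent subdirectories, so there is no guarantee it exists when this recipe runs; that matches the `No rule to make target 'certs/extract-cert'` failure reported further down in the thread. Either make the top-level Makefile order the host program before security/, or reuse the existing certs/ rule rather than redefining what appears to be the identical `quiet_cmd_extract_certs`/`cmd_extract_certs` pair here. Adding `platform_certs/platform_cert.o` under CONFIG_INTEGRITY_PLATFORM_KEYRING rather than CONFIG_INTEGRITY_PLATFORM_KEYS is fine only because the assembly file tolerates an empty list, which the .S hunk below appears to do.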
> @@ -20,3 +24,12 @@ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ > platform_certs/keyring_handler.o > obj-$(CONFIG_IMA) += ima/ > obj-$(CONFIG_EVM) += evm/ > + > +$(obj)/platform_certs/platform_cert.o: $(obj)/platform_certs/platform_certificate_list > + > +targets += platform_certificate_list > + > +$(obj)/platform_certs/platform_certificate_list: $(CONFIG_INTEGRITY_PLATFORM_KEYS) certs/extract-cert FORCE > + $(call if_changed,extract_certs,$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,"")) > + > +clean-files := platform_certs/platform_certificate_list > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > index 76e9a9515f99..219da29fecf7 100644 > --- a/security/integrity/integrity.h > +++ b/security/integrity/integrity.h > @@ -282,6 +282,9 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) > #endif > > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > +extern __initconst const u8 platform_certificate_list[]; > +extern __initconst const unsigned long platform_certificate_list_size; > + > void __init add_to_platform_keyring(const char *source, const void *data, > size_t len); > #else > diff --git a/security/integrity/platform_certs/platform_cert.S b/security/integrity/platform_certs/platform_cert.S > new file mode 100644 > index 000000000000..20bccce5dc5a > --- /dev/null > +++ b/security/integrity/platform_certs/platform_cert.S 
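Review bot: `targets += platform_certificate_list` does not name the file the rule produces: the rule and `clean-files` both use `platform_certs/platform_certificate_list` relative to $(obj), so `if_changed` will look for the wrong .cmd file and regenerate the list on every build instead of only when the PEM input or the command changes. Change it to `targets += platform_certs/platform_certificate_list`. The `certs/extract-cert` prerequisite has no rule reachable from this directory, which is the build break Jarkko reports below. `clean-files :=` would also discard anything this Makefile already listed; `clean-files += ...` is the safer form.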
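Review bot: The two new extern declarations carry no comment, so a reader of integrity.h cannot tell that these symbols come from a build-generated blob assembled by platform_cert.S rather than from a C definition. I would add above them: `/* DER-encoded certificates named by CONFIG_INTEGRITY_PLATFORM_KEYS and their total length in bytes; both are emitted by platform_certs/platform_cert.S at build time and live in init data. */` The declarations sit under `#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING`, matching the guard in the .S file, which is consistent.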
> @@ -0,0 +1,23 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#include <linux/export.h> > +#include <linux/init.h> > + > + __INITRODATA > + > + .align 8 > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > + .globl platform_certificate_list > +platform_certificate_list: > +__cert_list_start: > + .incbin "security/integrity/platform_certs/platform_certificate_list" > +__cert_list_end: > +#endif > + > + .align 8 > + .globl platform_certificate_list_size > +platform_certificate_list_size: > +#ifdef CONFIG_64BIT > + .quad __cert_list_end - __cert_list_start > +#else > + .long __cert_list_end - __cert_list_start > +#endif > diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c > index bcafd7387729..c2368912fd1b 100644 > --- a/security/integrity/platform_certs/platform_keyring.c > +++ b/security/integrity/platform_certs/platform_keyring.c > @@ -12,6 +12,7 @@ > #include <linux/cred.h> > #include <linux/err.h> > #include <linux/slab.h> > +#include <keys/system_keyring.h> > #include "../integrity.h" > > /** 
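Review bot: The `#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING` guard covers `platform_certificate_list` and the `__cert_list_start`/`__cert_list_end` labels but not `platform_certificate_list_size`, whose `.quad`/`.long` subtracts those labels, so if the guard were ever false the object would fail to assemble or link on undefined symbols. Since the Makefile hunk only compiles this file under CONFIG_INTEGRITY_PLATFORM_KEYRING, the guard is dead as written: drop it, or move the size definition inside it so the two cannot drift apart. `#include <linux/export.h>` is not used by anything in this file. The `.incbin` path is relative to the build-tree root, which appears to mirror how the certs/ list is embedded; a one-line comment saying the file is generated by the Makefile from CONFIG_INTEGRITY_PLATFORM_KEYS would help the next reader.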
> @@ -37,6 +38,28 @@ void __init add_to_platform_keyring(const char *source, const void *data, > pr_info("Error adding keys to platform keyring %s\n", source); > } > > +static __init int load_platform_certificate_list(void) > +{ > + const u8 *p; > + unsigned long size; > + int rc; > + struct key *keyring; > + > + p = platform_certificate_list; > + size = platform_certificate_list_size; > + > + keyring = integrity_keyring_from_id(INTEGRITY_KEYRING_PLATFORM); > + if (IS_ERR(keyring)) > + return PTR_ERR(keyring); > + > + rc = load_certificate_list(p, size, keyring); > + if (rc) > + pr_info("Error adding keys to platform keyring %d\n", rc); > + > + return rc; > +} > +late_initcall(load_platform_certificate_list); > + > /* > * Create the trusted keyrings. > */ > -- > 2.27.0 > There's zero tested-by's for this, i.e. cannot be applied before someone has tested this. Mimi, do not mean to be rude, but I don't frankly understand why you ask to pick a patch set that is *untested*. So I generated a self-signed certificate: openssl req -x509 -out localhost.crt -keyout localhost.key \ -newkey rsa:2048 -nodes -sha256 \ -subj '/CN=localhost' -extensions EXT -config <( \ printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") (by courtesy of letsencrypt: https://letsencrypt.org/docs/certificates-for-localhost/) openssl x509 -in localhost.crt -out localhost.pem -outform PEM And starting with tinyconfig I added minimal options to enable this feature. The config is attached. The end result is: make[2]: *** No rule to make target 'certs/extract-cert', needed by 'security/integrity/platform_certs/platform_certificate_list'. Stop. make[1]: *** [scripts/Makefile.build:550: security/integrity] Error 2 make: *** [Makefile:1831: security] Error 2 BR, Jarkko # # Automatically generated file; DO NOT EDIT. 
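Review bot: A failure of `load_certificate_list()` is logged at `pr_info`, yet these are the keys the .platform keyring uses to verify kexec images, so a deployment that depends on them would lose verification with nothing above info level in the log; use `pr_err("Error adding keys to platform keyring %d\n", rc);` (the existing `add_to_platform_keyring()` just above uses pr_info as well, so aligning both is reasonable). The `p` and `size` locals merely copy the two globals and can be dropped in favour of passing `platform_certificate_list` and `platform_certificate_list_size` directly. The late_initcall silently relies on `platform_keyring_init()`, which follows this hunk outside it, running at an earlier initcall level; a comment such as `/* late_initcall: platform_keyring_init() must already have created the .platform keyring */` would make that ordering dependency visible. Returning rc from the initcall only yields a boot-time warning while leaving the keyring partially populated, which is the fail-closed outcome for later verification and seems acceptable.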
# Linux/x86 5.17.0-rc5 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=110200 CONFIG_CLANG_VERSION=0 CONFIG_AS_IS_GNU=y CONFIG_AS_VERSION=23800 CONFIG_LD_IS_BFD=y CONFIG_LD_VERSION=23800 CONFIG_LLD_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y CONFIG_CC_HAS_ASM_GOTO=y CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_TABLE_SORT=y CONFIG_THREAD_INFO_IN_TASK=y # # General setup # CONFIG_BROKEN_ON_SMP=y CONFIG_INIT_ENV_ARG_LIMIT=32 # CONFIG_COMPILE_TEST is not set # CONFIG_WERROR is not set CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_BUILD_SALT="" CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y CONFIG_HAVE_KERNEL_ZSTD=y # CONFIG_KERNEL_GZIP is not set # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set CONFIG_KERNEL_XZ=y # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set # CONFIG_KERNEL_ZSTD is not set CONFIG_DEFAULT_INIT="" CONFIG_DEFAULT_HOSTNAME="(none)" # CONFIG_SYSVIPC is not set # CONFIG_WATCH_QUEUE is not set # CONFIG_CROSS_MEMORY_ATTACH is not set # CONFIG_USELIB is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y # # IRQ subsystem # CONFIG_GENERIC_IRQ_PROBE=y CONFIG_GENERIC_IRQ_SHOW=y CONFIG_HARDIRQS_SW_RESEND=y CONFIG_IRQ_DOMAIN=y CONFIG_IRQ_DOMAIN_HIERARCHY=y CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y CONFIG_GENERIC_IRQ_RESERVATION_MODE=y CONFIG_IRQ_FORCED_THREADING=y CONFIG_SPARSE_IRQ=y # end of IRQ subsystem CONFIG_CLOCKSOURCE_WATCHDOG=y CONFIG_ARCH_CLOCKSOURCE_INIT=y CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y CONFIG_GENERIC_TIME_VSYSCALL=y CONFIG_GENERIC_CLOCKEVENTS=y CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y CONFIG_GENERIC_CMOS_UPDATE=y CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y # # Timers subsystem # CONFIG_HZ_PERIODIC=y # 
CONFIG_NO_HZ_IDLE is not set # CONFIG_NO_HZ is not set # CONFIG_HIGH_RES_TIMERS is not set # end of Timers subsystem CONFIG_HAVE_EBPF_JIT=y CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y # # BPF subsystem # # CONFIG_BPF_SYSCALL is not set # end of BPF subsystem CONFIG_PREEMPT_NONE_BUILD=y CONFIG_PREEMPT_NONE=y # CONFIG_PREEMPT_VOLUNTARY is not set # CONFIG_PREEMPT is not set # CONFIG_PREEMPT_DYNAMIC is not set # # CPU/Task time and stats accounting # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set # CONFIG_IRQ_TIME_ACCOUNTING is not set # CONFIG_BSD_PROCESS_ACCT is not set # CONFIG_PSI is not set # end of CPU/Task time and stats accounting # # RCU Subsystem # CONFIG_TINY_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y CONFIG_TINY_SRCU=y # end of RCU Subsystem # CONFIG_IKCONFIG is not set # CONFIG_IKHEADERS is not set CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y # # Scheduler features # # end of Scheduler features CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y CONFIG_CC_HAS_INT128=y CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" CONFIG_ARCH_SUPPORTS_INT128=y # CONFIG_CGROUPS is not set # CONFIG_NAMESPACES is not set # CONFIG_CHECKPOINT_RESTORE is not set # CONFIG_SCHED_AUTOGROUP is not set # CONFIG_SYSFS_DEPRECATED is not set # CONFIG_RELAY is not set # CONFIG_BLK_DEV_INITRD is not set # CONFIG_BOOT_CONFIG is not set # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_LD_ORPHAN_WARN=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_HAVE_PCSPKR_PLATFORM=y CONFIG_EXPERT=y CONFIG_MULTIUSER=y # CONFIG_SGETMASK_SYSCALL is not set # CONFIG_SYSFS_SYSCALL is not set # CONFIG_FHANDLE is not set # CONFIG_POSIX_TIMERS is not set # CONFIG_PRINTK is not set # CONFIG_BUG is not set # CONFIG_PCSPKR_PLATFORM is not set # CONFIG_BASE_FULL is not set # CONFIG_FUTEX is not set # CONFIG_EPOLL is not set # CONFIG_SIGNALFD is not set # CONFIG_TIMERFD is not set # CONFIG_EVENTFD is not set # CONFIG_SHMEM is not set 
# CONFIG_AIO is not set # CONFIG_IO_URING is not set # CONFIG_ADVISE_SYSCALLS is not set # CONFIG_MEMBARRIER is not set # CONFIG_KALLSYMS is not set # CONFIG_USERFAULTFD is not set CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y # CONFIG_KCMP is not set # CONFIG_RSEQ is not set CONFIG_EMBEDDED=y CONFIG_HAVE_PERF_EVENTS=y # CONFIG_PC104 is not set # # Kernel Performance Events And Counters # CONFIG_PERF_EVENTS=y # CONFIG_DEBUG_PERF_USE_VMALLOC is not set # end of Kernel Performance Events And Counters # CONFIG_VM_EVENT_COUNTERS is not set # CONFIG_COMPAT_BRK is not set # CONFIG_SLAB is not set # CONFIG_SLUB is not set CONFIG_SLOB=y # CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set # CONFIG_PROFILING is not set # end of General setup CONFIG_64BIT=y CONFIG_X86_64=y CONFIG_X86=y CONFIG_INSTRUCTION_DECODER=y CONFIG_OUTPUT_FORMAT="elf64-x86-64" CONFIG_LOCKDEP_SUPPORT=y CONFIG_STACKTRACE_SUPPORT=y CONFIG_MMU=y CONFIG_ARCH_MMAP_RND_BITS_MIN=28 CONFIG_ARCH_MMAP_RND_BITS_MAX=32 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 CONFIG_GENERIC_ISA_DMA=y CONFIG_ARCH_MAY_HAVE_PC_FDC=y CONFIG_GENERIC_CALIBRATE_DELAY=y CONFIG_ARCH_HAS_CPU_RELAX=y CONFIG_ARCH_HAS_FILTER_PGPROT=y CONFIG_ARCH_HIBERNATION_POSSIBLE=y CONFIG_ARCH_NR_GPIO=1024 CONFIG_ARCH_SUSPEND_POSSIBLE=y CONFIG_ARCH_WANT_GENERAL_HUGETLB=y CONFIG_AUDIT_ARCH=y CONFIG_ARCH_SUPPORTS_UPROBES=y CONFIG_FIX_EARLYCON_MEM=y CONFIG_PGTABLE_LEVELS=5 CONFIG_CC_HAS_SANE_STACKPROTECTOR=y # # Processor type and features # # CONFIG_SMP is not set # CONFIG_X86_FEATURE_NAMES is not set CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_RETPOLINE is not set # CONFIG_X86_CPU_RESCTRL is not set # CONFIG_X86_EXTENDED_PLATFORM is not set # CONFIG_SCHED_OMIT_FRAME_POINTER is not set # CONFIG_HYPERVISOR_GUEST is not set # CONFIG_MK8 is not set # CONFIG_MPSC is not set # CONFIG_MCORE2 is not set # CONFIG_MATOM is not set CONFIG_GENERIC_CPU=y CONFIG_X86_INTERNODE_CACHE_SHIFT=6 CONFIG_X86_L1_CACHE_SHIFT=6 CONFIG_X86_TSC=y 
CONFIG_X86_CMPXCHG64=y CONFIG_X86_CMOV=y CONFIG_X86_MINIMUM_CPU_FAMILY=64 CONFIG_X86_DEBUGCTLMSR=y CONFIG_IA32_FEAT_CTL=y # CONFIG_PROCESSOR_SELECT is not set CONFIG_CPU_SUP_INTEL=y CONFIG_CPU_SUP_AMD=y CONFIG_CPU_SUP_HYGON=y CONFIG_CPU_SUP_CENTAUR=y CONFIG_CPU_SUP_ZHAOXIN=y CONFIG_HPET_TIMER=y # CONFIG_DMI is not set CONFIG_NR_CPUS_RANGE_BEGIN=1 CONFIG_NR_CPUS_RANGE_END=1 CONFIG_NR_CPUS_DEFAULT=1 CONFIG_NR_CPUS=1 CONFIG_UP_LATE_INIT=y CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y # CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set # CONFIG_X86_MCE is not set # # Performance monitoring # # CONFIG_PERF_EVENTS_AMD_POWER is not set # CONFIG_PERF_EVENTS_AMD_UNCORE is not set # end of Performance monitoring CONFIG_X86_VSYSCALL_EMULATION=y # CONFIG_X86_IOPL_IOPERM is not set # CONFIG_MICROCODE is not set # CONFIG_X86_MSR is not set # CONFIG_X86_CPUID is not set CONFIG_X86_5LEVEL=y CONFIG_X86_DIRECT_GBPAGES=y # CONFIG_AMD_MEM_ENCRYPT is not set CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 # CONFIG_X86_CHECK_BIOS_CORRUPTION is not set # CONFIG_MTRR is not set # CONFIG_ARCH_RANDOM is not set # CONFIG_X86_SMAP is not set # CONFIG_X86_UMIP is not set CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_X86_INTEL_TSX_MODE_OFF=y # CONFIG_X86_INTEL_TSX_MODE_ON is not set # CONFIG_X86_INTEL_TSX_MODE_AUTO is not set # CONFIG_HZ_100 is not set CONFIG_HZ_250=y # CONFIG_HZ_300 is not set # CONFIG_HZ_1000 is not set CONFIG_HZ=250 # CONFIG_KEXEC is not set # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 # CONFIG_RELOCATABLE is not set CONFIG_PHYSICAL_ALIGN=0x200000 CONFIG_DYNAMIC_MEMORY_LAYOUT=y # CONFIG_LEGACY_VSYSCALL_EMULATE is not set CONFIG_LEGACY_VSYSCALL_XONLY=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set # CONFIG_MODIFY_LDT_SYSCALL is not set # CONFIG_STRICT_SIGALTSTACK_SIZE is not set CONFIG_HAVE_LIVEPATCH=y # end of Processor type and 
features CONFIG_ARCH_HAS_ADD_PAGES=y CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y # # Power management and ACPI options # # CONFIG_SUSPEND is not set # CONFIG_PM is not set CONFIG_ARCH_SUPPORTS_ACPI=y # CONFIG_ACPI is not set # # CPU Frequency scaling # # CONFIG_CPU_FREQ is not set # end of CPU Frequency scaling # # CPU Idle # # CONFIG_CPU_IDLE is not set # end of CPU Idle # end of Power management and ACPI options # # Bus options (PCI etc.) # # CONFIG_ISA_BUS is not set CONFIG_ISA_DMA_API=y # end of Bus options (PCI etc.) # # Binary Emulations # # CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set # end of Binary Emulations CONFIG_HAVE_KVM=y # CONFIG_VIRTUALIZATION is not set CONFIG_AS_AVX512=y CONFIG_AS_SHA1_NI=y CONFIG_AS_SHA256_NI=y CONFIG_AS_TPAUSE=y # # General architecture-dependent options # CONFIG_GENERIC_ENTRY=y # CONFIG_JUMP_LABEL is not set # CONFIG_STATIC_CALL_SELFTEST is not set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y CONFIG_HAVE_IOREMAP_PROT=y CONFIG_HAVE_KPROBES=y CONFIG_HAVE_KRETPROBES=y CONFIG_HAVE_OPTPROBES=y CONFIG_HAVE_KPROBES_ON_FTRACE=y CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y CONFIG_HAVE_NMI=y CONFIG_TRACE_IRQFLAGS_SUPPORT=y CONFIG_HAVE_ARCH_TRACEHOOK=y CONFIG_HAVE_DMA_CONTIGUOUS=y CONFIG_GENERIC_SMP_IDLE_THREAD=y CONFIG_ARCH_HAS_FORTIFY_SOURCE=y CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y CONFIG_ARCH_WANTS_NO_INSTR=y CONFIG_HAVE_ASM_MODVERSIONS=y CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y CONFIG_HAVE_RSEQ=y CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y CONFIG_HAVE_HW_BREAKPOINT=y CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y CONFIG_HAVE_USER_RETURN_NOTIFIER=y CONFIG_HAVE_PERF_EVENTS_NMI=y CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y CONFIG_HAVE_PERF_REGS=y CONFIG_HAVE_PERF_USER_STACK_DUMP=y CONFIG_HAVE_ARCH_JUMP_LABEL=y CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y 
CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y CONFIG_HAVE_ARCH_SECCOMP=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y # CONFIG_SECCOMP is not set CONFIG_HAVE_ARCH_STACKLEAK=y CONFIG_HAVE_STACKPROTECTOR=y # CONFIG_STACKPROTECTOR is not set CONFIG_ARCH_SUPPORTS_LTO_CLANG=y CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y CONFIG_LTO_NONE=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_CONTEXT_TRACKING_OFFSTACK=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y CONFIG_HAVE_MOVE_PUD=y CONFIG_HAVE_MOVE_PMD=y CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y CONFIG_HAVE_ARCH_HUGE_VMAP=y CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y CONFIG_HAVE_ARCH_SOFT_DIRTY=y CONFIG_HAVE_MOD_ARCH_SPECIFIC=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y CONFIG_ARCH_MMAP_RND_BITS=28 CONFIG_PAGE_SIZE_LESS_THAN_64KB=y CONFIG_PAGE_SIZE_LESS_THAN_256KB=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_COMPAT_32BIT_TIME is not set CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y # CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_HAVE_STATIC_CALL=y CONFIG_HAVE_STATIC_CALL_INLINE=y CONFIG_HAVE_PREEMPT_DYNAMIC=y CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y CONFIG_ARCH_HAS_ELFCORE_COMPAT=y CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y CONFIG_DYNAMIC_SIGFRAME=y # # GCOV-based kernel profiling # CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y # end of GCOV-based kernel profiling CONFIG_HAVE_GCC_PLUGINS=y # CONFIG_GCC_PLUGINS is not set # end of General architecture-dependent options 
CONFIG_BASE_SMALL=1 # CONFIG_MODULES is not set CONFIG_MODULES_TREE_LOOKUP=y # CONFIG_BLOCK is not set CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y CONFIG_INLINE_WRITE_UNLOCK=y CONFIG_INLINE_WRITE_UNLOCK_IRQ=y CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y CONFIG_ARCH_USE_QUEUED_RWLOCKS=y CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y # # Executable file formats # # CONFIG_BINFMT_ELF is not set # CONFIG_BINFMT_SCRIPT is not set # CONFIG_BINFMT_MISC is not set # CONFIG_COREDUMP is not set # end of Executable file formats # # Memory Management options # CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y CONFIG_SPARSEMEM=y CONFIG_SPARSEMEM_EXTREME=y CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y CONFIG_SPARSEMEM_VMEMMAP=y CONFIG_HAVE_FAST_GUP=y CONFIG_EXCLUSIVE_SYSTEM_RAM=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y # CONFIG_MEMORY_HOTPLUG is not set CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y # CONFIG_COMPACTION is not set # CONFIG_PAGE_REPORTING is not set CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_VIRT_TO_BUS=y # CONFIG_KSM is not set CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_TRANSPARENT_HUGEPAGE is not set CONFIG_ARCH_WANTS_THP_SWAP=y CONFIG_NEED_PER_CPU_KM=y CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y CONFIG_HAVE_SETUP_PER_CPU_AREA=y # CONFIG_CMA is not set # CONFIG_ZPOOL is not set # CONFIG_ZSMALLOC is not set CONFIG_GENERIC_EARLY_IOREMAP=y # CONFIG_IDLE_PAGE_TRACKING is not set CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y CONFIG_ARCH_HAS_PTE_DEVMAP=y CONFIG_ARCH_HAS_ZONE_DMA_SET=y # CONFIG_ZONE_DMA is not set CONFIG_ZONE_DMA32=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y # CONFIG_PERCPU_STATS is not set # # GUP_TEST needs to have DEBUG_FS enabled # CONFIG_ARCH_HAS_PTE_SPECIAL=y # # Data Access Monitoring # # CONFIG_DAMON is not set # end of Data Access Monitoring # 
end of Memory Management options # CONFIG_NET is not set # # Device Drivers # CONFIG_HAVE_EISA=y # CONFIG_EISA is not set CONFIG_HAVE_PCI=y # CONFIG_PCI is not set # CONFIG_PCCARD is not set # # Generic Driver Options # # CONFIG_UEVENT_HELPER is not set # CONFIG_DEVTMPFS is not set # CONFIG_STANDALONE is not set # CONFIG_PREVENT_FIRMWARE_BUILD is not set # # Firmware loader # # CONFIG_FW_LOADER is not set # end of Firmware loader # CONFIG_ALLOW_DEV_COREDUMP is not set # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_DEVRES is not set # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set CONFIG_GENERIC_CPU_AUTOPROBE=y CONFIG_GENERIC_CPU_VULNERABILITIES=y # end of Generic Driver Options # # Bus devices # # CONFIG_MHI_BUS is not set # end of Bus devices # # Firmware Drivers # # # ARM System Control and Management Interface Protocol # # end of ARM System Control and Management Interface Protocol # CONFIG_EDD is not set # CONFIG_FIRMWARE_MEMMAP is not set # CONFIG_FW_CFG_SYSFS is not set CONFIG_SYSFB=y # CONFIG_SYSFB_SIMPLEFB is not set # CONFIG_GOOGLE_FIRMWARE is not set # # Tegra firmware driver # # end of Tegra firmware driver # end of Firmware Drivers # CONFIG_GNSS is not set # CONFIG_MTD is not set # CONFIG_OF is not set CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y # CONFIG_PARPORT is not set # # NVME Support # # end of NVME Support # # Misc devices # # CONFIG_DUMMY_IRQ is not set # CONFIG_ENCLOSURE_SERVICES is not set # CONFIG_SRAM is not set # CONFIG_XILINX_SDFEC is not set # CONFIG_C2PORT is not set # # EEPROM support # # CONFIG_EEPROM_93CX6 is not set # end of EEPROM support # # Texas Instruments shared transport line discipline # # end of Texas Instruments shared transport line discipline # # Altera FPGA firmware download module (requires I2C) # # CONFIG_ECHO is not set # CONFIG_PVPANIC is not set # end of Misc devices # # SCSI device support # CONFIG_SCSI_MOD=y # end of SCSI device support # CONFIG_MACINTOSH_DRIVERS is not set # # Input device support # # CONFIG_INPUT is not 
set # # Hardware I/O ports # # CONFIG_SERIO is not set CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y # CONFIG_GAMEPORT is not set # end of Hardware I/O ports # end of Input device support # # Character devices # # CONFIG_TTY is not set # CONFIG_SERIAL_DEV_BUS is not set # CONFIG_IPMI_HANDLER is not set # CONFIG_HW_RANDOM is not set # CONFIG_DEVMEM is not set # CONFIG_NVRAM is not set # CONFIG_HANGCHECK_TIMER is not set # CONFIG_TCG_TPM is not set # CONFIG_TELCLOCK is not set # CONFIG_RANDOM_TRUST_BOOTLOADER is not set # end of Character devices # # I2C support # # CONFIG_I2C is not set # end of I2C support # CONFIG_I3C is not set # CONFIG_SPI is not set # CONFIG_SPMI is not set # CONFIG_HSI is not set # CONFIG_PPS is not set # # PTP clock support # CONFIG_PTP_1588_CLOCK_OPTIONAL=y # # Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. # # end of PTP clock support # CONFIG_PINCTRL is not set # CONFIG_GPIOLIB is not set # CONFIG_W1 is not set # CONFIG_POWER_RESET is not set # CONFIG_POWER_SUPPLY is not set # CONFIG_HWMON is not set # CONFIG_THERMAL is not set # CONFIG_WATCHDOG is not set CONFIG_SSB_POSSIBLE=y # CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # CONFIG_BCMA is not set # # Multifunction device drivers # # CONFIG_MFD_MADERA is not set # CONFIG_HTC_PASIC3 is not set # CONFIG_MFD_KEMPLD is not set # CONFIG_MFD_MT6397 is not set # CONFIG_MFD_SM501 is not set # CONFIG_MFD_SYSCON is not set # CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_TQMX86 is not set # end of Multifunction device drivers # CONFIG_REGULATOR is not set # # CEC support # # CONFIG_MEDIA_CEC_SUPPORT is not set # end of CEC support # CONFIG_MEDIA_SUPPORT is not set # # Graphics support # # CONFIG_DRM is not set # CONFIG_DRM_DEBUG_MODESET_LOCK is not set # # ARM devices # # end of ARM devices # # Frame buffer Devices # # CONFIG_FB is not set # end of Frame buffer Devices # # Backlight & LCD device support # # CONFIG_LCD_CLASS_DEVICE is not set # CONFIG_BACKLIGHT_CLASS_DEVICE is not 
set # end of Backlight & LCD device support # end of Graphics support # CONFIG_SOUND is not set CONFIG_USB_OHCI_LITTLE_ENDIAN=y # CONFIG_USB_SUPPORT is not set # CONFIG_MMC is not set # CONFIG_MEMSTICK is not set # CONFIG_NEW_LEDS is not set # CONFIG_ACCESSIBILITY is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y # CONFIG_RTC_CLASS is not set # CONFIG_DMADEVICES is not set # # DMABUF options # # CONFIG_SYNC_FILE is not set # CONFIG_DMABUF_HEAPS is not set # end of DMABUF options # CONFIG_AUXDISPLAY is not set # CONFIG_UIO is not set # CONFIG_VFIO is not set # CONFIG_VIRT_DRIVERS is not set # CONFIG_VIRTIO_MENU is not set # CONFIG_VHOST_MENU is not set # # Microsoft Hyper-V guest support # # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set # CONFIG_COMEDI is not set # CONFIG_STAGING is not set # CONFIG_X86_PLATFORM_DEVICES is not set # CONFIG_CHROME_PLATFORMS is not set # CONFIG_MELLANOX_PLATFORM is not set # CONFIG_SURFACE_PLATFORMS is not set # CONFIG_COMMON_CLK is not set # CONFIG_HWSPINLOCK is not set # # Clock Source drivers # CONFIG_CLKEVT_I8253=y CONFIG_CLKBLD_I8253=y # end of Clock Source drivers # CONFIG_MAILBOX is not set # CONFIG_IOMMU_SUPPORT is not set # # Remoteproc drivers # # CONFIG_REMOTEPROC is not set # end of Remoteproc drivers # # Rpmsg drivers # # CONFIG_RPMSG_VIRTIO is not set # end of Rpmsg drivers # # SOC (System On Chip) specific Drivers # # # Amlogic SoC drivers # # end of Amlogic SoC drivers # # Broadcom SoC drivers # # end of Broadcom SoC drivers # # NXP/Freescale QorIQ SoC drivers # # end of NXP/Freescale QorIQ SoC drivers # # i.MX SoC drivers # # end of i.MX SoC drivers # # Enable LiteX SoC Builder specific drivers # # end of Enable LiteX SoC Builder specific drivers # # Qualcomm SoC drivers # # end of Qualcomm SoC drivers # CONFIG_SOC_TI is not set # # Xilinx SoC drivers # # end of Xilinx SoC drivers # end of SOC (System On Chip) specific Drivers # 
CONFIG_PM_DEVFREQ is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set # CONFIG_PWM is not set # # IRQ chip support # # end of IRQ chip support # CONFIG_IPACK_BUS is not set # CONFIG_RESET_CONTROLLER is not set # # PHY Subsystem # # CONFIG_GENERIC_PHY is not set # CONFIG_PHY_CAN_TRANSCEIVER is not set # # PHY drivers for Broadcom platforms # # CONFIG_BCM_KONA_USB2_PHY is not set # end of PHY drivers for Broadcom platforms # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_PHY_INTEL_LGM_EMMC is not set # end of PHY Subsystem # CONFIG_POWERCAP is not set # CONFIG_MCB is not set # # Performance monitor support # # end of Performance monitor support # CONFIG_RAS is not set # # Android # # CONFIG_ANDROID is not set # end of Android # CONFIG_DAX is not set # CONFIG_NVMEM is not set # # HW tracing support # # CONFIG_STM is not set # CONFIG_INTEL_TH is not set # end of HW tracing support # CONFIG_FPGA is not set # CONFIG_TEE is not set # CONFIG_SIOX is not set # CONFIG_SLIMBUS is not set # CONFIG_INTERCONNECT is not set # CONFIG_COUNTER is not set # end of Device Drivers # # File systems # CONFIG_DCACHE_WORD_ACCESS=y # CONFIG_VALIDATE_FS_PARSER is not set # CONFIG_FS_DAX is not set # CONFIG_EXPORTFS_BLOCK_OPS is not set # CONFIG_FILE_LOCKING is not set # CONFIG_FS_ENCRYPTION is not set # CONFIG_FS_VERITY is not set # CONFIG_DNOTIFY is not set # CONFIG_INOTIFY_USER is not set # CONFIG_FANOTIFY is not set # CONFIG_QUOTA is not set # CONFIG_AUTOFS4_FS is not set # CONFIG_AUTOFS_FS is not set # CONFIG_FUSE_FS is not set # CONFIG_OVERLAY_FS is not set # # Caches # # CONFIG_FSCACHE is not set # end of Caches # # Pseudo filesystems # # CONFIG_PROC_FS is not set # CONFIG_PROC_CHILDREN is not set CONFIG_KERNFS=y CONFIG_SYSFS=y # CONFIG_HUGETLBFS is not set CONFIG_ARCH_HAS_GIGANTIC_PAGE=y # CONFIG_CONFIGFS_FS is not set # end of Pseudo filesystems # CONFIG_MISC_FILESYSTEMS is not set # CONFIG_NLS is not set # 
CONFIG_UNICODE is not set # end of File systems # # Security options # CONFIG_KEYS=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set # CONFIG_ENCRYPTED_KEYS is not set # CONFIG_KEY_DH_OPERATIONS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITY=y # CONFIG_SECURITYFS is not set # CONFIG_SECURITY_NETWORK is not set CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_SECURITY_PATH is not set # CONFIG_FORTIFY_SOURCE is not set # CONFIG_STATIC_USERMODEHELPER is not set # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_PLATFORM_KEYS="localhost.pem" # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" # # Kernel hardening options # # # Memory initialization # CONFIG_INIT_STACK_NONE=y # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y # CONFIG_ZERO_CALL_USED_REGS is not set # end of Memory initialization # end of Kernel hardening options # end of Security options CONFIG_CRYPTO=y # # Crypto core or helper # CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD2=y CONFIG_CRYPTO_SKCIPHER2=y CONFIG_CRYPTO_HASH=y CONFIG_CRYPTO_HASH2=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_ACOMP2=y CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y # CONFIG_CRYPTO_NULL is not set CONFIG_CRYPTO_NULL2=y # CONFIG_CRYPTO_CRYPTD is not set # CONFIG_CRYPTO_AUTHENC is not set # CONFIG_CRYPTO_TEST is not set # # Public-key cryptography # CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set # CONFIG_CRYPTO_ECDH is not set # CONFIG_CRYPTO_ECDSA is not set # 
CONFIG_CRYPTO_ECRDSA is not set # CONFIG_CRYPTO_SM2 is not set # CONFIG_CRYPTO_CURVE25519 is not set # CONFIG_CRYPTO_CURVE25519_X86 is not set # # Authenticated Encryption with Associated Data # # CONFIG_CRYPTO_CCM is not set # CONFIG_CRYPTO_GCM is not set # CONFIG_CRYPTO_CHACHA20POLY1305 is not set # CONFIG_CRYPTO_AEGIS128 is not set # CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set # CONFIG_CRYPTO_SEQIV is not set # CONFIG_CRYPTO_ECHAINIV is not set # # Block modes # # CONFIG_CRYPTO_CBC is not set # CONFIG_CRYPTO_CFB is not set # CONFIG_CRYPTO_CTR is not set # CONFIG_CRYPTO_CTS is not set # CONFIG_CRYPTO_ECB is not set # CONFIG_CRYPTO_LRW is not set # CONFIG_CRYPTO_OFB is not set # CONFIG_CRYPTO_PCBC is not set # CONFIG_CRYPTO_XTS is not set # CONFIG_CRYPTO_KEYWRAP is not set # CONFIG_CRYPTO_NHPOLY1305_SSE2 is not set # CONFIG_CRYPTO_NHPOLY1305_AVX2 is not set # CONFIG_CRYPTO_ADIANTUM is not set # CONFIG_CRYPTO_ESSIV is not set # # Hash modes # # CONFIG_CRYPTO_CMAC is not set # CONFIG_CRYPTO_HMAC is not set # CONFIG_CRYPTO_XCBC is not set # CONFIG_CRYPTO_VMAC is not set # # Digest # # CONFIG_CRYPTO_CRC32C is not set # CONFIG_CRYPTO_CRC32C_INTEL is not set # CONFIG_CRYPTO_CRC32 is not set # CONFIG_CRYPTO_CRC32_PCLMUL is not set # CONFIG_CRYPTO_XXHASH is not set # CONFIG_CRYPTO_BLAKE2B is not set # CONFIG_CRYPTO_BLAKE2S is not set # CONFIG_CRYPTO_BLAKE2S_X86 is not set # CONFIG_CRYPTO_CRCT10DIF is not set # CONFIG_CRYPTO_GHASH is not set # CONFIG_CRYPTO_POLY1305 is not set # CONFIG_CRYPTO_POLY1305_X86_64 is not set # CONFIG_CRYPTO_MD4 is not set # CONFIG_CRYPTO_MD5 is not set # CONFIG_CRYPTO_MICHAEL_MIC is not set # CONFIG_CRYPTO_RMD160 is not set CONFIG_CRYPTO_SHA1=y # CONFIG_CRYPTO_SHA1_SSSE3 is not set # CONFIG_CRYPTO_SHA256_SSSE3 is not set # CONFIG_CRYPTO_SHA512_SSSE3 is not set # CONFIG_CRYPTO_SHA256 is not set # CONFIG_CRYPTO_SHA512 is not set # CONFIG_CRYPTO_SHA3 is not set # CONFIG_CRYPTO_SM3 is not set # CONFIG_CRYPTO_STREEBOG is not set # 
CONFIG_CRYPTO_WP512 is not set # CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set # # Ciphers # # CONFIG_CRYPTO_AES is not set # CONFIG_CRYPTO_AES_TI is not set # CONFIG_CRYPTO_AES_NI_INTEL is not set # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA is not set # CONFIG_CRYPTO_CAMELLIA_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 is not set # CONFIG_CRYPTO_CAST5 is not set # CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set # CONFIG_CRYPTO_CAST6 is not set # CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set # CONFIG_CRYPTO_DES is not set # CONFIG_CRYPTO_DES3_EDE_X86_64 is not set # CONFIG_CRYPTO_FCRYPT is not set # CONFIG_CRYPTO_CHACHA20 is not set # CONFIG_CRYPTO_CHACHA20_X86_64 is not set # CONFIG_CRYPTO_SERPENT is not set # CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set # CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set # CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set # CONFIG_CRYPTO_SM4 is not set # CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64 is not set # CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64 is not set # CONFIG_CRYPTO_TWOFISH is not set # CONFIG_CRYPTO_TWOFISH_X86_64 is not set # CONFIG_CRYPTO_TWOFISH_X86_64_3WAY is not set # CONFIG_CRYPTO_TWOFISH_AVX_X86_64 is not set # # Compression # # CONFIG_CRYPTO_DEFLATE is not set # CONFIG_CRYPTO_LZO is not set # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set # CONFIG_CRYPTO_ZSTD is not set # # Random Number Generation # # CONFIG_CRYPTO_ANSI_CPRNG is not set # CONFIG_CRYPTO_DRBG_MENU is not set # CONFIG_CRYPTO_JITTERENTROPY is not set CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_PADLOCK is not set # CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y CONFIG_X509_CERTIFICATE_PARSER=y # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set # CONFIG_PKCS7_MESSAGE_PARSER is not set # # Certificates for signature checking # # 
CONFIG_SYSTEM_TRUSTED_KEYRING is not set CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" # end of Certificates for signature checking # # Library routines # # CONFIG_PACKING is not set CONFIG_GENERIC_STRNCPY_FROM_USER=y CONFIG_GENERIC_STRNLEN_USER=y # CONFIG_CORDIC is not set # CONFIG_PRIME_NUMBERS is not set CONFIG_GENERIC_PCI_IOMAP=y CONFIG_GENERIC_IOMAP=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y CONFIG_ARCH_USE_SYM_ANNOTATIONS=y # # Crypto library routines # CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y # CONFIG_CRYPTO_LIB_CHACHA is not set # CONFIG_CRYPTO_LIB_CURVE25519 is not set CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 # CONFIG_CRYPTO_LIB_POLY1305 is not set # CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set # end of Crypto library routines # CONFIG_CRC_CCITT is not set # CONFIG_CRC16 is not set # CONFIG_CRC_T10DIF is not set # CONFIG_CRC_ITU_T is not set # CONFIG_CRC32 is not set # CONFIG_CRC64 is not set # CONFIG_CRC4 is not set # CONFIG_CRC7 is not set # CONFIG_LIBCRC32C is not set # CONFIG_CRC8 is not set # CONFIG_RANDOM32_SELFTEST is not set # CONFIG_XZ_DEC is not set CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y CONFIG_HAS_DMA=y CONFIG_NEED_SG_DMA_LENGTH=y CONFIG_NEED_DMA_MAP_STATE=y CONFIG_ARCH_DMA_ADDR_T_64BIT=y CONFIG_SWIOTLB=y # CONFIG_DMA_API_DEBUG is not set CONFIG_SGL_ALLOC=y CONFIG_CLZ_TAB=y # CONFIG_IRQ_POLL is not set CONFIG_MPILIB=y CONFIG_SIGNATURE=y CONFIG_OID_REGISTRY=y CONFIG_HAVE_GENERIC_VDSO=y CONFIG_GENERIC_GETTIMEOFDAY=y CONFIG_GENERIC_VDSO_TIME_NS=y CONFIG_ARCH_HAS_PMEM_API=y CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y CONFIG_ARCH_HAS_COPY_MC=y CONFIG_ARCH_STACKWALK=y # end of Library routines # # Kernel hacking # # # printk and dmesg options # CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 CONFIG_CONSOLE_LOGLEVEL_QUIET=4 CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 # CONFIG_SYMBOLIC_ERRNAME is not set # end of printk and dmesg options # # Compile-time checks and compiler options # # CONFIG_DEBUG_INFO is not 
set CONFIG_FRAME_WARN=1024 # CONFIG_STRIP_ASM_SYMS is not set # CONFIG_READABLE_ASM is not set # CONFIG_HEADERS_INSTALL is not set # CONFIG_DEBUG_SECTION_MISMATCH is not set # CONFIG_SECTION_MISMATCH_WARN_ONLY is not set # CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B is not set CONFIG_STACK_VALIDATION=y # CONFIG_VMLINUX_MAP is not set # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set # end of Compile-time checks and compiler options # # Generic Kernel Debugging Instruments # # CONFIG_MAGIC_SYSRQ is not set # CONFIG_DEBUG_FS is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_HAVE_ARCH_KCSAN=y CONFIG_HAVE_KCSAN_COMPILER=y # CONFIG_KCSAN is not set # end of Generic Kernel Debugging Instruments CONFIG_DEBUG_KERNEL=y # CONFIG_DEBUG_MISC is not set # # Networking Debugging # # CONFIG_NET_DEV_REFCNT_TRACKER is not set # CONFIG_NET_NS_REFCNT_TRACKER is not set # end of Networking Debugging # # Memory Debugging # # CONFIG_PAGE_EXTENSION is not set # CONFIG_DEBUG_PAGEALLOC is not set # CONFIG_PAGE_OWNER is not set # CONFIG_PAGE_TABLE_CHECK is not set # CONFIG_PAGE_POISONING is not set # CONFIG_DEBUG_RODATA_TEST is not set CONFIG_ARCH_HAS_DEBUG_WX=y # CONFIG_DEBUG_WX is not set CONFIG_GENERIC_PTDUMP=y # CONFIG_DEBUG_OBJECTS is not set CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_KMEMLEAK is not set # CONFIG_DEBUG_STACK_USAGE is not set # CONFIG_SCHED_STACK_END_CHECK is not set CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y # CONFIG_DEBUG_VM is not set # CONFIG_DEBUG_VM_PGTABLE is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set # CONFIG_DEBUG_MEMORY_INIT is not set CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y # CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is not set CONFIG_HAVE_ARCH_KASAN=y CONFIG_HAVE_ARCH_KASAN_VMALLOC=y CONFIG_CC_HAS_KASAN_GENERIC=y CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y CONFIG_HAVE_ARCH_KFENCE=y # end of Memory Debugging # CONFIG_DEBUG_SHIRQ is not set # # Debug Oops, Lockups and Hangs 
# # CONFIG_PANIC_ON_OOPS is not set CONFIG_PANIC_ON_OOPS_VALUE=0 CONFIG_PANIC_TIMEOUT=0 # CONFIG_SOFTLOCKUP_DETECTOR is not set CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y # CONFIG_HARDLOCKUP_DETECTOR is not set # CONFIG_DETECT_HUNG_TASK is not set # CONFIG_WQ_WATCHDOG is not set # end of Debug Oops, Lockups and Hangs # # Scheduler Debugging # # end of Scheduler Debugging # CONFIG_DEBUG_TIMEKEEPING is not set # # Lock Debugging (spinlocks, mutexes, etc...) # CONFIG_LOCK_DEBUGGING_SUPPORT=y # CONFIG_PROVE_LOCKING is not set # CONFIG_LOCK_STAT is not set # CONFIG_DEBUG_SPINLOCK is not set # CONFIG_DEBUG_MUTEXES is not set # CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set # CONFIG_DEBUG_RWSEMS is not set # CONFIG_DEBUG_LOCK_ALLOC is not set # CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set # CONFIG_LOCK_TORTURE_TEST is not set # CONFIG_WW_MUTEX_SELFTEST is not set # CONFIG_SCF_TORTURE_TEST is not set # CONFIG_CSD_LOCK_WAIT_DEBUG is not set # end of Lock Debugging (spinlocks, mutexes, etc...) 
# CONFIG_DEBUG_IRQFLAGS is not set # CONFIG_STACKTRACE is not set # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set # CONFIG_DEBUG_KOBJECT is not set # # Debug kernel data structures # # CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PLIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set # CONFIG_BUG_ON_DATA_CORRUPTION is not set # end of Debug kernel data structures # CONFIG_DEBUG_CREDENTIALS is not set # # RCU Debugging # # CONFIG_RCU_SCALE_TEST is not set # CONFIG_RCU_TORTURE_TEST is not set # CONFIG_RCU_REF_SCALE_TEST is not set # CONFIG_RCU_TRACE is not set # CONFIG_RCU_EQS_DEBUG is not set # end of RCU Debugging # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y CONFIG_HAVE_DYNAMIC_FTRACE=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y CONFIG_HAVE_SYSCALL_TRACEPOINTS=y CONFIG_HAVE_FENTRY=y CONFIG_HAVE_OBJTOOL_MCOUNT=y CONFIG_HAVE_C_RECORDMCOUNT=y CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y CONFIG_TRACING_SUPPORT=y # CONFIG_FTRACE is not set # CONFIG_SAMPLES is not set CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y # # x86 Debugging # CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y # CONFIG_X86_VERBOSE_BOOTUP is not set # CONFIG_EARLY_PRINTK is not set # CONFIG_DEBUG_TLBFLUSH is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y # CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_0X80=y # CONFIG_IO_DELAY_0XED is not set # CONFIG_IO_DELAY_UDELAY is not set # CONFIG_IO_DELAY_NONE is not set # CONFIG_CPA_DEBUG is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set # CONFIG_X86_DEBUG_FPU is not set # CONFIG_UNWINDER_ORC is not set # CONFIG_UNWINDER_FRAME_POINTER is not set CONFIG_UNWINDER_GUESS=y # end of x86 Debugging # # Kernel Testing and Coverage # # CONFIG_KUNIT is not set # CONFIG_NOTIFIER_ERROR_INJECTION is 
not set # CONFIG_FAULT_INJECTION is not set CONFIG_ARCH_HAS_KCOV=y CONFIG_CC_HAS_SANCOV_TRACE_PC=y # CONFIG_KCOV is not set # CONFIG_RUNTIME_TESTING_MENU is not set CONFIG_ARCH_USE_MEMTEST=y # CONFIG_MEMTEST is not set # end of Kernel Testing and Coverage # end of Kernel hacking
On Mon, Mar 07, 2022 at 02:48:52PM +0200, Jarkko Sakkinen wrote: > On Sun, Mar 06, 2022 at 03:51:00PM -0500, Nayna Jain wrote: > > Allow firmware keys to be embedded in the Linux kernel and loaded onto > > the ".platform" keyring on boot. > > > > The firmware keys can be specified in a file as a list of PEM encoded > > certificates using new config INTEGRITY_PLATFORM_KEYS. The certificates > > are embedded in the image by converting the PEM-formatted certificates > > into DER(binary) and generating > > security/integrity/platform_certs/platform_certificate_list file at > > build time. On boot, the embedded certs from the image are loaded onto > > the ".platform" keyring at late_initcall(), ensuring the platform keyring > > exists before loading the keys. > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > > --- > > security/integrity/Kconfig | 10 ++++++++ > > security/integrity/Makefile | 15 +++++++++++- > > security/integrity/integrity.h | 3 +++ > > .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ > > .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ > > 5 files changed, 73 insertions(+), 1 deletion(-) > > create mode 100644 security/integrity/platform_certs/platform_cert.S > > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig > > index 599429f99f99..77b2c22c0e1b 100644 > > --- a/security/integrity/Kconfig > > +++ b/security/integrity/Kconfig 
> > @@ -62,6 +62,16 @@ config INTEGRITY_PLATFORM_KEYRING > > provided by the platform for verifying the kexec'ed kerned image > > and, possibly, the initramfs signature. > > > > +config INTEGRITY_PLATFORM_KEYS > > + string "Builtin X.509 keys for .platform keyring" > > + depends on KEYS > > + depends on ASYMMETRIC_KEY_TYPE > > + depends on INTEGRITY_PLATFORM_KEYRING > > + help > > + If set, this option should be the filename of a PEM-formatted file > > + containing X.509 certificates to be loaded onto the ".platform" > > + keyring. > > + > > config INTEGRITY_MACHINE_KEYRING > > bool "Provide a keyring to which Machine Owner Keys may be added" > > depends on SECONDARY_TRUSTED_KEYRING > > diff --git a/security/integrity/Makefile b/security/integrity/Makefile > > index d0ffe37dc1d6..65bd93301a3a 100644 > > --- a/security/integrity/Makefile > > +++ b/security/integrity/Makefile > > @@ -3,13 +3,17 @@ > > # Makefile for caching inode integrity data (iint) > > # > > > > +quiet_cmd_extract_certs = CERT $@ > > + cmd_extract_certs = certs/extract-cert $(2) $@ > > + > > obj-$(CONFIG_INTEGRITY) += integrity.o > > > > integrity-y := iint.o > > integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o > > integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o > > integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o > > -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o > > +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ > > + platform_certs/platform_cert.o > > integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o > > integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ > > platform_certs/load_uefi.o \ 
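Review bot: The help text for INTEGRITY_PLATFORM_KEYS says which file to point at but not what trust the listed certificates receive; since they land on the .platform keyring, which the context lines above describe as verifying the kexec'ed kernel image and possibly the initramfs signature, an integrator setting this option needs that stated. Suggest ending the help with a sentence like `Certificates embedded this way are trusted for the same purposes as keys provided by the platform firmware.` The `depends on KEYS` and `depends on ASYMMETRIC_KEY_TYPE` lines look redundant next to `depends on INTEGRITY_PLATFORM_KEYRING`, which presumably already implies both; worth confirming against the existing Kconfig and dropping if so. The same hunk is quoted in the two later replies and in the raw patch at the end of the page.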
> > @@ -20,3 +24,12 @@ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ > > platform_certs/keyring_handler.o > > obj-$(CONFIG_IMA) += ima/ > > obj-$(CONFIG_EVM) += evm/ > > + > > +$(obj)/platform_certs/platform_cert.o: $(obj)/platform_certs/platform_certificate_list > > + > > +targets += platform_certificate_list > > + > > +$(obj)/platform_certs/platform_certificate_list: $(CONFIG_INTEGRITY_PLATFORM_KEYS) certs/extract-cert FORCE > > + $(call if_changed,extract_certs,$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,"")) > > + > > +clean-files := platform_certs/platform_certificate_list > > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > > index 76e9a9515f99..219da29fecf7 100644 > > --- a/security/integrity/integrity.h > > +++ b/security/integrity/integrity.h > > @@ -282,6 +282,9 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) > > #endif > > > > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > +extern __initconst const u8 platform_certificate_list[]; > > +extern __initconst const unsigned long platform_certificate_list_size; > > + > > void __init add_to_platform_keyring(const char *source, const void *data, > > size_t len); > > #else > > diff --git a/security/integrity/platform_certs/platform_cert.S b/security/integrity/platform_certs/platform_cert.S > > new file mode 100644 > > index 000000000000..20bccce5dc5a > > --- /dev/null > > +++ b/security/integrity/platform_certs/platform_cert.S 
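Review bot: `targets += platform_certificate_list` does not name the rule's actual target, `$(obj)/platform_certs/platform_certificate_list`; Kbuild `targets` entries are relative to `$(obj)`, so as written the generated list's `.cmd` file is not picked up and `if_changed` cannot notice a changed command line or PEM path on rebuild, which can leave a stale certificate list embedded in the image. It should read `targets += platform_certs/platform_certificate_list`, which also matches the path already used by the `clean-files` line. The same hunk is quoted in the two later replies.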
> > @@ -0,0 +1,23 @@ > > +/* SPDX-License-Identifier: GPL-2.0 */ > > +#include <linux/export.h> > > +#include <linux/init.h> > > + > > + __INITRODATA > > + > > + .align 8 > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > + .globl platform_certificate_list > > +platform_certificate_list: > > +__cert_list_start: > > + .incbin "security/integrity/platform_certs/platform_certificate_list" > > +__cert_list_end: > > +#endif > > + > > + .align 8 > > + .globl platform_certificate_list_size > > +platform_certificate_list_size: > > +#ifdef CONFIG_64BIT > > + .quad __cert_list_end - __cert_list_start > > +#else > > + .long __cert_list_end - __cert_list_start > > +#endif > > diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c > > index bcafd7387729..c2368912fd1b 100644 > > --- a/security/integrity/platform_certs/platform_keyring.c > > +++ b/security/integrity/platform_certs/platform_keyring.c > > @@ -12,6 +12,7 @@ > > #include <linux/cred.h> > > #include <linux/err.h> > > #include <linux/slab.h> > > +#include <keys/system_keyring.h> > > #include "../integrity.h" > > > > /** 
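Review bot: The `#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING` around `platform_certificate_list` is redundant and, if it were ever false, would break the build: the Makefile hunk above only compiles platform_cert.o when that option is set, while the size word below is unconditional and references `__cert_list_start`/`__cert_list_end`, which the `#ifdef` would then have removed. Either drop the `#ifdef`/`#endif` pair or move the `#endif` past the size definition so both halves are guarded together. A one-line comment above `__INITRODATA`, e.g. `/* DER certificate list generated at build time from CONFIG_INTEGRITY_PLATFORM_KEYS */`, would tell a reader where the incbin'd file comes from. The same hunk is quoted in the two later replies.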
> > @@ -37,6 +38,28 @@ void __init add_to_platform_keyring(const char *source, const void *data, > > pr_info("Error adding keys to platform keyring %s\n", source); > > } > > > > +static __init int load_platform_certificate_list(void) > > +{ > > + const u8 *p; > > + unsigned long size; > > + int rc; > > + struct key *keyring; > > + > > + p = platform_certificate_list; > > + size = platform_certificate_list_size; > > + > > + keyring = integrity_keyring_from_id(INTEGRITY_KEYRING_PLATFORM); > > + if (IS_ERR(keyring)) > > + return PTR_ERR(keyring); > > + > > + rc = load_certificate_list(p, size, keyring); > > + if (rc) > > + pr_info("Error adding keys to platform keyring %d\n", rc); > > + > > + return rc; > > +} > > +late_initcall(load_platform_certificate_list); > > + > > /* > > * Create the trusted keyrings. > > */ > > -- > > 2.27.0 > > > > There's zero tested-by's for this, i.e. cannot be applied before someone > has tested this. Mimi, do not mean to be rude, but I don't frankly > understand why you ask to pick a patch set that is *untested*. > > So I generated a self-signed certificate: > > openssl req -x509 -out localhost.crt -keyout localhost.key \ > -newkey rsa:2048 -nodes -sha256 \ > -subj '/CN=localhost' -extensions EXT -config <( \ > printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") > > (by courtesy of letsencrypt: https://letsencrypt.org/docs/certificates-for-localhost/) > > openssl x509 -in localhost.crt -out localhost.pem -outform PEM > > And starting with tinyconfig I added minimal options to enable this > feature. The config is attached. > > The end result is: > > make[2]: *** No rule to make target 'certs/extract-cert', needed by 'security/integrity/platform_certs/platform_certificate_list'. Stop. 
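Review bot: `load_platform_certificate_list()` lacks the kernel-doc block that its sibling `add_to_platform_keyring()` carries (the `/**` context at the end of the previous hunk), and nothing in the code says why it is a `late_initcall`; a comment such as `/* Load the certificates embedded from CONFIG_INTEGRITY_PLATFORM_KEYS onto the .platform keyring; runs as a late_initcall so the keyring has already been created. */` would carry that. The `p` and `size` locals are plain copies of `platform_certificate_list` and `platform_certificate_list_size` and can be passed directly to `load_certificate_list()`. A failure to load keys that later gate kexec verification is logged at `pr_info()` level here, matching `add_to_platform_keyring()` above, though `pr_err()` would be the more usual level for an initcall that also returns the error. `load_certificate_list()` and `integrity_keyring_from_id()` are presumably provided by earlier patches in this series and are not visible here; the same hunk is quoted in the two later replies.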
> make[1]: *** [scripts/Makefile.build:550: security/integrity] Error 2 > make: *** [Makefile:1831: security] Error 2 > > BR, Jarkko At least for the next PR, I'm not including this, sorry. BR, Jarkko
[Cc'ing Masahiro Yamada] On Mon, 2022-03-07 at 14:48 +0200, Jarkko Sakkinen wrote: > On Sun, Mar 06, 2022 at 03:51:00PM -0500, Nayna Jain wrote: > > Allow firmware keys to be embedded in the Linux kernel and loaded onto > > the ".platform" keyring on boot. > > > > The firmware keys can be specified in a file as a list of PEM encoded > > certificates using new config INTEGRITY_PLATFORM_KEYS. The certificates > > are embedded in the image by converting the PEM-formatted certificates > > into DER(binary) and generating > > security/integrity/platform_certs/platform_certificate_list file at > > build time. On boot, the embedded certs from the image are loaded onto > > the ".platform" keyring at late_initcall(), ensuring the platform keyring > > exists before loading the keys. > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > > --- > > security/integrity/Kconfig | 10 ++++++++ > > security/integrity/Makefile | 15 +++++++++++- > > security/integrity/integrity.h | 3 +++ > > .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ > > .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ > > 5 files changed, 73 insertions(+), 1 deletion(-) > > create mode 100644 security/integrity/platform_certs/platform_cert.S > > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig > > index 599429f99f99..77b2c22c0e1b 100644 > > --- a/security/integrity/Kconfig > > +++ b/security/integrity/Kconfig 
> > @@ -62,6 +62,16 @@ config INTEGRITY_PLATFORM_KEYRING > > provided by the platform for verifying the kexec'ed kerned image > > and, possibly, the initramfs signature. > > > > +config INTEGRITY_PLATFORM_KEYS > > + string "Builtin X.509 keys for .platform keyring" > > + depends on KEYS > > + depends on ASYMMETRIC_KEY_TYPE > > + depends on INTEGRITY_PLATFORM_KEYRING > > + help > > + If set, this option should be the filename of a PEM-formatted file > > + containing X.509 certificates to be loaded onto the ".platform" > > + keyring. > > + > > config INTEGRITY_MACHINE_KEYRING > > bool "Provide a keyring to which Machine Owner Keys may be added" > > depends on SECONDARY_TRUSTED_KEYRING > > diff --git a/security/integrity/Makefile b/security/integrity/Makefile > > index d0ffe37dc1d6..65bd93301a3a 100644 > > --- a/security/integrity/Makefile > > +++ b/security/integrity/Makefile > > @@ -3,13 +3,17 @@ > > # Makefile for caching inode integrity data (iint) > > # > > > > +quiet_cmd_extract_certs = CERT $@ > > + cmd_extract_certs = certs/extract-cert $(2) $@ > > + > > obj-$(CONFIG_INTEGRITY) += integrity.o > > > > integrity-y := iint.o > > integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o > > integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o > > integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o > > -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o > > +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ > > + platform_certs/platform_cert.o > > integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o > > integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ > > platform_certs/load_uefi.o \ 
> > @@ -20,3 +24,12 @@ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ > > platform_certs/keyring_handler.o > > obj-$(CONFIG_IMA) += ima/ > > obj-$(CONFIG_EVM) += evm/ > > + > > +$(obj)/platform_certs/platform_cert.o: $(obj)/platform_certs/platform_certificate_list > > + > > +targets += platform_certificate_list > > + > > +$(obj)/platform_certs/platform_certificate_list: $(CONFIG_INTEGRITY_PLATFORM_KEYS) certs/extract-cert FORCE > > + $(call if_changed,extract_certs,$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,"")) > > + > > +clean-files := platform_certs/platform_certificate_list > > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > > index 76e9a9515f99..219da29fecf7 100644 > > --- a/security/integrity/integrity.h > > +++ b/security/integrity/integrity.h > > @@ -282,6 +282,9 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) > > #endif > > > > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > +extern __initconst const u8 platform_certificate_list[]; > > +extern __initconst const unsigned long platform_certificate_list_size; > > + > > void __init add_to_platform_keyring(const char *source, const void *data, > > size_t len); > > #else > > diff --git a/security/integrity/platform_certs/platform_cert.S b/security/integrity/platform_certs/platform_cert.S > > new file mode 100644 > > index 000000000000..20bccce5dc5a > > --- /dev/null > > +++ b/security/integrity/platform_certs/platform_cert.S 
> > @@ -0,0 +1,23 @@ > > +/* SPDX-License-Identifier: GPL-2.0 */ > > +#include <linux/export.h> > > +#include <linux/init.h> > > + > > + __INITRODATA > > + > > + .align 8 > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > + .globl platform_certificate_list > > +platform_certificate_list: > > +__cert_list_start: > > + .incbin "security/integrity/platform_certs/platform_certificate_list" > > +__cert_list_end: > > +#endif > > + > > + .align 8 > > + .globl platform_certificate_list_size > > +platform_certificate_list_size: > > +#ifdef CONFIG_64BIT > > + .quad __cert_list_end - __cert_list_start > > +#else > > + .long __cert_list_end - __cert_list_start > > +#endif > > diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c > > index bcafd7387729..c2368912fd1b 100644 > > --- a/security/integrity/platform_certs/platform_keyring.c > > +++ b/security/integrity/platform_certs/platform_keyring.c > > @@ -12,6 +12,7 @@ > > #include <linux/cred.h> > > #include <linux/err.h> > > #include <linux/slab.h> > > +#include <keys/system_keyring.h> > > #include "../integrity.h" > > > > /** 
> > @@ -37,6 +38,28 @@ void __init add_to_platform_keyring(const char *source, const void *data, > > pr_info("Error adding keys to platform keyring %s\n", source); > > } > > > > +static __init int load_platform_certificate_list(void) > > +{ > > + const u8 *p; > > + unsigned long size; > > + int rc; > > + struct key *keyring; > > + > > + p = platform_certificate_list; > > + size = platform_certificate_list_size; > > + > > + keyring = integrity_keyring_from_id(INTEGRITY_KEYRING_PLATFORM); > > + if (IS_ERR(keyring)) > > + return PTR_ERR(keyring); > > + > > + rc = load_certificate_list(p, size, keyring); > > + if (rc) > > + pr_info("Error adding keys to platform keyring %d\n", rc); > > + > > + return rc; > > +} > > +late_initcall(load_platform_certificate_list); > > + > > /* > > * Create the trusted keyrings. > > */ > > -- > > 2.27.0 > > > > There's zero tested-by's for this, i.e. cannot be applied before someone > has tested this. Mimi, do not mean to be rude, but I don't frankly > understand why you ask to pick a patch set that is *untested*. > So I generated a self-signed certificate: > > openssl req -x509 -out localhost.crt -keyout localhost.key \ > -newkey rsa:2048 -nodes -sha256 \ > -subj '/CN=localhost' -extensions EXT -config <( \ > printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") > > (by courtesy of letsencrypt: https://letsencrypt.org/docs/certificates-for-localhost/) > > openssl x509 -in localhost.crt -out localhost.pem -outform PEM > > And starting with tinyconfig I added minimal options to enable this > feature. The config is attached. > > The end result is: > > make[2]: *** No rule to make target 'certs/extract-cert', needed by 'security/integrity/platform_certs/platform_certificate_list'. Stop. 
> make[1]: *** [scripts/Makefile.build:550: security/integrity] Error 2 > make: *** [Makefile:1831: security] Error 2 I've reviewed and tested this patch set each time it was posted last fall/winter. Recent changes were limited to the cover letter and patch description. Only recently was "extract_cert" moved to the certs/ directory and not built automatically. The commit message says the move was because it wasn't being used outside the certs directory. Refer to commit 340a02535ee7 ("certs: move scripts/extract-cert to certs/"). Masahiro Yamada would you be ok with reverting the move? thanks, Mimi
On Mon, Mar 07, 2022 at 05:03:09PM -0500, Mimi Zohar wrote: > [Cc'ing Masahiro Yamada] > > On Mon, 2022-03-07 at 14:48 +0200, Jarkko Sakkinen wrote: > > On Sun, Mar 06, 2022 at 03:51:00PM -0500, Nayna Jain wrote: > > > Allow firmware keys to be embedded in the Linux kernel and loaded onto > > > the ".platform" keyring on boot. > > > > > > The firmware keys can be specified in a file as a list of PEM encoded > > > certificates using new config INTEGRITY_PLATFORM_KEYS. The certificates > > > are embedded in the image by converting the PEM-formatted certificates > > > into DER(binary) and generating > > > security/integrity/platform_certs/platform_certificate_list file at > > > build time. On boot, the embedded certs from the image are loaded onto > > > the ".platform" keyring at late_initcall(), ensuring the platform keyring > > > exists before loading the keys. > > > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > > > --- > > > security/integrity/Kconfig | 10 ++++++++ > > > security/integrity/Makefile | 15 +++++++++++- > > > security/integrity/integrity.h | 3 +++ > > > .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ > > > .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ > > > 5 files changed, 73 insertions(+), 1 deletion(-) > > > create mode 100644 security/integrity/platform_certs/platform_cert.S > > > > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig > > > index 599429f99f99..77b2c22c0e1b 100644 > > > --- a/security/integrity/Kconfig > > > +++ b/security/integrity/Kconfig 
> > > @@ -62,6 +62,16 @@ config INTEGRITY_PLATFORM_KEYRING > > > provided by the platform for verifying the kexec'ed kerned image > > > and, possibly, the initramfs signature. > > > > > > +config INTEGRITY_PLATFORM_KEYS > > > + string "Builtin X.509 keys for .platform keyring" > > > + depends on KEYS > > > + depends on ASYMMETRIC_KEY_TYPE > > > + depends on INTEGRITY_PLATFORM_KEYRING > > > + help > > > + If set, this option should be the filename of a PEM-formatted file > > > + containing X.509 certificates to be loaded onto the ".platform" > > > + keyring. > > > + > > > config INTEGRITY_MACHINE_KEYRING > > > bool "Provide a keyring to which Machine Owner Keys may be added" > > > depends on SECONDARY_TRUSTED_KEYRING > > > diff --git a/security/integrity/Makefile b/security/integrity/Makefile > > > index d0ffe37dc1d6..65bd93301a3a 100644 > > > --- a/security/integrity/Makefile > > > +++ b/security/integrity/Makefile > > > @@ -3,13 +3,17 @@ > > > # Makefile for caching inode integrity data (iint) > > > # > > > > > > +quiet_cmd_extract_certs = CERT $@ > > > + cmd_extract_certs = certs/extract-cert $(2) $@ > > > + > > > obj-$(CONFIG_INTEGRITY) += integrity.o > > > > > > integrity-y := iint.o > > > integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o > > > integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o > > > integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o > > > -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o > > > +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ > > > + platform_certs/platform_cert.o > > > integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o > > > integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ > > > platform_certs/load_uefi.o \ 
> > > @@ -20,3 +24,12 @@ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ > > > platform_certs/keyring_handler.o > > > obj-$(CONFIG_IMA) += ima/ > > > obj-$(CONFIG_EVM) += evm/ > > > + > > > +$(obj)/platform_certs/platform_cert.o: $(obj)/platform_certs/platform_certificate_list > > > + > > > +targets += platform_certificate_list > > > + > > > +$(obj)/platform_certs/platform_certificate_list: $(CONFIG_INTEGRITY_PLATFORM_KEYS) certs/extract-cert FORCE > > > + $(call if_changed,extract_certs,$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,"")) > > > + > > > +clean-files := platform_certs/platform_certificate_list > > > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > > > index 76e9a9515f99..219da29fecf7 100644 > > > --- a/security/integrity/integrity.h > > > +++ b/security/integrity/integrity.h > > > @@ -282,6 +282,9 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) > > > #endif > > > > > > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > > +extern __initconst const u8 platform_certificate_list[]; > > > +extern __initconst const unsigned long platform_certificate_list_size; > > > + > > > void __init add_to_platform_keyring(const char *source, const void *data, > > > size_t len); > > > #else > > > diff --git a/security/integrity/platform_certs/platform_cert.S b/security/integrity/platform_certs/platform_cert.S > > > new file mode 100644 > > > index 000000000000..20bccce5dc5a > > > --- /dev/null > > > +++ b/security/integrity/platform_certs/platform_cert.S 
> > > @@ -0,0 +1,23 @@ > > > +/* SPDX-License-Identifier: GPL-2.0 */ > > > +#include <linux/export.h> > > > +#include <linux/init.h> > > > + > > > + __INITRODATA > > > + > > > + .align 8 > > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > > + .globl platform_certificate_list > > > +platform_certificate_list: > > > +__cert_list_start: > > > + .incbin "security/integrity/platform_certs/platform_certificate_list" > > > +__cert_list_end: > > > +#endif > > > + > > > + .align 8 > > > + .globl platform_certificate_list_size > > > +platform_certificate_list_size: > > > +#ifdef CONFIG_64BIT > > > + .quad __cert_list_end - __cert_list_start > > > +#else > > > + .long __cert_list_end - __cert_list_start > > > +#endif > > > diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c > > > index bcafd7387729..c2368912fd1b 100644 > > > --- a/security/integrity/platform_certs/platform_keyring.c > > > +++ b/security/integrity/platform_certs/platform_keyring.c > > > @@ -12,6 +12,7 @@ > > > #include <linux/cred.h> > > > #include <linux/err.h> > > > #include <linux/slab.h> > > > +#include <keys/system_keyring.h> > > > #include "../integrity.h" > > > > > > /** 
> > > @@ -37,6 +38,28 @@ void __init add_to_platform_keyring(const char *source, const void *data, > > > pr_info("Error adding keys to platform keyring %s\n", source); > > > } > > > > > > +static __init int load_platform_certificate_list(void) > > > +{ > > > + const u8 *p; > > > + unsigned long size; > > > + int rc; > > > + struct key *keyring; > > > + > > > + p = platform_certificate_list; > > > + size = platform_certificate_list_size; > > > + > > > + keyring = integrity_keyring_from_id(INTEGRITY_KEYRING_PLATFORM); > > > + if (IS_ERR(keyring)) > > > + return PTR_ERR(keyring); > > > + > > > + rc = load_certificate_list(p, size, keyring); > > > + if (rc) > > > + pr_info("Error adding keys to platform keyring %d\n", rc); > > > + > > > + return rc; > > > +} > > > +late_initcall(load_platform_certificate_list); > > > + > > > /* > > > * Create the trusted keyrings. > > > */ > > > -- > > > 2.27.0 > > > > > > > There's zero tested-by's for this, i.e. cannot be applied before someone > > has tested this. Mimi, do not mean to be rude, but I don't frankly > > understand why you ask to pick a patch set that is *untested*. > > So I generated a self-signed certificate: > > > > openssl req -x509 -out localhost.crt -keyout localhost.key \ > > -newkey rsa:2048 -nodes -sha256 \ > > -subj '/CN=localhost' -extensions EXT -config <( \ > > printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") > > > > (by courtesy of letsencrypt: https://letsencrypt.org/docs/certificates-for-localhost/) > > > > openssl x509 -in localhost.crt -out localhost.pem -outform PEM > > > > And starting with tinyconfig I added minimal options to enable this > > feature. The config is attached. > > > > The end result is: > > > > make[2]: *** No rule to make target 'certs/extract-cert', needed by 'security/integrity/platform_certs/platform_certificate_list'. Stop. 
> > make[1]: *** [scripts/Makefile.build:550: security/integrity] Error 2 > > make: *** [Makefile:1831: security] Error 2 > > I've reviewed and tested this patch set each time it was posted last > fall/winter. Recent changes were limited to the cover letter and patch > description. Only recently was "extract_cert" moved to the certs/ > directory and not built automatically. The commit message says the > move was because it wasn't being used outside the certs directory. > Refer to commit 340a02535ee7 ("certs: move scripts/extract-cert to > certs/"). > > Masahiro Yamada, would you be ok with reverting the move? > > thanks, > > Mimi OK, so I can add your tested-by? It was missing, that's where the concern came from. BR, Jarkko
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 599429f99f99..77b2c22c0e1b 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -62,6 +62,16 @@ config INTEGRITY_PLATFORM_KEYRING
 provided by the platform for verifying the kexec'ed kerned image
 and, possibly, the initramfs signature.
 
+config INTEGRITY_PLATFORM_KEYS
+ string "Builtin X.509 keys for .platform keyring"
+ depends on KEYS
+ depends on ASYMMETRIC_KEY_TYPE
+ depends on INTEGRITY_PLATFORM_KEYRING
+ help
+ If set, this option should be the filename of a PEM-formatted file
+ containing X.509 certificates to be loaded onto the ".platform"
+ keyring.
+
 config INTEGRITY_MACHINE_KEYRING
 bool "Provide a keyring to which Machine Owner Keys may be added"
 depends on SECONDARY_TRUSTED_KEYRING
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index d0ffe37dc1d6..65bd93301a3a 100644
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -3,13 +3,17 @@
 # Makefile for caching inode integrity data (iint)
 #
 
+quiet_cmd_extract_certs = CERT $@
+ cmd_extract_certs = certs/extract-cert $(2) $@
+
 obj-$(CONFIG_INTEGRITY) += integrity.o
 
 integrity-y := iint.o
 integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
 integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
 integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
-integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
+integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \
+ platform_certs/platform_cert.o
 integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o
 integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
 platform_certs/load_uefi.o \
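Review bot: The help text for `INTEGRITY_PLATFORM_KEYS` describes the file format but not what trusting it means: every certificate in that file is loaded onto the `.platform` keyring, which the option just above describes as the keys for verifying the kexec'ed kernel image, so the file extends the firmware's trust anchors at build time. I would add a sentence such as `Certificates listed here are trusted exactly like firmware-provided platform keys, so the file should be protected like the signing keys themselves.` The text should also say how the path is resolved; the Makefile hunk uses the value as a bare prerequisite, so it looks objtree-relative unless absolute, and an empty string is presumably what produces an empty list.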
@@ -20,3 +24,12 @@ integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
 platform_certs/keyring_handler.o
 obj-$(CONFIG_IMA) += ima/
 obj-$(CONFIG_EVM) += evm/
+
+$(obj)/platform_certs/platform_cert.o: $(obj)/platform_certs/platform_certificate_list
+
+targets += platform_certificate_list
+
+$(obj)/platform_certs/platform_certificate_list: $(CONFIG_INTEGRITY_PLATFORM_KEYS) certs/extract-cert FORCE
+ $(call if_changed,extract_certs,$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,""))
+
+clean-files := platform_certs/platform_certificate_list
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 76e9a9515f99..219da29fecf7 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -282,6 +282,9 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
 #endif
 
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+extern __initconst const u8 platform_certificate_list[];
+extern __initconst const unsigned long platform_certificate_list_size;
+
 void __init add_to_platform_keyring(const char *source, const void *data,
 size_t len);
 #else
diff --git a/security/integrity/platform_certs/platform_cert.S b/security/integrity/platform_certs/platform_cert.S
new file mode 100644
index 000000000000..20bccce5dc5a
--- /dev/null
+++ b/security/integrity/platform_certs/platform_cert.S
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/export.h>
+#include <linux/init.h>
+
+ __INITRODATA
+
+ .align 8
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+ .globl platform_certificate_list
+platform_certificate_list:
+__cert_list_start:
+ .incbin "security/integrity/platform_certs/platform_certificate_list"
+__cert_list_end:
+#endif
+
+ .align 8
+ .globl platform_certificate_list_size
+platform_certificate_list_size:
+#ifdef CONFIG_64BIT
+ .quad __cert_list_end - __cert_list_start
+#else
+ .long __cert_list_end - __cert_list_start
+#endif
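Review bot: `targets += platform_certificate_list` registers a file directly in `$(obj)`, but the rule that follows generates `$(obj)/platform_certs/platform_certificate_list`, so the entry does not name the real target and the `if_changed` bookkeeping (saved `.cmd` file, rebuild on command change) is unlikely to cover the generated list; `clean-files` on the last line already uses the subdirectory path, and `targets` should match it: `targets += platform_certs/platform_certificate_list`. The `$(if $(CONFIG_INTEGRITY_PLATFORM_KEYS),$<,"")` guard also deserves a comment, since with the option empty `$<` is `certs/extract-cert` itself and the guard is what stops the tool from being fed as its own input: `# With no key file configured, $< is the extract-cert binary; pass "" to produce an empty list instead.`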
diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c
index bcafd7387729..c2368912fd1b 100644
--- a/security/integrity/platform_certs/platform_keyring.c
+++ b/security/integrity/platform_certs/platform_keyring.c
@@ -12,6 +12,7 @@
 #include <linux/cred.h>
 #include <linux/err.h>
 #include <linux/slab.h>
+#include <keys/system_keyring.h>
 #include "../integrity.h"
 
 /**
@@ -37,6 +38,28 @@ void __init add_to_platform_keyring(const char *source, const void *data,
 pr_info("Error adding keys to platform keyring %s\n", source);
 }
 
+static __init int load_platform_certificate_list(void)
+{
+ const u8 *p;
+ unsigned long size;
+ int rc;
+ struct key *keyring;
+
+ p = platform_certificate_list;
+ size = platform_certificate_list_size;
+
+ keyring = integrity_keyring_from_id(INTEGRITY_KEYRING_PLATFORM);
+ if (IS_ERR(keyring))
+ return PTR_ERR(keyring);
+
+ rc = load_certificate_list(p, size, keyring);
+ if (rc)
+ pr_info("Error adding keys to platform keyring %d\n", rc);
+
+ return rc;
+}
+late_initcall(load_platform_certificate_list);
+
 /*
 * Create the trusted keyrings.
 */