| Message ID | 20220111183647.977037-1-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | integrity: support including firmware ".platform" keys at build time | expand |
On Tue, Jan 11, 2022 at 01:36:44PM -0500, Nayna Jain wrote: > Some firmware support secure boot by embedding static keys to verify the > Linux kernel during boot. However, these firmware do not expose an > interface for the kernel to load firmware keys onto the ".platform" > keyring, preventing the kernel from verifying the kexec kernel image > signature. > > This patchset exports load_certificate_list() and defines a new function > load_builtin_platform_cert() to load compiled in certificates onto the > ".platform" keyring. > > Changelog: > > v8: > * Includes Jarkko's feedback on patch description and removed Reported-by > for Patch 1. > > v7: > * Incldues Jarkko's feedback on patch description for Patch 1 and 3. > > v6: > * Includes Jarkko's feedback: > * Split Patch 2 into two. > * Update Patch description. > > v5: > * Renamed load_builtin_platform_cert() to load_platform_certificate_list() > and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as > suggested by Mimi Zohar. > > v4: > * Split into two patches as per Mimi Zohar and Dimitri John Ledkov > recommendation. > > v3: > * Included Jarkko's feedback > ** updated patch description to include approach. > ** removed extern for function declaration in the .h file. > * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. > > v2: > * Fixed the error reported by kernel test robot > * Updated patch description based on Jarkko's feedback. > > Nayna Jain (3): > certs: export load_certificate_list() to be used outside certs/ > integrity: make integrity_keyring_from_id() non-static > integrity: support including firmware ".platform" keys at build time > > certs/Makefile | 5 ++-- > certs/blacklist.c | 1 - > certs/common.c | 2 +- > certs/common.h | 9 ------- > certs/system_keyring.c | 1 - > include/keys/system_keyring.h | 6 +++++ > security/integrity/Kconfig | 10 +++++++ > security/integrity/Makefile | 17 +++++++++++- > security/integrity/digsig.c | 2 +- > security/integrity/integrity.h | 6 +++++ > .../integrity/platform_certs/platform_cert.S | 23 ++++++++++++++++ > .../platform_certs/platform_keyring.c | 26 +++++++++++++++++++ > 12 files changed, 92 insertions(+), 16 deletions(-) > delete mode 100644 certs/common.h > create mode 100644 security/integrity/platform_certs/platform_cert.S > > -- > 2.27.0 To sort out tree conflicts: what if I pick these patches? They look fine to me now. I can try to fix the possible merge conflicts and you can check them before I make a PR. /Jarkko
On 2/20/22 18:02, Jarkko Sakkinen wrote: > On Tue, Jan 11, 2022 at 01:36:44PM -0500, Nayna Jain wrote: >> Some firmware support secure boot by embedding static keys to verify the >> Linux kernel during boot. However, these firmware do not expose an >> interface for the kernel to load firmware keys onto the ".platform" >> keyring, preventing the kernel from verifying the kexec kernel image >> signature. >> >> This patchset exports load_certificate_list() and defines a new function >> load_builtin_platform_cert() to load compiled in certificates onto the >> ".platform" keyring. >> >> Changelog: >> >> v8: >> * Includes Jarkko's feedback on patch description and removed Reported-by >> for Patch 1. >> >> v7: >> * Incldues Jarkko's feedback on patch description for Patch 1 and 3. >> >> v6: >> * Includes Jarkko's feedback: >> * Split Patch 2 into two. >> * Update Patch description. >> >> v5: >> * Renamed load_builtin_platform_cert() to load_platform_certificate_list() >> and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as >> suggested by Mimi Zohar. >> >> v4: >> * Split into two patches as per Mimi Zohar and Dimitri John Ledkov >> recommendation. >> >> v3: >> * Included Jarkko's feedback >> ** updated patch description to include approach. >> ** removed extern for function declaration in the .h file. >> * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. >> >> v2: >> * Fixed the error reported by kernel test robot >> * Updated patch description based on Jarkko's feedback. >> >> Nayna Jain (3): >> certs: export load_certificate_list() to be used outside certs/ >> integrity: make integrity_keyring_from_id() non-static >> integrity: support including firmware ".platform" keys at build time >> >> certs/Makefile | 5 ++-- >> certs/blacklist.c | 1 - >> certs/common.c | 2 +- >> certs/common.h | 9 ------- >> certs/system_keyring.c | 1 - >> include/keys/system_keyring.h | 6 +++++ >> security/integrity/Kconfig | 10 +++++++ >> security/integrity/Makefile | 17 +++++++++++- >> security/integrity/digsig.c | 2 +- >> security/integrity/integrity.h | 6 +++++ >> .../integrity/platform_certs/platform_cert.S | 23 ++++++++++++++++ >> .../platform_certs/platform_keyring.c | 26 +++++++++++++++++++ >> 12 files changed, 92 insertions(+), 16 deletions(-) >> delete mode 100644 certs/common.h >> create mode 100644 security/integrity/platform_certs/platform_cert.S >> >> -- >> 2.27.0 > To sort out tree conflicts: what if I pick these patches? They look fine > to me now. I can try to fix the possible merge conflicts and you can check > them before I make a PR. Sounds good. Thanks !! Thanks & Regards, - Nayna
On Mon, Feb 21, 2022 at 08:33:55AM -0500, Nayna wrote: > > On 2/20/22 18:02, Jarkko Sakkinen wrote: > > On Tue, Jan 11, 2022 at 01:36:44PM -0500, Nayna Jain wrote: > > > Some firmware support secure boot by embedding static keys to verify the > > > Linux kernel during boot. However, these firmware do not expose an > > > interface for the kernel to load firmware keys onto the ".platform" > > > keyring, preventing the kernel from verifying the kexec kernel image > > > signature. > > > > > > This patchset exports load_certificate_list() and defines a new function > > > load_builtin_platform_cert() to load compiled in certificates onto the > > > ".platform" keyring. > > > > > > Changelog: > > > > > > v8: > > > * Includes Jarkko's feedback on patch description and removed Reported-by > > > for Patch 1. > > > > > > v7: > > > * Incldues Jarkko's feedback on patch description for Patch 1 and 3. > > > > > > v6: > > > * Includes Jarkko's feedback: > > > * Split Patch 2 into two. > > > * Update Patch description. > > > > > > v5: > > > * Renamed load_builtin_platform_cert() to load_platform_certificate_list() > > > and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as > > > suggested by Mimi Zohar. > > > > > > v4: > > > * Split into two patches as per Mimi Zohar and Dimitri John Ledkov > > > recommendation. > > > > > > v3: > > > * Included Jarkko's feedback > > > ** updated patch description to include approach. > > > ** removed extern for function declaration in the .h file. > > > * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. > > > > > > v2: > > > * Fixed the error reported by kernel test robot > > > * Updated patch description based on Jarkko's feedback. > > > > > > Nayna Jain (3): > > > certs: export load_certificate_list() to be used outside certs/ > > > integrity: make integrity_keyring_from_id() non-static > > > integrity: support including firmware ".platform" keys at build time > > > > > > certs/Makefile | 5 ++-- > > > certs/blacklist.c | 1 - > > > certs/common.c | 2 +- > > > certs/common.h | 9 ------- > > > certs/system_keyring.c | 1 - > > > include/keys/system_keyring.h | 6 +++++ > > > security/integrity/Kconfig | 10 +++++++ > > > security/integrity/Makefile | 17 +++++++++++- > > > security/integrity/digsig.c | 2 +- > > > security/integrity/integrity.h | 6 +++++ > > > .../integrity/platform_certs/platform_cert.S | 23 ++++++++++++++++ > > > .../platform_certs/platform_keyring.c | 26 +++++++++++++++++++ > > > 12 files changed, 92 insertions(+), 16 deletions(-) > > > delete mode 100644 certs/common.h > > > create mode 100644 security/integrity/platform_certs/platform_cert.S > > > > > > -- > > > 2.27.0 > > To sort out tree conflicts: what if I pick these patches? They look fine > > to me now. I can try to fix the possible merge conflicts and you can check > > them before I make a PR. > > Sounds good. Thanks !! > > Thanks & Regards, > > - Nayna > Sorry that this comes so later but would it possible for you to fix this conflict against my tree and send v10 with just that change: $ git diff diff --cc include/keys/system_keyring.h index 91e080efb918,d3f914d9a632..000000000000 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@@ -10,12 -10,11 +10,20 @@@ #include <linux/key.h> ++<<<<<<< HEAD +enum blacklist_hash_type { + /* TBSCertificate hash */ + BLACKLIST_HASH_X509_TBS = 1, + /* Raw data hash */ + BLACKLIST_HASH_BINARY = 2, +}; ++======= + #ifdef CONFIG_KEYS + int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring); + #endif ++>>>>>>> certs: export load_certificate_list() to be used outside certs/ I somehow lost your response to the jungle and found it only now :-( I'm still happy to include this to the PR. BR, Jarkko