[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1546957909.19931.101.camel@linux.ibm.com>
Date: Tue, 08 Jan 2019 09:31:49 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Kairui Song <kasong@...hat.com>, linux-kernel@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org,
jwboyer@...oraproject.org, keyrings@...r.kernel.org,
jmorris@...ei.org, serge@...lyn.com, bauerman@...ux.ibm.com,
ebiggers@...gle.com, nayna@...ux.ibm.com, dyoung@...hat.com
Subject: Re: [RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to
.secondary_trusted_keys
On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote:
> Hi, as the subject, this is a patch that links the new introduced
> .platform keyring into .secondary_trusted_keys keyring. This is
> mainly for the kexec_file_load, make kexec_file_load be able to verify
> the kernel image agains keys provided by platform or firmware.
> kexec_file_load already could verify the image agains secondary_trusted_keys
> if secondary_trusted_keys exits, so this will make kexec_file_load be ware
> of platform keys as well.
The builtin and secondary keyrings have a signature change of trust
rooted in the signed kernel image. Adding the pre-boot keys to the
secondary keyring breaks that signature chain of trust.
Mimi
>
> This may also useful for things like module sign verify that are using
> secondary_trusted_keys. I'm not sure if it will be better to move the
> INTEGRITY_PLATFORM_KEYRING to certs/ and let integrity subsystem use
> the keyring there, so just linked the .platform keyring into kernel's
> .secondary_trusted_keys keyring.
>
> It workd for my case, tested in a VM, I signed the kernel image locally
> with pesign and imported the cert to EFI's MokList variable.
>
> Kairui Song (1):
> KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
>
> certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++
> include/keys/platform_keyring.h | 12 ++++++++++++
> security/integrity/digsig.c | 7 +++++++
> 3 files changed, 49 insertions(+)
> create mode 100644 include/keys/platform_keyring.h
>
Powered by blists - more mailing lists