Message-ID: <20220414175930.GM163591@kunlun.suse.cz>
Date:   Thu, 14 Apr 2022 19:59:30 +0200
From:   Michal Suchánek <msuchanek@...e.de>
To:     "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>
Subject: How to list keys used for kexec

Hello,

apparently modules are verified by keys from the 'secondary' keyring on all
platforms.

If you happen to know that it's this particular keyring, and know how
to list keyrings recursively, you can find the keys that are used for
verifying modules.

However, for kexec we have

 - primary keyring on aarch64
 - platform keyring on s390
 - secondary AND platform keyring on x86

How is a user supposed to know which keys are used for kexec image
verification?

There is an implicit keyring that is constructed ad hoc by the code that
does the kexec verification, but there is no key list observable from
userspace that corresponds to this ad-hoc keyring, which is known only to
the kexec code.

Can the kernel make the information about which keys are used for what
purpose available to the user?

Thanks

Michal
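The question above is about the absence of a kernel-provided answer; the recursive listing it alludes to can still be done from userspace today with keyctl. The script below is an added example, not part of the message or the kernel tree. It encodes the per-architecture mapping exactly as the message states it (assuming "primary" means the `.builtin_trusted_keys` keyring, and that the kernel keyring descriptions are `.builtin_trusted_keys`, `.secondary_trusted_keys` and `.platform`), walks each keyring with `keyctl list` (the `%:<description>` form names a keyring by description), follows nested keyrings such as the secondary ring's link to the builtin ring, and unions the result for the given arch. The `SAMPLE` output is constructed for offline use; pass the default lister to run it against the live kernel, where `/proc/keys` alone would not do, since it shows each keyring's key count but not its membership.

```python
"""List the trust anchors kexec image verification draws on, per arch.

Added example; not from the original message or the kernel sources.  The
per-arch keyring mapping is the one the message states.  The keyctl output
in SAMPLE is constructed so the script runs offline.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set, Tuple

# Kernel keyring descriptions.  Assumption: "primary" in the message is the
# builtin trusted keyring.
BUILTIN = ".builtin_trusted_keys"
SECONDARY = ".secondary_trusted_keys"
PLATFORM = ".platform"

# Keyrings the kexec image signature is checked against, as the message
# lists them.  Modules, per the message, use the secondary keyring everywhere.
KEXEC_KEYRINGS: Dict[str, List[str]] = {
    "aarch64": [BUILTIN],
    "s390x": [PLATFORM],
    "x86_64": [SECONDARY, PLATFORM],
}

# One entry line of `keyctl list`: "<id>: <perms> <uid> <gid> <type>: <desc>"
KEYCTL_LINE = re.compile(r"^\s*(\d+):\s+\S+\s+\d+\s+\d+\s+(\w+):\s*(.*)$")

# Constructed sample `keyctl list` output (not captured from a real host),
# keyed by the argument we would pass to keyctl.  The secondary ring links the
# builtin ring (id 981245311), and one distro CA is linked into both the
# secondary and the platform ring.
SAMPLE: Dict[str, str] = {
    "%:.builtin_trusted_keys":
        "1 key in keyring:\n"
        "470346946: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 0a1b2c\n",
    "981245311":
        "1 key in keyring:\n"
        "470346946: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 0a1b2c\n",
    "%:.secondary_trusted_keys":
        "2 keys in keyring:\n"
        "981245311: ---lswrv     0     0 keyring: .builtin_trusted_keys: 1\n"
        "123456789: ---lswrv     0     0 asymmetric: Example Distro Secure Boot CA: 3e4f50\n",
    "%:.platform":
        "2 keys in keyring:\n"
        "555555555: ---lswrv     0     0 asymmetric: Example OEM UEFI CA: 13adbf\n"
        "123456789: ---lswrv     0     0 asymmetric: Example Distro Secure Boot CA: 3e4f50\n",
}


def keyctl_list(keyring: str) -> str:
    """Run `keyctl list` on a keyring given by numeric id or %:description."""
    return subprocess.run(["keyctl", "list", keyring], check=True,
                          capture_output=True, text=True).stdout


def parse_list(output: str) -> List[Tuple[str, str, str]]:
    """Parse keyctl list output into (id, type, description) tuples,
    skipping the "N keys in keyring:" header."""
    return [m.groups() for m in map(KEYCTL_LINE.match, output.splitlines()) if m]


def collect_keys(keyring: str, lister: Callable[[str], str] = keyctl_list,
                 seen: Optional[Set[str]] = None) -> List[str]:
    """Descriptions of all non-keyring keys reachable from `keyring`,
    descending into nested keyrings.  `seen` holds key ids already visited so
    links shared between rings (or cycles) are not walked twice."""
    seen = set() if seen is None else seen
    keys: List[str] = []
    for key_id, ktype, desc in parse_list(lister(keyring)):
        if key_id in seen:
            continue
        seen.add(key_id)
        if ktype == "keyring":
            keys.extend(collect_keys(key_id, lister, seen))
        else:
            keys.append(f"{ktype}: {desc}")
    return keys


def kexec_trust_anchors(arch: str,
                        lister: Callable[[str], str] = keyctl_list) -> List[str]:
    """Sorted, de-duplicated union of keys kexec would accept on `arch`."""
    seen: Set[str] = set()
    found: List[str] = []
    for name in KEXEC_KEYRINGS[arch]:
        found.extend(collect_keys(f"%:{name}", lister, seen))
    return sorted(set(found))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; replace the
    # lambda with keyctl_list to inspect the running kernel.
    for arch in KEXEC_KEYRINGS:
        print(f"{arch}: kexec accepts signatures from")
        for key in kexec_trust_anchors(arch, lambda k: SAMPLE[k]):
            print(f"  {key}")
```

On a live system `keyctl list` needs view permission on the ring, which the kernel grants for the system keyrings; the script reports what is reachable from each ring, not how the kexec code actually combines them, which is exactly the gap the message points out.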
