lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <CUSG7ZDGZ5N4.37KMXB8BFPWKI@suppilovahvero>
Date:   Mon, 14 Aug 2023 20:37:21 +0300
From:   "Jarkko Sakkinen" <jarkko@...nel.org>
To:     "Nayna Jain" <nayna@...ux.ibm.com>,
        <linux-integrity@...r.kernel.org>
Cc:     "Mimi Zohar" <zohar@...ux.ibm.com>,
        "Eric Snowberg" <eric.snowberg@...cle.com>,
        "Paul Moore" <paul@...l-moore.com>,
        <linux-security-module@...r.kernel.org>,
        "linuxppc-dev" <linuxppc-dev@...ts.ozlabs.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 1/6] integrity: PowerVM support for loading CA keys
 on machine keyring

On Sun Aug 13, 2023 at 5:15 AM EEST, Nayna Jain wrote:
> Keys that derive their trust from an entity such as a security officer,
> administrator, system owner, or machine owner are said to have "imputed
> trust". CA keys with imputed trust can be loaded onto the machine keyring.
> The mechanism for loading these keys onto the machine keyring is platform
> dependent.
>
> Load keys stored in the variable trustedcadb onto the .machine keyring
> on PowerVM platform.
>
> Signed-off-by: Nayna Jain <nayna@...ux.ibm.com>
> Reviewed-and-tested-by: Mimi Zohar <zohar@...ux.ibm.com>
> ---
>  .../integrity/platform_certs/keyring_handler.c  |  8 ++++++++
>  .../integrity/platform_certs/keyring_handler.h  |  5 +++++
>  .../integrity/platform_certs/load_powerpc.c     | 17 +++++++++++++++++
>  3 files changed, 30 insertions(+)
>
> diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> index 8a1124e4d769..1649d047e3b8 100644
> --- a/security/integrity/platform_certs/keyring_handler.c
> +++ b/security/integrity/platform_certs/keyring_handler.c
> @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
>  	return NULL;
>  }
>  
> +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
> +{
> +	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
> +		return add_to_machine_keyring;
> +
> +	return NULL;
> +}
> +
>  /*
>   * Return the appropriate handler for particular signature list types found in
>   * the UEFI dbx and MokListXRT tables.
> diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
> index 212d894a8c0c..6f15bb4cc8dc 100644
> --- a/security/integrity/platform_certs/keyring_handler.h
> +++ b/security/integrity/platform_certs/keyring_handler.h
> @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
>   */
>  efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
>  
> +/*
> + * Return the handler for particular signature list types for CA keys.
> + */
> +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
> +
>  /*
>   * Return the handler for particular signature list types found in the dbx.
>   */
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index 170789dc63d2..6263ce3b3f1e 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
>  static int __init load_powerpc_certs(void)
>  {
>  	void *db = NULL, *dbx = NULL, *data = NULL;
> +	void *trustedca = NULL;

Could this be just "void *trustedca;" ?

>  	u64 dsize = 0;
>  	u64 offset = 0;
>  	int rc = 0;
> @@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void)
>  		kfree(data);
>  	}
>  
> +	data = get_cert_list("trustedcadb", 12,  &dsize);
> +	if (!data) {
> +		pr_info("Couldn't get trustedcadb list from firmware\n");
> +	} else if (IS_ERR(data)) {
> +		rc = PTR_ERR(data);
> +		pr_err("Error reading trustedcadb from firmware: %d\n", rc);
> +	} else {
> +		extract_esl(trustedca, data, dsize, offset);
> +
> +		rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize,
> +					      get_handler_for_ca_keys);
> +		if (rc)
> +			pr_err("Couldn't parse trustedcadb signatures: %d\n", rc);
> +		kfree(data);
> +	}
> +
>  	return rc;
>  }
>  late_initcall(load_powerpc_certs);
> -- 
> 2.31.1

BR, Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ