| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241015222235.71040-1-jeremy.linton@arm.com> Date: Tue, 15 Oct 2024 17:22:30 -0500 From: Jeremy Linton <jeremy.linton@....com> To: linux-kernel@...r.kernel.org Cc: akpm@...ux-foundation.org, hch@....de, gregkh@...uxfoundation.org, graf@...zon.com, lukas@...ner.de, wufan@...ux.microsoft.com, brauner@...nel.org, jsperbeck@...gle.com, ardb@...nel.org, linux-crypto@...r.kernel.org, linux-kbuild@...r.kernel.org, keyrings@...r.kernel.org, Jeremy Linton <jeremy.linton@....com> Subject: [RFC 0/5] Another initramfs signature checking set With the advent of UKI's wrapping kernel and cpio archives up into single UEFI PE executables it seems like its probably time to reconsider whether the core idea of signing the initrd and verifying it in its entirely is a useful function of the core kernel. Moving this functionality in the kernel should provide a similar security statement to the UKIs with a more traditional kernel + initrd boot flow and the ability to have a single kernel image that selects between multiple signed initrd images. Say a normal boot image, and a recovery image. This set is a very basic implementation of that concept using the kernel built in trusted keyring, and a signature format that is similar to the existing module signature. The core change is quite trivial with the larger questions around the policy for enforcing or simply checking for a valid signature. I've considered various policies, tying it to lockdown/etc but this set simply enforces it by default with an kernel parameter to override the behavior. Outside of the core patch the largest change revolves around making sure that the asymmetric key and built in cert/keyring/blacklist logic is started much earlier in the boot process than normal. This means that beyond the hacky _initcall changes in patch 2 there are a bit of additional Kconfig changes necessary. Finally, before the RFC is dropped there are a number of /Documentation changes that will be completed as needed. Jeremy Linton (5): initramfs: Add initramfs signature checking KEYS/certs: Start the builtin key and cert system earlier initramfs: Use existing module signing infrastructure sign-file: Add -i option to sign initramfs images initramfs: Enforce initramfs signature certs/blacklist.c | 2 +- certs/system_keyring.c | 4 +- crypto/asymmetric_keys/asymmetric_type.c | 2 +- crypto/asymmetric_keys/x509_public_key.c | 2 +- include/linux/initrd.h | 3 + init/initramfs.c | 84 +++++++++++++++++++++++- scripts/sign-file.c | 11 +++- usr/Kconfig | 9 +++ 8 files changed, 109 insertions(+), 8 deletions(-) -- 2.46.0
Powered by blists - more mailing lists