lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241015222235.71040-1-jeremy.linton@arm.com>
Date: Tue, 15 Oct 2024 17:22:30 -0500
From: Jeremy Linton <jeremy.linton@....com>
To: linux-kernel@...r.kernel.org
Cc: akpm@...ux-foundation.org,
	hch@....de,
	gregkh@...uxfoundation.org,
	graf@...zon.com,
	lukas@...ner.de,
	wufan@...ux.microsoft.com,
	brauner@...nel.org,
	jsperbeck@...gle.com,
	ardb@...nel.org,
	linux-crypto@...r.kernel.org,
	linux-kbuild@...r.kernel.org,
	keyrings@...r.kernel.org,
	Jeremy Linton <jeremy.linton@....com>
Subject: [RFC 0/5] Another initramfs signature checking set

With the advent of UKI's wrapping kernel and cpio archives up into
single UEFI PE executables it seems like its probably time to
reconsider whether the core idea of signing the initrd and verifying
it in its entirely is a useful function of the core kernel.

Moving this functionality in the kernel should provide a similar
security statement to the UKIs with a more traditional kernel + initrd
boot flow and the ability to have a single kernel image that
selects between multiple signed initrd images. Say a normal boot
image, and a recovery image.

This set is a very basic implementation of that concept using the kernel
built in trusted keyring, and a signature format that is similar to the
existing module signature. The core change is quite trivial with the larger
questions around the policy for enforcing or simply checking
for a valid signature. I've considered various policies, tying it to
lockdown/etc but this set simply enforces it by default with an kernel
parameter to override the behavior.

Outside of the core patch the largest change revolves around making
sure that the asymmetric key and built in cert/keyring/blacklist logic
is started much earlier in the boot process than normal. This means
that beyond the hacky _initcall changes in patch 2 there are a bit of
additional Kconfig changes necessary.

Finally, before the RFC is dropped there are a number of
/Documentation changes that will be completed as needed.

Jeremy Linton (5):
  initramfs: Add initramfs signature checking
  KEYS/certs: Start the builtin key and cert system earlier
  initramfs: Use existing module signing infrastructure
  sign-file: Add -i option to sign initramfs images
  initramfs: Enforce initramfs signature

 certs/blacklist.c                        |  2 +-
 certs/system_keyring.c                   |  4 +-
 crypto/asymmetric_keys/asymmetric_type.c |  2 +-
 crypto/asymmetric_keys/x509_public_key.c |  2 +-
 include/linux/initrd.h                   |  3 +
 init/initramfs.c                         | 84 +++++++++++++++++++++++-
 scripts/sign-file.c                      | 11 +++-
 usr/Kconfig                              |  9 +++
 8 files changed, 109 insertions(+), 8 deletions(-)

-- 
2.46.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ