2019-01-09 16:51:20

by Kairui Song

[permalink] [raw]
Subject: [RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image

Hi,

This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.

This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.

Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.

Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.

Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify

arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 10 +++++++++-
include/keys/system_keyring.h | 5 +++++
include/linux/verification.h | 1 +
security/integrity/digsig.c | 4 ++++
5 files changed, 29 insertions(+), 4 deletions(-)

--
2.20.1



2019-01-09 16:51:17

by Kairui Song

[permalink] [raw]
Subject: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

kexec_file_load will need to verify the kernel signed with third part
keys, and the keys could be stored in firmware, then got loaded into
the .platform keyring. Now we have a .platform_trusted_keyring
as the reference to .platform keyring, this patch makes use if it and
allow kexec_file_load to verify the image against keys in .platform
keyring.

This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
should verify the signature using platform keyring. Also, decrease
the error message log level when verification failed with -ENOKEY,
so that if called tried multiple time with different keyring it
won't generate extra noises.

Signed-off-by: Kairui Song <[email protected]>
---
arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 7 ++++++-
include/linux/verification.h | 1 +
3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 7d97e432cbbc..a8a5c1773ccc 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -534,9 +534,16 @@ static int bzImage64_cleanup(void *loader_data)
#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
{
- return verify_pefile_signature(kernel, kernel_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_KEXEC_PE_SIGNATURE);
+ int ret;
+ ret = verify_pefile_signature(kernel, kernel_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_KEXEC_PE_SIGNATURE);
+ if (ret == -ENOKEY) {
+ ret = verify_pefile_signature(kernel, kernel_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_KEXEC_PE_SIGNATURE);
+ }
+ return ret;
}
#endif

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a61b95390b80..7514e69e719f 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -18,6 +18,7 @@
#include <linux/verification.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
+#include <keys/platform_keyring.h>
#include <crypto/pkcs7.h>

static struct key *builtin_trusted_keys;
@@ -239,12 +240,16 @@ int verify_pkcs7_signature(const void *data, size_t len,
trusted_keys = secondary_trusted_keys;
#else
trusted_keys = builtin_trusted_keys;
+#endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
+ trusted_keys = platform_trusted_keys;
#endif
}
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
if (ret < 0) {
if (ret == -ENOKEY)
- pr_err("PKCS#7 signature not signed with a trusted key\n");
+ pr_devel("PKCS#7 signature not signed with a trusted key\n");
goto error;
}

diff --git a/include/linux/verification.h b/include/linux/verification.h
index cfa4730d607a..018fb5f13d44 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -17,6 +17,7 @@
* should be used.
*/
#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL)

/*
* The use to which an asymmetric key is being put.
--
2.20.1


2019-01-09 19:24:17

by Mimi Zohar

[permalink] [raw]
Subject: Re: [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring

On Thu, 2019-01-10 at 00:48 +0800, Kairui Song wrote:
> Currently kexec_file_load will verify the kernel image being loaded
> against .builtin_trusted_keys or .secondary_trusted_keys, but the
> image could be signed with third part keys which will be provided by
> platform or firmware and the keys won't be available in keyrings mentioned
> above.
>
> After commit ea93102f3224 ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware. And with a few following commits, now keys required to verify
> the image is being imported to .platform keyring, but currently, only
> IMA-appraisal could use the keyring and verify the image.
>
> This patch exposes the .platform and makes other components, like
> kexec_file_load, could use this .platform keyring to verify the
> kernel image.

The "platform" keyring was upstreamed in order to verify the kernel
image being loaded by the kexec_file_load syscall.  The intentions of
this patch description needs to be clearer.

>
> Suggested-by: Mimi Zohar <[email protected]>
> Signed-off-by: Kairui Song <[email protected]>
> ---
> certs/system_keyring.c | 3 +++
> include/keys/system_keyring.h | 5 +++++
> security/integrity/digsig.c | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..a61b95390b80 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +struct key *platform_trusted_keys;

Please make it static.

Mimi

> +#endif


2019-01-09 20:13:48

by Kairui Song

[permalink] [raw]
Subject: [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring

Currently kexec_file_load will verify the kernel image being loaded
against .builtin_trusted_keys or .secondary_trusted_keys, but the
image could be signed with third part keys which will be provided by
platform or firmware and the keys won't be available in keyrings mentioned
above.

After commit ea93102f3224 ('integrity: Define a trusted platform keyring')
a .platform keyring is introduced to store the keys provided by platform
or firmware. And with a few following commits, now keys required to verify
the image is being imported to .platform keyring, but currently, only
IMA-appraisal could use the keyring and verify the image.

This patch exposes the .platform and makes other components, like
kexec_file_load, could use this .platform keyring to verify the
kernel image.

Suggested-by: Mimi Zohar <[email protected]>
Signed-off-by: Kairui Song <[email protected]>
---
certs/system_keyring.c | 3 +++
include/keys/system_keyring.h | 5 +++++
security/integrity/digsig.c | 4 ++++
3 files changed, 12 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 81728717523d..a61b95390b80 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
static struct key *secondary_trusted_keys;
#endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+struct key *platform_trusted_keys;
+#endif

extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 359c2f936004..9eaf01d01036 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+
+extern struct key *platform_trusted_keys;
+
+#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */

#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f45d6edecf99..26206240388d 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -89,6 +89,10 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
keyring[id] = NULL;
}

+ if (id == INTEGRITY_KEYRING_PLATFORM) {
+ platform_trusted_keys = keyring[id];
+ }
+
return err;
}

--
2.20.1


2019-01-11 14:21:28

by Dave Young

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On 01/10/19 at 12:48am, Kairui Song wrote:
> kexec_file_load will need to verify the kernel signed with third part
> keys, and the keys could be stored in firmware, then got loaded into
> the .platform keyring. Now we have a .platform_trusted_keyring
> as the reference to .platform keyring, this patch makes use if it and
> allow kexec_file_load to verify the image against keys in .platform
> keyring.
>
> This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
> VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
> should verify the signature using platform keyring. Also, decrease
> the error message log level when verification failed with -ENOKEY,
> so that if called tried multiple time with different keyring it
> won't generate extra noises.
>
> Signed-off-by: Kairui Song <[email protected]>
> ---
> arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
> certs/system_keyring.c | 7 ++++++-
> include/linux/verification.h | 1 +
> 3 files changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7d97e432cbbc..a8a5c1773ccc 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -534,9 +534,16 @@ static int bzImage64_cleanup(void *loader_data)
> #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len,
> - VERIFY_USE_SECONDARY_KEYRING,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + int ret;
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_SECONDARY_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> + if (ret == -ENOKEY) {
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> + }
> + return ret;
> }
> #endif
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index a61b95390b80..7514e69e719f 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -18,6 +18,7 @@
> #include <linux/verification.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> +#include <keys/platform_keyring.h>
> #include <crypto/pkcs7.h>
>
> static struct key *builtin_trusted_keys;
> @@ -239,12 +240,16 @@ int verify_pkcs7_signature(const void *data, size_t len,
> trusted_keys = secondary_trusted_keys;
> #else
> trusted_keys = builtin_trusted_keys;
> +#endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> + } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> + trusted_keys = platform_trusted_keys;
> #endif
> }
> ret = pkcs7_validate_trust(pkcs7, trusted_keys);
> if (ret < 0) {
> if (ret == -ENOKEY)
> - pr_err("PKCS#7 signature not signed with a trusted key\n");
> + pr_devel("PKCS#7 signature not signed with a trusted key\n");
> goto error;
> }
>
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index cfa4730d607a..018fb5f13d44 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -17,6 +17,7 @@
> * should be used.
> */
> #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
> +#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL)
>
> /*
> * The use to which an asymmetric key is being put.
> --
> 2.20.1
>

Personally I would like to see platform key separated from integrity.
But for the kexec_file part I think it is good at least it works with
this fix.

Acked-by: Dave Young <[email protected]>

Thanks
Dave

2019-01-11 20:53:22

by Mimi Zohar

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
[snip]

> Personally I would like to see platform key separated from integrity.
> But for the kexec_file part I think it is good at least it works with
> this fix.
>
> Acked-by: Dave Young <[email protected]>

The original "platform" keyring patches that Nayna posted multiple
times were in the certs directory, but nobody commented/responded.  So
she reworked the patches, moving them to the integrity directory and
posted them (cc'ing the kexec mailing list).  It's a bit late to be
asking to move it, isn't it?

Mimi


2019-01-13 02:41:14

by Dave Young

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

Hi,

On 01/11/19 at 11:13am, Mimi Zohar wrote:
> On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> [snip]
>
> > Personally I would like to see platform key separated from integrity.
> > But for the kexec_file part I think it is good at least it works with
> > this fix.
> >
> > Acked-by: Dave Young <[email protected]>
>
> The original "platform" keyring patches that Nayna posted multiple
> times were in the certs directory, but nobody commented/responded. ?So
> she reworked the patches, moving them to the integrity directory and
> posted them (cc'ing the kexec mailing list). ?It's a bit late to be
> asking to move it, isn't it?

Hmm, apologize for being late, I did not get chance to have a look the
old series. Since we have the needs now, it should be still fine

Maybe Kairui can check Nayna's old series, see if he can do something
again?

>
> Mimi
>

Thanks
Dave

2019-01-14 03:29:43

by Kairui Song

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

Hi, Mimi, Dave

I checked the previous patches:
https://www.spinics.net/lists/keyrings/msg03518.html
https://www.spinics.net/lists/keyrings/msg03517.html
https://www.spinics.net/lists/keyrings/msg03516.html

That the latest patched I could found that placed the platform keyring in certs/
However it didn't cc kexec list, and so I think Dave didn't receive them.

I could compose a patch to use the previous design, how do you think?


On Sun, Jan 13, 2019 at 9:40 AM Dave Young <[email protected]> wrote:
>
> Hi,
>
> On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > [snip]
> >
> > > Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young <[email protected]>
> >
> > The original "platform" keyring patches that Nayna posted multiple
> > times were in the certs directory, but nobody commented/responded. So
> > she reworked the patches, moving them to the integrity directory and
> > posted them (cc'ing the kexec mailing list). It's a bit late to be
> > asking to move it, isn't it?
>
> Hmm, apologize for being late, I did not get chance to have a look the
> old series. Since we have the needs now, it should be still fine
>
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?
>
> >
> > Mimi
> >
>
> Thanks
> Dave



--
Best Regards,
Kairui Song

2019-01-14 16:13:28

by Mimi Zohar

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> Hi,
>
> On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > [snip]
> >
> > > Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young <[email protected]>
> >
> > The original "platform" keyring patches that Nayna posted multiple
> > times were in the certs directory, but nobody commented/responded.  So
> > she reworked the patches, moving them to the integrity directory and
> > posted them (cc'ing the kexec mailing list).  It's a bit late to be
> > asking to move it, isn't it?
>
> Hmm, apologize for being late, I did not get chance to have a look the
> old series. Since we have the needs now, it should be still fine
>
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?

Whether the platform keyring is defined in certs/ or in integrity/ the
keyring id needs to be accessible to the other, without making the
keyring id global.  Moving where the platform keyring is defined is
not the problem.

Commit a210fd32a46b ("kexec: add call to LSM hook in original
kexec_load syscall") introduced a new LSM hook.  Assuming
CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
prevent kexec_load syscall based on runtime secureboot flag") we can
now block the kexec_load syscall.  Without being able to block the
kexec_load syscall, verifying the kexec image signature via the
kexec_file_load syscall is kind of pointless.

Unless you're planning on writing an LSM to prevent the kexec_load
syscall, I assume you'll want to enable integrity anyway.

Mimi


2019-01-15 04:41:27

by Dave Young

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On 01/14/19 at 11:10am, Mimi Zohar wrote:
> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> > Hi,
> >
> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > > [snip]
> > >
> > > > Personally I would like to see platform key separated from integrity.
> > > > But for the kexec_file part I think it is good at least it works with
> > > > this fix.
> > > >
> > > > Acked-by: Dave Young <[email protected]>
> > >
> > > The original "platform" keyring patches that Nayna posted multiple
> > > times were in the certs directory, but nobody commented/responded. ?So
> > > she reworked the patches, moving them to the integrity directory and
> > > posted them (cc'ing the kexec mailing list). ?It's a bit late to be
> > > asking to move it, isn't it?
> >
> > Hmm, apologize for being late, I did not get chance to have a look the
> > old series. Since we have the needs now, it should be still fine
> >
> > Maybe Kairui can check Nayna's old series, see if he can do something
> > again?
>
> Whether the platform keyring is defined in certs/ or in integrity/ the
> keyring id needs to be accessible to the other, without making the
> keyring id global. ?Moving where the platform keyring is defined is
> not the problem.

Agreed, but just feel kexec depends on IMA sounds not good.

>
> Commit a210fd32a46b ("kexec: add call to LSM hook in original
> kexec_load syscall") introduced a new LSM hook. ?Assuming
> CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
> prevent kexec_load syscall based on runtime secureboot flag") we can
> now block the kexec_load syscall. ?Without being able to block the
> kexec_load syscall, verifying the kexec image signature via the
> kexec_file_load syscall is kind of pointless.
>
> Unless you're planning on writing an LSM to prevent the kexec_load
> syscall, I assume you'll want to enable integrity anyway.

User can disable kexec_load in kernel config, and only allow
kexec_file_load. But yes, this can be improved separately in case no
IMA enabled.

For the time being we can leave with it and fix like this series do.

>
> Mimi
>

Thanks
Dave

2019-01-15 04:50:33

by Kairui Song

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On Tue, Jan 15, 2019 at 10:42 AM Dave Young <[email protected]> wrote:
>
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
> > On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> > > Hi,
> > >
> > > On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > > > [snip]
> > > >
> > > > > Personally I would like to see platform key separated from integrity.
> > > > > But for the kexec_file part I think it is good at least it works with
> > > > > this fix.
> > > > >
> > > > > Acked-by: Dave Young <[email protected]>
> > > >
> > > > The original "platform" keyring patches that Nayna posted multiple
> > > > times were in the certs directory, but nobody commented/responded. So
> > > > she reworked the patches, moving them to the integrity directory and
> > > > posted them (cc'ing the kexec mailing list). It's a bit late to be
> > > > asking to move it, isn't it?
> > >
> > > Hmm, apologize for being late, I did not get chance to have a look the
> > > old series. Since we have the needs now, it should be still fine
> > >
> > > Maybe Kairui can check Nayna's old series, see if he can do something
> > > again?
> >
> > Whether the platform keyring is defined in certs/ or in integrity/ the
> > keyring id needs to be accessible to the other, without making the
> > keyring id global. Moving where the platform keyring is defined is
> > not the problem.
>
> Agreed, but just feel kexec depends on IMA sounds not good.
>
> >
> > Commit a210fd32a46b ("kexec: add call to LSM hook in original
> > kexec_load syscall") introduced a new LSM hook. Assuming
> > CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
> > prevent kexec_load syscall based on runtime secureboot flag") we can
> > now block the kexec_load syscall. Without being able to block the
> > kexec_load syscall, verifying the kexec image signature via the
> > kexec_file_load syscall is kind of pointless.
> >
> > Unless you're planning on writing an LSM to prevent the kexec_load
> > syscall, I assume you'll want to enable integrity anyway.
>
> User can disable kexec_load in kernel config, and only allow
> kexec_file_load. But yes, this can be improved separately in case no
> IMA enabled.
>
> For the time being we can leave with it and fix like this series do.
>
> >
> > Mimi
> >
>
> Thanks
> Dave

Yes, for now, I think it's good to fix the problem by following this
patch series and get kexec_file_load work with platform keyring first.
Will adopt suggestion from Mimi in the previous reply and update the
patch series.

For other remaining potential issues, kexec_load not being protected,
it could be disabled by config, and the improvement may require more
discussion. And issues like where the keyring is located, dependency
to making the keyring available for more general use could be
discussed later.

--
Best Regards,
Kairui Song

2019-01-15 16:43:34

by Nayna Jain

[permalink] [raw]
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

On 2019-01-14 21:42, Dave Young wrote:
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
>> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
>> > Hi,
>> >
>> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
>> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
>> > > [snip]
>> > >
>> > > > Personally I would like to see platform key separated from integrity.
>> > > > But for the kexec_file part I think it is good at least it works with
>> > > > this fix.
>> > > >
>> > > > Acked-by: Dave Young <[email protected]>
>> > >
>> > > The original "platform" keyring patches that Nayna posted multiple
>> > > times were in the certs directory, but nobody commented/responded.  So
>> > > she reworked the patches, moving them to the integrity directory and
>> > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
>> > > asking to move it, isn't it?
>> >
>> > Hmm, apologize for being late, I did not get chance to have a look the
>> > old series. Since we have the needs now, it should be still fine
>> >
>> > Maybe Kairui can check Nayna's old series, see if he can do something
>> > again?
>>
>> Whether the platform keyring is defined in certs/ or in integrity/ the
>> keyring id needs to be accessible to the other, without making the
>> keyring id global.  Moving where the platform keyring is defined is
>> not the problem.
>
> Agreed, but just feel kexec depends on IMA sounds not good.

The platform keyring is not dependent on IMA, it is dependent on
"integrity" - CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
Other CONFIGS which it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING,
CONFIG_EFI.

Thanks & Regards,
- Nayna