LinuxLists.cc - [PATCH v3 2/3] ima: enable signing of modules with build time generated key

2021-03-30 13:19:04

Subject: [PATCH v3 2/3] ima: enable signing of modules with build time generated key

The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <[email protected]>
---
certs/Kconfig | 2 +-
certs/Makefile | 8 ++++++++
init/Kconfig | 6 +++---
3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
default "certs/signing_key.pem"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Provide the file name of a private key/certificate in PEM format,
or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..e3185c57fbd8 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
clean-files := x509_certificate_list .x509.list

ifeq ($(CONFIG_MODULE_SIG),y)
+ SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ SIGN_KEY = y
+endif
+
+ifdef SIGN_KEY
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been
diff --git a/init/Kconfig b/init/Kconfig
index 5f5c776ef192..85e48a578f90 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE
config MODULE_SIG_ALL
bool "Automatically sign all modules"
default y
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Sign all modules during make modules_install. Without this option,
modules must be signed manually, using the scripts/sign-file tool.
@@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"

choice
prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
This determines which sort of hashing algorithm will be used during
signature generation. This algorithm _must_ be built into the kernel
@@ -2206,7 +2206,7 @@ endchoice

config MODULE_SIG_HASH
string
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
default "sha1" if MODULE_SIG_SHA1
default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256
--
2.29.2

2021-04-02 11:29:23

by Stefan Berger

[permalink] [raw]

Subject: Re: [PATCH v3 2/3] ima: enable signing of modules with build time generated key

On 3/30/21 9:16 AM, Nayna Jain wrote:
> The kernel build process currently only signs kernel modules when
> MODULE_SIG is enabled. Also, sign the kernel modules at build time when
> IMA_APPRAISE_MODSIG is enabled.
>
> Signed-off-by: Nayna Jain <[email protected]>
Acked-by: Stefan Berger <[email protected]>
> ---
> certs/Kconfig | 2 +-
> certs/Makefile | 8 ++++++++
> init/Kconfig | 6 +++---
> 3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/certs/Kconfig b/certs/Kconfig
> index c94e93d8bccf..48675ad319db 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -4,7 +4,7 @@ menu "Certificates for signature checking"
> config MODULE_SIG_KEY
> string "File name or PKCS#11 URI of module signing key"
> default "certs/signing_key.pem"
> - depends on MODULE_SIG
> + depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> help
> Provide the file name of a private key/certificate in PEM format,
> or a PKCS#11 URI according to RFC7512. The file should contain, or
> diff --git a/certs/Makefile b/certs/Makefile
> index f4c25b67aad9..e3185c57fbd8 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
> clean-files := x509_certificate_list .x509.list
>
> ifeq ($(CONFIG_MODULE_SIG),y)
> + SIGN_KEY = y
> +endif
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> + SIGN_KEY = y
> +endif
> +
> +ifdef SIGN_KEY
> ###############################################################################
> #
> # If module signing is requested, say by allyesconfig, but a key has not been
> diff --git a/init/Kconfig b/init/Kconfig
> index 5f5c776ef192..85e48a578f90 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE
> config MODULE_SIG_ALL
> bool "Automatically sign all modules"
> default y
> - depends on MODULE_SIG
> + depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> help
> Sign all modules during make modules_install. Without this option,
> modules must be signed manually, using the scripts/sign-file tool.
> @@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
>
> choice
> prompt "Which hash algorithm should modules be signed with?"
> - depends on MODULE_SIG
> + depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> help
> This determines which sort of hashing algorithm will be used during
> signature generation. This algorithm _must_ be built into the kernel
> @@ -2206,7 +2206,7 @@ endchoice
>
> config MODULE_SIG_HASH
> string
> - depends on MODULE_SIG
> + depends on MODULE_SIG || IMA_APPRAISE_MODSIG
> default "sha1" if MODULE_SIG_SHA1
> default "sha224" if MODULE_SIG_SHA224
> default "sha256" if MODULE_SIG_SHA256