Some firmware support secure boot by embedding static keys to verify the
Linux kernel during boot. However, these firmware do not expose an
interface for the kernel to load firmware keys onto the ".platform"
keyring, preventing the kernel from verifying the kexec kernel image
signature.
This patchset exports load_certificate_list() and defines a new function
load_builtin_platform_cert() to load compiled in certificates onto the
".platform" keyring.
Changelog:
v12:
* Replace Patch 3/4 with reverting of the commit as suggested by
Masahiro Yamada.
v11:
* Added a new patch to conditionally build extract-cert if
PLATFORM_KEYRING is enabled.
v10:
* Fixed the externs warning for Patch 3.
v9:
* Rebased on Jarkko's repo -
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
v8:
* Includes Jarkko's feedback on patch description and removed Reported-by
for Patch 1.
v7:
* Incldues Jarkko's feedback on patch description for Patch 1 and 3.
v6:
* Includes Jarkko's feedback:
* Split Patch 2 into two.
* Update Patch description.
v5:
* Renamed load_builtin_platform_cert() to load_platform_certificate_list()
and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as
suggested by Mimi Zohar.
v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.
v3:
* Included Jarkko's feedback
** updated patch description to include approach.
** removed extern for function declaration in the .h file.
* Included load_certificate_list() within #ifdef CONFIG_KEYS condition.
v2:
* Fixed the error reported by kernel test robot
* Updated patch description based on Jarkko's feedback.
Nayna Jain (4):
certs: export load_certificate_list() to be used outside certs/
integrity: make integrity_keyring_from_id() non-static
Revert "certs: move scripts/extract-cert to certs/"
integrity: support including firmware ".platform" keys at build time
MAINTAINERS | 1 +
certs/.gitignore | 1 -
certs/Makefile | 18 ++++++---------
certs/blacklist.c | 1 -
certs/common.c | 2 +-
certs/common.h | 9 --------
certs/system_keyring.c | 1 -
include/keys/system_keyring.h | 6 +++++
scripts/.gitignore | 1 +
scripts/Makefile | 12 ++++++++--
{certs => scripts}/extract-cert.c | 2 +-
scripts/remove-stale-files | 2 --
security/integrity/Kconfig | 10 ++++++++
security/integrity/Makefile | 15 +++++++++++-
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 9 ++++++++
.../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++
.../platform_certs/platform_keyring.c | 23 +++++++++++++++++++
18 files changed, 107 insertions(+), 31 deletions(-)
delete mode 100644 certs/common.h
rename {certs => scripts}/extract-cert.c (98%)
create mode 100644 security/integrity/platform_certs/platform_cert.S
base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9
--
2.34.1
On 12/03/22 2:33 am, Nayna Jain wrote:
> Some firmware support secure boot by embedding static keys to verify the
> Linux kernel during boot. However, these firmware do not expose an
> interface for the kernel to load firmware keys onto the ".platform"
> keyring, preventing the kernel from verifying the kexec kernel image
> signature.
>
> This patchset exports load_certificate_list() and defines a new function
> load_builtin_platform_cert() to load compiled in certificates onto the
> ".platform" keyring.
>
> Changelog:
> v12:
> * Replace Patch 3/4 with reverting of the commit as suggested by
> Masahiro Yamada.
>
Tested the following four patches ov v12 with and with out setting
CONFIG_INTEGRITY_PLATFORM_KEYS
Tested-by: Nageswara R Sastry <[email protected]>
1. With CONFIG_INTEGRITY_PLATFORM_KEYS set to a key
# grep pem .config
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
# grep
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST"
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# cat /proc/keys | grep platform
0a7a11a9 I------ 1 perm 1f0b0000 0 0 keyring .platform: 1
# keyctl show %keyring:.platform
Keyring
175772073 ---lswrv 0 0 keyring: .platform
519271447 ---lswrv 0 0 \_ asymmetric: IBM Corporation:
Guest Secure Boot Imprint Kernel Signing Key:
a0cf9069c30875320cb10a77325d4fa7012f8d12
2. With out CONFIG_INTEGRITY_PLATFORM_KEYS set, leaving empty
# grep pem .config
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
# grep
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST"
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS=""
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# cat /proc/keys | grep platform
39c749b9 I------ 1 perm 1f0b0000 0 0 keyring .platform: empty
# keyctl show %keyring:.platform
Keyring
969361849 ---lswrv 0 0 keyring: .platform
>
> base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9
--
Thanks and Regards
R.Nageswara Sastry