Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4638060imu; Sun, 25 Nov 2018 07:23:32 -0800 (PST) X-Google-Smtp-Source: AFSGD/VE4TIln54qQZb2AbXcyBnfNtRahJjUaLwlYpR4w5oBQBwiDvZela5ry8Jgf1XRwTV0PA7X X-Received: by 2002:a63:da14:: with SMTP id c20mr20539060pgh.233.1543159412167; Sun, 25 Nov 2018 07:23:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543159412; cv=none; d=google.com; s=arc-20160816; b=ue+/8ZJ0PA1ad/pNxu/s1+viGaI5fVJCurreix06qhMaqlQXn5Emmderkk9bY6IvVM jC/gKz0h+fZeGj/04G4i5cvQ57ACgn7V8ATFmgW4HuPni/y616b36WLX8GIPBI0RKNuk kyK3NVbANul0Dgl/XRfPgsiUFAP3OwA60vX8TAn80K42kxZLTZt4UW69OQD6oB1FqjI+ IRX/zrBiyhyP8cHweZhUdfbGr6SCPidvYKrUlEy3f2ONqU5/AAxZpe2mR9I8rpYPwHRo fGr4YWu6zC51L36xw9yWDcC1Wn26RYEPuwi+1tKySyEaO5iT8jjsnBj9MFqSSMxx7SL7 Jiqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=CztPiY3Mc/IJcpI0P7eAT2CC6cPXcpFn2XHXUF3CBZk=; b=A+Xt+jOm/6RH3ZsqpP9Fx3l3Vbi2UfMsLhWIhn9jVqjJLlnh9i2tPuhUC31cA5HFfy /CBM28iMZfEc1Mkg7+wqtrznDx+UIKWrVAxNMpmSnxLSoxTHkRbIJ3pVRRqWRP5WReAp Cq492QuKkLjfoh7MzJXE+zKK7qCGzA3UpSfTSHxHydki/E2iI+/+6lmDsPJSgGiSWVvS xUgLXwHyQNaLme1012knPcomwmMTaBa/7ph897aK26bD+itf7pa6Z6O0eIW0VDMNsU7I gj0ERdtnamaY8dW7/7tb5P2lRl4OMa6Hn4VB6U3N9icYpFATQMV8o3ui3pjQTqU+AyEh kOIA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b124si41957611pfg.47.2018.11.25.07.23.17; Sun, 25 Nov 2018 07:23:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726429AbeKZCJw (ORCPT + 99 others); Sun, 25 Nov 2018 21:09:52 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:43998 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726226AbeKZCJw (ORCPT ); Sun, 25 Nov 2018 21:09:52 -0500 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wAPFFFcJ019907 for ; Sun, 25 Nov 2018 10:18:35 -0500 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 2nymdtxxkr-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sun, 25 Nov 2018 10:18:34 -0500 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sun, 25 Nov 2018 15:18:32 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Sun, 25 Nov 2018 15:18:27 -0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id wAPFIPni41484394 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Sun, 25 Nov 2018 15:18:25 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A8FDA4C046; Sun, 25 Nov 2018 15:18:25 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C27634C040; Sun, 25 Nov 2018 15:18:21 +0000 (GMT) Received: from swastik.ibmuc.com (unknown [9.85.72.131]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Sun, 25 Nov 2018 15:18:21 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, keyrings@vger.kernel.org, vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au, Nayna Jain Subject: [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Date: Sun, 25 Nov 2018 20:44:53 +0530 X-Mailer: git-send-email 2.13.6 X-TM-AS-GCONF: 00 x-cbid: 18112515-0028-0000-0000-000003213452 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18112515-0029-0000-0000-000023DD3549 Message-Id: <20181125151500.8298-1-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-25_14:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811250071 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On secure boot enabled systems, a verified kernel may need to kexec additional kernels. For example, it may be used as a bootloader needing to kexec a target kernel or it may need to kexec a crashdump kernel. In such cases, it may want to verify the signature of the next kernel image. It is possible that the new kernel image is signed with third party keys which are stored as platform or firmware keys in the 'db' variable. The kernel, however, can not directly verify these platform keys, and an administrator may therefore not want to trust them for arbitrary usage. In order to differentiate platform keys from other keys and provide the necessary separation of trust the kernel needs an additional keyring to store platform/firmware keys. The secure boot key database is expected to store the keys as EFI Signature List(ESL). The patch set uses David Howells and Josh Boyer's patch to access and parse the ESL to extract the certificates and load them onto the platform keyring. The last patch in this patch set adds support for IMA-appraisal to verify the kexec'ed kernel image based on keys stored in the platform keyring. Changelog: v0: - The original patches loaded the certificates onto the secondary trusted keyring. This patch set defines a new keyring named ".platform" and adds the certificates to this new keyring - removed CONFIG EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS - moved files from certs/ to security/integrity/platform_certs/ Dave Howells (2): efi: Add EFI signature data types efi: Add an EFI signature blob parser Josh Boyer (2): efi: Import certificates from UEFI Secure Boot efi: Allow the "db" UEFI variable to be suppressed Nayna Jain (3): integrity: define a trusted platform keyring integrity: load certs to the platform keyring ima: support platform keyring for kernel appraisal include/linux/efi.h | 34 ++++ security/integrity/Kconfig | 11 ++ security/integrity/Makefile | 5 + security/integrity/digsig.c | 115 ++++++++---- security/integrity/ima/ima_appraise.c | 11 +- security/integrity/integrity.h | 23 ++- security/integrity/platform_certs/efi_parser.c | 112 ++++++++++++ security/integrity/platform_certs/load_uefi.c | 192 +++++++++++++++++++++ .../integrity/platform_certs/platform_keyring.c | 62 +++++++ 9 files changed, 527 insertions(+), 38 deletions(-) create mode 100644 security/integrity/platform_certs/efi_parser.c create mode 100644 security/integrity/platform_certs/load_uefi.c create mode 100644 security/integrity/platform_certs/platform_keyring.c -- 2.13.6