From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, keyrings@vger.kernel.org, vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au, Nayna Jain
Subject: [PATCH v2 0/7] add platform/firmware keys support for kernel verification by IMA
Date: Sun, 9 Dec 2018 01:56:58 +0530
Message-Id: <20181208202705.18673-1-nayna@linux.ibm.com>

On secure boot enabled systems, a verified kernel may need to kexec
additional kernels. For example, it may be used as a bootloader needing
to kexec a target kernel or it may need to kexec a crashdump kernel. In
such cases, it may want to verify the signature of the next kernel
image.

It is possible that the new kernel image is signed with third party keys
which are stored as platform or firmware keys in the 'db' variable. The
kernel, however, cannot directly verify these platform keys, and an
administrator may therefore not want to trust them for arbitrary usage.
In order to differentiate platform keys from other keys and provide the
necessary separation of trust the kernel needs an additional keyring to
store platform/firmware keys.

The secure boot key database is expected to store the keys as EFI
Signature List (ESL). The patch set uses David Howells and Josh Boyer's
patch to access and parse the ESL to extract the certificates and load
them onto the platform keyring.

The last patch in this patch set adds support for IMA-appraisal to
verify the kexec'ed kernel image based on keys stored in the platform
keyring.

Changelog:

v0:
- The original patches loaded the certificates onto the secondary
  trusted keyring. This patch set defines a new keyring named
  ".platform" and adds the certificates to this new keyring
- removed CONFIG EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS
- moved files from certs/ to security/integrity/platform_certs/

v2:
- fixed the checkpatch warnings and other formatting as suggested by
  Mimi Zohar
- fixed coding style as suggested by Serge Hallyn in Patch "ima: Support
  platform keyring for kernel appraisal"

Dave Howells (2):
  efi: Add EFI signature data types
  efi: Add an EFI signature blob parser

Josh Boyer (2):
  efi: Import certificates from UEFI Secure Boot
  efi: Allow the "db" UEFI variable to be suppressed

Nayna Jain (3):
  integrity: Define a trusted platform keyring
  integrity: Load certs to the platform keyring
  ima: Support platform keyring for kernel appraisal

 include/linux/efi.h                                |  34 ++++
 security/integrity/Kconfig                         |  11 ++
 security/integrity/Makefile                        |   5 +
 security/integrity/digsig.c                        | 115 ++++++++----
 security/integrity/ima/ima_appraise.c              |  13 +-
 security/integrity/integrity.h                     |  23 ++-
 security/integrity/platform_certs/efi_parser.c     | 108 ++++++++++++
 security/integrity/platform_certs/load_uefi.c      | 196 +++++++++++++++++++++
 .../integrity/platform_certs/platform_keyring.c    |  62 +++++++
 9 files changed, 528 insertions(+), 39 deletions(-)
 create mode 100644 security/integrity/platform_certs/efi_parser.c
 create mode 100644 security/integrity/platform_certs/load_uefi.c
 create mode 100644 security/integrity/platform_certs/platform_keyring.c

--
2.13.6