Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp258118imu; Wed, 12 Dec 2018 16:18:42 -0800 (PST) X-Google-Smtp-Source: AFSGD/VmnAwXwpjvgwnTUxXEwx4oQTYQERl2kWmJ1RGXYg+tdoyFy5Nxo76/E9hsiynPCg3t9wLm X-Received: by 2002:a63:4566:: with SMTP id u38mr20013736pgk.4.1544660322712; Wed, 12 Dec 2018 16:18:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544660322; cv=none; d=google.com; s=arc-20160816; b=vGx4P26b/Bd7IC8SAqBtTwqzyP3BflNaazHav0XeLjkG7bmikmV2NHKb9X3+srfWSC 4C1vQW6AuXZR49w03G0y830p0aa8IYfm2oCfZcurqt946FZ+DAmTVQQLB0iX5XP/ZX6e c9AaidNtp1oZW4RBqB2YwsXqOsNh+P/J7OVV1CC0Yfjh3hBDVVElGTYPT8C0hUnHZXBW Kbee3xOF3FIQEZqDvuGxKQqG6GbwYkssoPHDQSG5SJ7sFKvkAtRapQVDks72tcGgUH8r Ez9sfiWMlAt/RLTN1iAB2N9CKA8UkrKe6yYdcV/Y72bQ7feYRJ+KjsuZM+ncRe9Q0G6A rGyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:mime-version:date:in-reply-to :subject:cc:to:from:user-agent:references; bh=fBYGSsgf0P1/L0ssTQshYjmWLp1VSwfe3grmskTg8wE=; b=rl6MkOY2CUu0iIZzGpU8u+S0K3PIcoMS90Sw9l1C3D7i7SM1xoRju30brAhVCUnLj+ pdX8qp025Iktif3vufL+cqKdSivP08bFxkLddZWrr328krTzVKuCIqMXIdom4JrYNCkp vJc9Em0l9V1Oz+NBWOTWVpfYgyes66gINeT6yJv3kO7ZxzNZzcqAbf9oCMcfSYw/1dT+ vKW0liJaAEUJEtIdJ+8Uz5PSa/yabZ4EQFqlvi7ylhP79BUJdYAN1wnxt1z+UfW+msIB 8N7WChsowNv3URTHMOvwu54KRlpVBVgp6OtV+Fb2c0Pg21r7J7Mk5BrtR3NJKtlacniH l41g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l3si205393pld.229.2018.12.12.16.17.53; Wed, 12 Dec 2018 16:18:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728461AbeLMAQX (ORCPT + 99 others); Wed, 12 Dec 2018 19:16:23 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52978 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727001AbeLMAQW (ORCPT ); Wed, 12 Dec 2018 19:16:22 -0500 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wBD0EnG0060824 for ; Wed, 12 Dec 2018 19:16:21 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 2pb9fe8es7-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 12 Dec 2018 19:16:20 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 13 Dec 2018 00:16:20 -0000 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 13 Dec 2018 00:16:16 -0000 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id wBD0GEYR25559180 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 13 Dec 2018 00:16:14 GMT Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AEF09C605F; Thu, 13 Dec 2018 00:16:14 +0000 (GMT) Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3F9BCC6059; Thu, 13 Dec 2018 00:16:01 +0000 (GMT) Received: from morokweng.localdomain (unknown [9.80.227.60]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTPS; Thu, 13 Dec 2018 00:16:00 +0000 (GMT) References: <20181208202705.18673-2-nayna@linux.ibm.com> <20181209044849.825-1-nayna@linux.ibm.com> User-agent: mu4e 1.0; emacs 26.1 From: Thiago Jung Bauermann To: Nayna Jain Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, keyrings@vger.kernel.org, vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au Subject: Re: [PATCH v2 1/7] integrity: Define a trusted platform keyring In-reply-to: <20181209044849.825-1-nayna@linux.ibm.com> Date: Wed, 12 Dec 2018 22:15:56 -0200 MIME-Version: 1.0 Content-Type: text/plain X-TM-AS-GCONF: 00 x-cbid: 18121300-0012-0000-0000-000016E9057D X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00010216; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000270; SDB=6.01130913; UDB=6.00587691; IPR=6.00911046; MB=3.00024673; MTD=3.00000008; XFM=3.00000015; UTC=2018-12-13 00:16:19 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18121300-0013-0000-0000-0000556F38C5 Message-Id: <871s6mffib.fsf@morokweng.localdomain> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-12-12_04:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812130000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Nayna Jain writes: > On secure boot enabled systems, a verified kernel may need to kexec > additional kernels. For example, it may be used as a bootloader needing > to kexec a target kernel or it may need to kexec a crashdump kernel. In > such cases, it may want to verify the signature of the next kernel > image. > > It is further possible that the kernel image is signed with third party > keys which are stored as platform or firmware keys in the 'db' variable. > The kernel, however, can not directly verify these platform keys, and an > administrator may therefore not want to trust them for arbitrary usage. > In order to differentiate platform keys from other keys and provide the > necessary separation of trust, the kernel needs an additional keyring to > store platform keys. > > This patch creates the new keyring called ".platform" to isolate keys > provided by platform from keys by kernel. These keys are used to > facilitate signature verification during kexec. Since the scope of this > keyring is only the platform/firmware keys, it cannot be updated from > userspace. > > This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING. > > Signed-off-by: Nayna Jain > Reviewed-by: Mimi Zohar > Acked-by: Serge Hallyn > --- > security/integrity/Kconfig | 11 +++++ > security/integrity/Makefile | 1 + > security/integrity/digsig.c | 48 +++++++++++++++------- > security/integrity/integrity.h | 3 +- > .../integrity/platform_certs/platform_keyring.c | 35 ++++++++++++++++ > 5 files changed, 83 insertions(+), 15 deletions(-) > create mode 100644 security/integrity/platform_certs/platform_keyring.c Reviewed-by: Thiago Jung Bauermann -- Thiago Jung Bauermann IBM Linux Technology Center