From: Kairui Song
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com, Kairui Song
Subject: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Tue, 8 Jan 2019 16:12:47 +0800
Message-Id: <20190108081247.2266-2-kasong@redhat.com>
In-Reply-To: <20190108081247.2266-1-kasong@redhat.com>
References: <20190108081247.2266-1-kasong@redhat.com>

Currently kexec may need to verify the kernel image, and the kernel image could be signed with third-party keys which are provided by platform or firmware (e.g. stored in the MokListRT EFI variable). At the same time, kexec_file_load will only verify the image against .builtin_trusted_keys or .secondary_trusted_keys according to configuration, but there is no way for kexec_file_load to verify the image against any third-party keys mentioned above.

In ea93102f3224 ('integrity: Define a trusted platform keyring') a .platform keyring is introduced to store the keys provided by platform or firmware. And with a few following commits including 15ea0e1e3e185 ('efi: Import certificates from UEFI Secure Boot'), now the keys required to verify the image are being imported into the .platform keyring, and later IMA-appraisal could access the keyring and verify the image.

This patch links the .platform keyring to .secondary_trusted_keys so kexec_file_load could also leverage the .platform keyring to verify the kernel image.
Signed-off-by: Kairui Song --- certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++ include/keys/platform_keyring.h | 12 ++++++++++++ security/integrity/digsig.c | 7 +++++++ 3 files changed, 49 insertions(+) create mode 100644 include/keys/platform_keyring.h diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..dcef0259e149 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -18,12 +18,14 @@ #include #include #include +#include #include static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +static struct key *platform_keys = NULL; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; @@ -67,6 +69,12 @@ int restrict_link_by_builtin_and_secondary_trusted( /* Allow the builtin keyring to be added to the secondary */ return 0; + if (type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &platform_keys->payload) + /* Allow the platform keyring to be added to the secondary */ + return 0; + return restrict_link_by_signature(dest_keyring, type, payload, secondary_trusted_keys); } @@ -188,6 +196,28 @@ static __init int load_system_certificate_list(void) } late_initcall(load_system_certificate_list); +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SECONDARY_TRUSTED_KEYRING) + +/* + * Link .platform keyring to .secondary_trusted_key keyring + */ +static __init int load_platform_certificate_list(void) +{ + int ret = 0; + platform_keys = integrity_get_platform_keyring(); + if (!platform_keys) { + return 0; + } + ret = key_link(secondary_trusted_keys, platform_keys); + if (ret < 0) { + pr_err("Failed to link platform keyring: %d", ret); + } + return 0; +} +late_initcall(load_platform_certificate_list); + +#endif + #ifdef CONFIG_SYSTEM_DATA_VERIFICATION /** 
diff --git a/include/keys/platform_keyring.h b/include/keys/platform_keyring.h new file mode 100644 index 000000000000..4f92ed6c0b42 --- /dev/null +++ b/include/keys/platform_keyring.h @@ -0,0 +1,12 @@ +#ifndef _KEYS_PLATFORM_KEYRING_H +#define _KEYS_PLATFORM_KEYRING_H + +#include + +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING + +extern const struct key* __init integrity_get_platform_keyring(void); + +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ + +#endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..397758d4f12d 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source, pr_info("Loading X.509 certificate: %s\n", source); return integrity_add_key(id, data, len, perm); } + +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +struct key* __init integrity_get_platform_keyring(void) +{ + return keyring[INTEGRITY_KEYRING_PLATFORM]; +} +#endif -- 2.20.1
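Review bot: in the first certs/system_keyring.c hunk (@@ -18,12 +18,14 @@), `static struct key *platform_keys = NULL;` is declared unconditionally but is only ever assigned inside the later `#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SECONDARY_TRUSTED_KEYRING)` block, so every other configuration carries a static that is compared against but never set. Put the declaration (and the new `+#include` that only that block needs) under the same condition, and drop the `= NULL`: statics are zero-initialised and checkpatch flags an explicit NULL initialiser.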
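Review bot: in the restrict_link_by_builtin_and_secondary_trusted() hunk (@@ -67,6 +69,12 @@), `payload == &platform_keys->payload` is evaluated while `platform_keys` can still be NULL: it is only set from a late_initcall and stays NULL whenever integrity_get_platform_keyring() returns NULL, so the new condition computes a member address through a null pointer. Guard it with `platform_keys &&` ahead of the payload comparison. On the trust model: this exception admits the entire .platform keyring into .secondary_trusted_keys, so every key the firmware hands over (the commit message cites MokListRT) becomes trusted by every caller that verifies against the secondary keyring, not only kexec_file_load, which is the sole consumer the commit message motivates. The description should state that widening explicitly and say why a kexec_file_load lookup of the .platform keyring itself was not chosen instead.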
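Review bot: in the load_platform_certificate_list() hunk (@@ -188,6 +196,28 @@), the new function is registered with late_initcall(), the same level as load_system_certificate_list() right above it, and ordering within one initcall level is link-order dependent; if the .platform keyring has not been created yet when this runs, integrity_get_platform_keyring() returns NULL and the function returns 0 silently, leaving nothing linked and no trace in the log. Either order it explicitly (a later level such as late_initcall_sync) or at minimum log the skip. Smaller points in the same hunk: the `pr_err("Failed to link platform keyring: %d", ret)` format lacks a trailing `\n`; the comment says `.secondary_trusted_key` (missing `s`); `int ret = 0;` is a dead initialiser; and the braces around the single-statement `if` bodies are not kernel style.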
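Review bot: in the new include/keys/platform_keyring.h, the closing guard comment reads `/* _KEYS_SYSTEM_KEYRING_H */` while the guard opened is `_KEYS_PLATFORM_KEYRING_H`, a copy-paste leftover. More importantly, the declaration `extern const struct key* __init integrity_get_platform_keyring(void);` returns `const struct key *`, but the definition added to security/integrity/digsig.c in this same patch returns `struct key *`; the two must agree, and since the only caller stores the result in a non-const `struct key *` and hands it to key_link(), the non-const form is the one actually needed. Also `struct key*` should be spelled `struct key *`.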
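Review bot: in the security/integrity/digsig.c hunk (@@ -176,3 +176,10 @@), the file does not include the header that declares integrity_get_platform_keyring(), so the compiler never checks this definition against its prototype (sparse will also warn about a missing prototype); add the include here. The function returns the raw `keyring[INTEGRITY_KEYRING_PLATFORM]` pointer without taking a reference. That works for the one caller in this patch because key_link() takes its own reference for the link, but a "get" named function that transfers no reference invites misuse by a later caller that holds the pointer; either document that no reference is transferred or return key_get() of it and have the caller put it. `struct key*` spacing here as well.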