Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4481940imu;
        Tue, 8 Jan 2019 00:38:21 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6exk6gdYBD4bWbaunGbiMjr0YRa8gFVx9fMAaLw99kHPoGV5MUj1YgE4FUltHVA8fK6RFo
X-Received: by 2002:a63:9843:: with SMTP id l3mr704420pgo.413.1546936701792;
        Tue, 08 Jan 2019 00:38:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546936701; cv=none;
        d=google.com; s=arc-20160816;
        b=UEAzjiRfhByVz/WGpm8StJOEaMMe/Lnyb9ogAFA3AXFhZRW7CctBHRn3EracHNGBQg
         oJjf8UG64rfIfcOV29tb+X/ZQ9XgclRNbdSjR/ocl7fbA6LltgqTgRqt86g6Br1qGeWD
         3owFpY3s4taiXS9pXaA7esynIkr90isMPwMYDd8pwRue2+5ocub+42+JnrdZwkTFbGwg
         4uInZs8CcmLO//V8BJS+FB3z2bk9mBEg6qi/ynOzRtud75L0AWvhXuVCJzHsumzkdWym
         NfGS1nROO6QOmSACb7bhxTKaRl+MtLC8c9Ic9/ruvbWsyc6f9iPPSV9G6CBleBGOph1v
         iLdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=txk/f7oO9J0UUNTuyhM9osuv+GiMpsWTnq5hF9Lw6cE=;
        b=aS02Wrg9Q1HJwGussf9BRPpNDb6C832Gira5oJk/anLmguEwlgKtqbC8JllH/uAmO/
         FPRRbCJ/HNW6FuAsne2jGlAw1kf5iYRm1buVMfExFWa1PH7Xn1H7f7f2rMMdyG01QgKb
         j+9UVdZP0YW9TTedG3y6PxoUei4DRG4SwUHj5E7XPhciv0SuQEugQwsYTQ+MipgWxVGE
         vXBFevCCSkk+LPgYetW81He0Bf7QLMLcO0fN5lR5clIBksNL0daEfQwVArH4ryYauvLV
         v1QNuC+A67qibC6IRi6B0sat2UB4dQiK+30hkSbav1n10c5bvi4Ftkul27gyqAATaRQa
         7Pcw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 66si1086745plc.125.2019.01.08.00.38.05;
        Tue, 08 Jan 2019 00:38:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728087AbfAHIM6 (ORCPT <rfc822;parkch98@gmail.com> + 99 others);
        Tue, 8 Jan 2019 03:12:58 -0500
Received: from mx1.redhat.com ([209.132.183.28]:49640 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728018AbfAHIM6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Jan 2019 03:12:58 -0500
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 15F9BC0BEAB8;
        Tue,  8 Jan 2019 08:12:58 +0000 (UTC)
Received: from kasong-desktop-nay-redhat-com.nay.redhat.com (unknown [10.66.128.41])
        by smtp.corp.redhat.com (Postfix) with ESMTP id D4E9A226FE;
        Tue,  8 Jan 2019 08:12:49 +0000 (UTC)
From:   Kairui Song <kasong@redhat.com>
To:     linux-kernel@vger.kernel.org
Cc:     dhowells@redhat.com, dwmw2@infradead.org,
        jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
        jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
        bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
        dyoung@redhat.com, Kairui Song <kasong@redhat.com>
Subject: [RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date:   Tue,  8 Jan 2019 16:12:46 +0800
Message-Id: <20190108081247.2266-1-kasong@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 08 Jan 2019 08:12:58 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi, as the subject, this is a patch that links the new introduced
.platform keyring into .secondary_trusted_keys keyring. This is
mainly for the kexec_file_load, make kexec_file_load be able to verify
the kernel image agains keys provided by platform or firmware.
kexec_file_load already could verify the image agains secondary_trusted_keys
if secondary_trusted_keys exits, so this will make kexec_file_load be ware
of platform keys as well.

This may also useful for things like module sign verify that are using
secondary_trusted_keys. I'm not sure if it will be better to move the
INTEGRITY_PLATFORM_KEYRING to certs/ and let integrity subsystem use
the keyring there, so just linked the .platform keyring into kernel's
.secondary_trusted_keys keyring.

It workd for my case, tested in a VM, I signed the kernel image locally
with pesign and imported the cert to EFI's MokList variable.

Kairui Song (1):
  KEYS, integrity: Link .platform keyring to .secondary_trusted_keys

 certs/system_keyring.c          | 30 ++++++++++++++++++++++++++++++
 include/keys/platform_keyring.h | 12 ++++++++++++
 security/integrity/digsig.c     |  7 +++++++
 3 files changed, 49 insertions(+)
 create mode 100644 include/keys/platform_keyring.h

-- 
2.20.1