Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp770167imu; Wed, 9 Jan 2019 06:09:45 -0800 (PST) X-Google-Smtp-Source: ALg8bN4TD8PTrgV7V+gnfdQE4Ck84T//JSKzKJHK3+GLXjyaEwoBg9Ndrs/0aa8jzrNyRlXhU7St X-Received: by 2002:a63:2315:: with SMTP id j21mr5570947pgj.297.1547042985186; Wed, 09 Jan 2019 06:09:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547042985; cv=none; d=google.com; s=arc-20160816; b=0hclFlUtZu5OlDlGDRT1yAB94qknQYUNpI7W+NuVUxA/j60z5ASH2KvAaTdShwHRC6 7h9xacoBJCtExrgucz8xXAITcp/1wmoi3VuC6ND/PsRwpt1Af+5Bebhu2IEgimDxKfJ5 YdZlSb9nTA1SBfrOprAH6LHrR8etd7zAT6yldLWd7PRxUCFeBLV8I77cngVGMXUiuGZK H5Z/c/7C+plKfzMaGpIEcJh0tKCn9hND1ElOekDYWnKFFw7MQVXQJN5kcZD3ONOUV+7G 6IIGuEGCKAu25ukPPMAT0cEvHb/mLU+GLU0s0gw85+dyjK+5Lt5GmSuYfMnjjBONMEmI wnoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=NnKZlisuQJi3+6ySGS1t+2E9pldc3qvfBEik58DK+N0=; b=aQP351PGbap8zHlJa2kVgPMEdtxh4j2ev1ii28O8WQCHAnfn0cfWnxoTJ8Y8Qxqw3W LOru87DuPdCY3mAaosUjrUZHMbx7LCRPKc0daghMUH39FFGO/IfDxpHc9o9S5XggK8fB 2lyryE4O4sa+ScGGoOHmXJZlFDXV24U7FyY71daZhuX4sDEBPypKKGWOcFKPlLbf70T/ JWHV9TROWJFSR8eLFPk8Z3oS/0Gdrd6UiVxzcN9WzIDR36JjyUcJhFpld3PjryOdkzaX jkQMhRz150U+DRaQ/3J8ezdmAFmic3O8zr7hXF7PTtlCdmT6aZB0K629Lnn4SKOftL5w 4XAQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y20si1325106plp.415.2019.01.09.06.09.29; Wed, 09 Jan 2019 06:09:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730965AbfAIOH7 (ORCPT + 99 others); Wed, 9 Jan 2019 09:07:59 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52828 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730543AbfAIOH6 (ORCPT ); Wed, 9 Jan 2019 09:07:58 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id x09E4FV4081883 for ; Wed, 9 Jan 2019 09:07:58 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2pwhr8ab2a-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 09 Jan 2019 09:07:57 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 9 Jan 2019 14:07:55 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 9 Jan 2019 14:07:50 -0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x09E7mXN47448156 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 9 Jan 2019 14:07:48 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6FD32AE063; Wed, 9 Jan 2019 14:07:48 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BC7DFAE05F; Wed, 9 Jan 2019 14:07:46 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.106.104]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 9 Jan 2019 14:07:46 +0000 (GMT) Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys From: Mimi Zohar To: Dave Young Cc: Kairui Song , linux-kernel@vger.kernel.org, dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, linux-security-module , linux-integrity , kexec@lists.infradead.org Date: Wed, 09 Jan 2019 09:07:36 -0500 In-Reply-To: <20190109013356.GA2610@dhcp-128-65.nay.redhat.com> References: <20190108081247.2266-1-kasong@redhat.com> <20190108081247.2266-2-kasong@redhat.com> <1546960680.19931.114.camel@linux.ibm.com> <20190109013356.GA2610@dhcp-128-65.nay.redhat.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19010914-0008-0000-0000-000002AE5E88 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19010914-0009-0000-0000-0000221A60A4 Message-Id: <1547042856.19931.229.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-01-09_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901090119 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2019-01-09 at 09:33 +0800, Dave Young wrote: > CC kexec list > On 01/08/19 at 10:18am, Mimi Zohar wrote: > > [Cc'ing the LSM and integrity mailing lists] > > > > Repeating my comment on PATCH 0/1 here with the expanded set of > > mailing lists. > > > > The builtin and secondary keyrings have a signature change of trust > > rooted in the signed kernel image.  Adding the pre-boot keys to the > > secondary keyring breaks that signature chain of trust. > > > > Please do NOT add the pre-boot "platform" keys to the secondary > > keyring. > > If we regard kexec as a bootloader, it sounds natural to use the > platform key to verify the signature with kexec_file_load syscall. > > It will be hard for user to manually sign a kernel and import the key > then to reuse kexec_file_load. This is really a generic topic, not limited to kexec, which should be discussed.  Let's defer this discussion for now. > > I think we do not care if platform key can be added to secondary or not, > any suggestions how can kexec_file to use the platform key? I assume the problem is accessing the keyring id. Instead of defining a function to return the keyring id, as below, define a function that sets a variable with the keyring id.  platform_keyring_init() would call that function to set the variable. Similar to builtin_trusted_keys and secondary_trusted_keys, define a variable named platform_trusted_keys. [snip] > > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > > > index f45d6edecf99..397758d4f12d 100644 > > > --- a/security/integrity/digsig.c > > > +++ b/security/integrity/digsig.c > > > @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source, > > > pr_info("Loading X.509 certificate: %s\n", source); > > > return integrity_add_key(id, data, len, perm); > > > } > > > + > > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > > +struct key* __init integrity_get_platform_keyring(void) > > > +{ > > > + return keyring[INTEGRITY_KEYRING_PLATFORM]; > > > +} > > > +#endif Mimi