From: Kairui Song
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com, linux-integrity@vger.kernel.org, kexec@lists.infradead.org, Kairui Song
Subject: [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring
Date: Mon, 21 Jan 2019 17:59:28 +0800
Message-Id: <20190121095929.26915-2-kasong@redhat.com>
In-Reply-To: <20190121095929.26915-1-kasong@redhat.com>
References: <20190121095929.26915-1-kasong@redhat.com>

commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
introduced a .platform keyring for storing preboot keys, used for
verifying kernel images' signatures. Currently only IMA-appraisal is
able to use the keyring to verify kernel images that have their
signature stored in xattr.

This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.

Suggested-by: Mimi Zohar
Signed-off-by: Kairui Song
---
 certs/system_keyring.c        | 9 +++++++++
 include/keys/system_keyring.h | 9 +++++++++
 security/integrity/digsig.c   | 3 +++
 3 files changed, 21 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..4690ef9cda8a 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +static struct key *platform_trusted_keys; +#endif extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature); +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +void __init set_platform_trusted_keys(struct key *keyring) { + platform_trusted_keys = keyring; +} +#endif + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 359c2f936004..df766ef8f03c 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -61,5 +61,14 @@ static inline struct key *get_ima_blacklist_keyring(void) } #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING + +extern void __init set_platform_trusted_keys(struct key* keyring); + +#else + +static inline void set_platform_trusted_keys(struct key* keyring) { }; + +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..e19c2eb72c51 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); keyring[id] = NULL; + } else { + if (id == INTEGRITY_KEYRING_PLATFORM) + set_platform_trusted_keys(keyring[id]); } return err; -- 2.20.1
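Review bot: in the `@@ -24,6 +24,9 @@` hunk of certs/system_keyring.c, the new `platform_trusted_keys` is only ever written (by `set_platform_trusted_keys()` further down) and nothing in this patch reads it, so 1/2 on its own adds a piece of state with no consumer. That is fine for a series, but the commit message should say explicitly that the reader is the PE verification path added in 2/2, and a one-line comment above the declaration (e.g. `/* Set from the .platform keyring by integrity_init_keyring() */`) would tell someone who lands on this file where the pointer comes from, since the assignment lives in security/integrity/digsig.c rather than here.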
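Review bot: two points on the `@@ -265,4 +268,10 @@` hunk of certs/system_keyring.c. First, the definition is placed before `#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */`, so it only exists when that option is set, while the header declares `set_platform_trusted_keys()` under `CONFIG_INTEGRITY_PLATFORM_KEYRING` alone; unless Kconfig guarantees that the platform keyring implies SYSTEM_DATA_VERIFICATION, a build with the keyring on and data verification off gets a declaration with no definition and an undefined reference from digsig.c. Moving the `#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING` block after the `#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */` line removes the dependency. Second, `void __init set_platform_trusted_keys(struct key *keyring) {` puts the opening brace on the signature line; kernel style wants it on its own line, as `verify_pkcs7_signature()` just above does.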
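Review bot: style in the include/keys/system_keyring.h hunk: both `struct key* keyring` spellings should be `struct key *keyring` (asterisk next to the name, matching `get_ima_blacklist_keyring()` in the same file), the stub `static inline void set_platform_trusted_keys(struct key* keyring) { };` has a stray `;` after the closing brace, and the blank lines directly after `#ifdef` and before `#endif` are not used elsewhere in this header; the surrounding `CONFIG_IMA_BLACKLIST_KEYRING` block shows the expected layout.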
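Review bot: in the security/integrity/digsig.c hunk, `set_platform_trusted_keys()` is declared `__init`, but the hunk context shows its caller as `static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,` with no `__init` annotation; if the compiler does not inline it into an `__init` caller, modpost will warn about a reference from .text to .init.text. Mark `__integrity_init_keyring()` (and the boot-only functions that call it) `__init` in this patch so the series builds warning-free on its own. Minor: `} else { if (id == INTEGRITY_KEYRING_PLATFORM) ... }` reads more naturally as `} else if (id == INTEGRITY_KEYRING_PLATFORM) {` without the extra nesting.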