Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp770530pxp; Fri, 11 Mar 2022 14:40:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJw8sr51QeMLY8xGNVhVDtGMpU0t6iS1e7GUxXT0v+IsvKs8l4+AZyoELoZgWoD/xqJDE0Sa X-Received: by 2002:a63:fb44:0:b0:372:9ec8:745a with SMTP id w4-20020a63fb44000000b003729ec8745amr10125530pgj.551.1647038443247; Fri, 11 Mar 2022 14:40:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647038443; cv=none; d=google.com; s=arc-20160816; b=jaFj/EwWHR5NsYDgUykLwHlZCg+hldJua3Fb4jEyANxrIGj6ZWGH/6S4PbAgLGcqVE IYuKaTAcFJLpcUfKiASjc0sHYk+KgW2rWoYg36YgSvMF763Uyd1GzUpSYETyKp6OX8kN LBaqjv2T2n10WdgWvXwJFXeo1q4IYgj00lqd2naKcG2gu+G+XjoLwXguXYFG20zRUl6S fvICXj2VPxm52OGsXKmExBlSAJ8Tfhz2eY3cWKFXudPzHmL6ceRAC7/kdhfpIryhYAQU y4yWuCA/BNXD0qDWzpPaS1/LlBq9Etz5OnScYiu6phnHvQJHyC41o1ImnyqmaRdOQ7fo ViwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=iQxtb/7lCQ0efAo8Wg+K2sWOfPub5fnx4THFhX7S5uU=; b=FQBWTx1/FVwH0ZT5SOUJIkwDBdLCs3uVeBxLAOE6HBGvr0lj8XW2GOQXEFukJYG8tf EqdpmeRhDHSoLy2yf54w1bsxb+xJloaHZF3aP7UzZ3ZQdI6zxpykQ0x1uBEQ2PJsNBJT BYaOTQgjDvPkRt19lz4Gv4MWOB7+mKF1RvqgsTE6egG7e23msYXUBIfFEKIYrlt7Va2a Wgn3+kiR6jYefYwYPXdzAgiaQPX9t2LDlMFSrsdHLIPtiH19q6KOnKeFWoy61lC0oBdH 6KLfE7wUWHTg3QOR9+lDWuQKX6LoWOeOk5/KEa+9Ds07+1Mi3+6s4zqS/RPidEK7yZs9 RSag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GIgHtmez; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id g5-20020a056a001a0500b004f7090d5e3csi9510065pfv.123.2022.03.11.14.40.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 14:40:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GIgHtmez; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8C3D5403CB; Fri, 11 Mar 2022 13:45:05 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350401AbiCKQlK (ORCPT + 99 others); Fri, 11 Mar 2022 11:41:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231971AbiCKQlH (ORCPT ); Fri, 11 Mar 2022 11:41:07 -0500 Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA8C91B60B0; Fri, 11 Mar 2022 08:40:03 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 0F5E9CE294C; Fri, 11 Mar 2022 16:40:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E1125C340E9; Fri, 11 Mar 2022 16:39:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1647016800; bh=xAQesJm2XzMSPjRWRkbuzP8E/HwIUyUXHhBDPK3AifM=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=GIgHtmezvcHnWsSoyna5wsVHeNlnY8NUR2uBCJpmWExIZN54hqRdQZRVEfFbZU9Qx Uer2HApzZ5RGFVu90IxueG7SDnZxkSP5ZXQJW0jDOCvHkF39QLn60EGNHfSM1R/UPJ zVmciQci8KZrDkK5HIfQbKnjQmRkQwuGKklbu5qnNUxYA3CWtYRYGAVXcy7IxzcRHU CL0+QdOZk/DhZGTIT8oG7YzIH5B6wgP+LswMjWfi293yvxGGOPooRTm5Vi0Axt4HDR OQKIlb1yXKWFOSF/EOenpTQ7xIoNKhnnMgwYLkGHkHqAej/ZfcguEp0uZ48z5bwzxo ATXGNGi3ZVdGg== Message-ID: <286a9ec3aa052cc1ed61e7257af492325d8e7279.camel@kernel.org> Subject: Re: [PATCH v11 0/4] integrity: support including firmware ".platform" keys at build time From: Jarkko Sakkinen To: Nayna Jain , linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: dhowells@redhat.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dimitri.ledkov@canonical.com, seth@forshee.me, rnsastry@linux.ibm.com, Masahiro Yamada Date: Fri, 11 Mar 2022 18:39:14 +0200 In-Reply-To: <20220310214450.676505-1-nayna@linux.ibm.com> References: <20220310214450.676505-1-nayna@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.42.4 MIME-Version: 1.0 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2022-03-10 at 16:44 -0500, Nayna Jain wrote: > Some firmware support secure boot by embedding static keys to verify the > Linux kernel during boot. However, these firmware do not expose an > interface for the kernel to load firmware keys onto the ".platform" > keyring, preventing the kernel from verifying the kexec kernel image > signature. >=20 > This patchset exports load_certificate_list() and defines a new function > load_builtin_platform_cert() to load compiled in certificates onto the > ".platform" keyring. >=20 > Changelog: > v11: > * Added a new patch to conditionally build extract-cert if > PLATFORM_KEYRING is enabled. >=20 > v10: > * Fixed the externs warning for Patch 3. >=20 > v9: > * Rebased on Jarkko's repo -=20 > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git >=20 > v8: > * Includes Jarkko's feedback on patch description and removed Reported-by > for Patch 1. >=20 > v7: > * Incldues Jarkko's feedback on patch description for Patch 1 and 3. >=20 > v6: > * Includes Jarkko's feedback: > =C2=A0* Split Patch 2 into two. > =C2=A0* Update Patch description. >=20 > v5: > * Renamed load_builtin_platform_cert() to load_platform_certificate_list(= ) > and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as > suggested by Mimi Zohar. >=20 > v4: > * Split into two patches as per Mimi Zohar and Dimitri John Ledkov > recommendation. >=20 > v3: > * Included Jarkko's feedback > =C2=A0** updated patch description to include approach. > =C2=A0** removed extern for function declaration in the .h file. > * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. >=20 > v2: > * Fixed the error reported by kernel test robot > * Updated patch description based on Jarkko's feedback. >=20 > Nayna Jain (4): > =C2=A0 certs: export load_certificate_list() to be used outside certs/ > =C2=A0 integrity: make integrity_keyring_from_id() non-static > =C2=A0 certs: conditionally build extract-cert if platform keyring is ena= bled > =C2=A0 integrity: support including firmware ".platform" keys at build ti= me >=20 > =C2=A0certs/Makefile=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 9 ++++= ++-- > =C2=A0certs/blacklist.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 1 - > =C2=A0certs/common.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 2 +- > =C2=A0certs/common.h=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 9 ----= ---- > =C2=A0certs/system_keyring.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 |=C2=A0 1 - > =C2=A0include/keys/system_keyring.h=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 6 ++++= + > =C2=A0security/integrity/Kconfig=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= | 10 ++++++++ > =C2=A0security/integrity/Makefile=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 15 = +++++++++++- > =C2=A0security/integrity/digsig.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2= =A0 2 +- > =C2=A0security/integrity/integrity.h=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 9 ++++++++ > =C2=A0.../integrity/platform_certs/platform_cert.S=C2=A0 | 23 +++++++++++= ++++++++ > =C2=A0.../platform_certs/platform_keyring.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 | 23 +++++++++++++++++++ > =C2=A012 files changed, 94 insertions(+), 16 deletions(-) > =C2=A0delete mode 100644 certs/common.h > =C2=A0create mode 100644 security/integrity/platform_certs/platform_cert.= S >=20 >=20 > base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 I tuned tags. Nayna, Mimi is this how it should be: commit f38ebfc7469c4924087dab2203479ee9bb6911ac (HEAD -> master, origin/nex= t, origin/master, origin/HEAD, next) Author: Nayna Jain Date: Thu Mar 10 16:44:50 2022 -0500 integrity: support including firmware ".platform" keys at build time =20 Allow firmware keys to be embedded in the Linux kernel and loaded onto the ".platform" keyring on boot. =20 The firmware keys can be specified in a file as a list of PEM encoded certificates using new config INTEGRITY_PLATFORM_KEYS. The certificates are embedded in the image by converting the PEM-formatted certificates into DER(binary) and generating security/integrity/platform_certs/platform_certificate_list file at build time. On boot, the embedded certs from the image are loaded onto the ".platform" keyring at late_initcall(), ensuring the platform keyri= ng exists before loading the keys. =20 Reviewed-by: Mimi Zohar Tested-by: Mimi Zohar Signed-off-by: Nayna Jain Signed-off-by: Jarkko Sakkinen commit 233bb42918e71f143e6f31d99763348768eb1619 Author: Nayna Jain Date: Thu Mar 10 16:44:49 2022 -0500 certs: conditionally build extract-cert if platform keyring is enabled =20 extract-cert is used outside certs/ by INTEGRITY_PLATFORM_KEYRING. Also build extract-cert if INTEGRITY_PLATFORM_KEYRING is enabled. =20 Signed-off-by: Nayna Jain Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit 5e1a41f1c2ee838af6ac39d1cdd4ed0f509186a1 Author: Nayna Jain Date: Thu Mar 10 16:44:48 2022 -0500 integrity: make integrity_keyring_from_id() non-static =20 Make integrity_keyring_from_id() non-static so that it is accessible by other files in security/integrity. =20 Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen commit 05489d362bde0f25c4e921d15cad4492d22147ae Author: Nayna Jain Date: Thu Mar 10 16:44:47 2022 -0500 certs: export load_certificate_list() to be used outside certs/ =20 load_certificate_list() parses certificates embedded in the kernel image to load them onto the keyring. =20 Commit "2565ca7f5ec1 (certs: Move load_system_certificate_list to a com= mon function)" made load_certificate_list() a common function in the certs/ directory. Export load_certificate_list() outside certs/ to be used by load_platform_certificate_list() for loading compiled in platform keys onto the .platform keyring at boot time. =20 Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen BR, Jarkko