From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Fri, 14 Jul 2023 11:34:35 -0400
Message-Id: <20230714153435.28155-7-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On a secure boot enabled PowerVM LPAR, third party code signing keys are needed during early boot to verify signed third party modules. These third party keys are stored in the moduledb object in the Platform KeyStore (PKS). Load third party code signing keys onto the .secondary_trusted_keys keyring.
Signed-off-by: Nayna Jain --- Jarkko, this patch is based on Linus master tree branch, which does not contain the following commits yet: c9d004712300 integrity: Enforce digitalSignature usage in the ima and evm keyrings 59b656eb58fe KEYS: DigitalSignature link restriction certs/system_keyring.c | 22 +++++++++++++++++++ include/keys/system_keyring.h | 8 +++++++ security/integrity/integrity.h | 1 + .../platform_certs/keyring_handler.c | 8 +++++++ .../platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 18 ++++++++++++++- 6 files changed, 61 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a7a49b17ceb1..b0235732c1d4 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -347,3 +347,25 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len) +{ + key_ref_t key; + key_perm_t perm; + int rc = 0; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + + key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), "asymmetric", + NULL, data, len, perm, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) { + rc = PTR_ERR(key); + pr_err("Problem loading X.509 certificate %d\n", rc); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..a57a77ccf003 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -41,8 +41,16 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); + +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len); + #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len) +{ +} #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index d7553c93f5c0..efaa2eb789ad 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id, { return 0; } + #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index b3e5df136e50..6095df043498 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -77,6 +77,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_secondary_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 6f15bb4cc8dc..f92895cc50f6 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h 
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for code signing keys. + */ +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 6263ce3b3f1e..32c4e5fbf0fb 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; - void *trustedca = NULL; + void *trustedca = NULL, *moduledb = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("moduledb", 9, &dsize); + if (!data) { + pr_info("Couldn't get moduledb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading moduledb from firmware: %d\n", rc); + } else { + extract_esl(moduledb, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize, + get_handler_for_code_signing_keys); + if (rc) + pr_err("Couldn't parse moduledb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs); -- 2.31.1
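Review bot: in the certs/system_keyring.c hunk, add_to_secondary_keyring() never uses its `source` parameter, so a failure is logged only as "Problem loading X.509 certificate %d" with no indication of which firmware list the certificate came from; include it, e.g. `pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n", source, PTR_ERR(key));`, after which the local `rc` can go. Note also that key_create_or_update() honours the target keyring's link restriction, and the header hunk shows restrict_link_by_builtin_and_secondary_trusted is what guards this keyring, so a moduledb certificate is only accepted when it is signed by a key already trusted through the builtin or secondary keyring; the commit message should state that this chaining is expected rather than suggesting arbitrary third party keys are loaded.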
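Review bot: in the include/keys/system_keyring.h hunk, the `#else` fallback for add_to_secondary_keyring() is a non-static, non-inline function body placed in a header, so every translation unit that includes system_keyring.h with CONFIG_SECONDARY_TRUSTED_KEYRING disabled emits its own copy and the link fails on a duplicate symbol; make it `static inline void add_to_secondary_keyring(const char *source, const void *data, size_t len) { }` and drop the `__init`, which serves no purpose on an empty inline.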
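Review bot: the security/integrity/integrity.h hunk only inserts a blank line before `#endif /* CONFIG_INTEGRITY_SIGNATURE */` and is unrelated to this change; drop it from the patch.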
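Review bot: in the security/integrity/platform_certs/keyring_handler.c hunk, get_handler_for_code_signing_keys() has no comment block, unlike the neighbouring get_handler_for_* functions (the "Return the appropriate handler for particular signature list types found in the UEFI dbx and MokListXRT tables" comment is visible directly after it); add a matching comment saying that x509 entries are loaded into the secondary trusted keyring and that any other signature list type yields NULL, so such entries are skipped without a diagnostic.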
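Review bot: in the second security/integrity/platform_certs/load_powerpc.c hunk, `rc` is shared with the preceding blocks (the `kfree(data); }` context at the top of the hunk closes the trustedca block), so a successful moduledb parse overwrites an error an earlier block recorded and `return rc;` then reports success, while a failure to parse the optional moduledb (absence is only a `pr_info`) becomes the return code of the whole initcall; use a separate local for the moduledb result, or log it and leave `rc` untouched.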