diff mbox series

[4/4] module, KEYS: Make use of platform keyring for signature verification

Message ID 840433bc93a58d6dfc4d96c34c0c3b158a0e669d.1644953683.git.msuchanek@suse.de (mailing list archive)
State New, archived
Headers show
Series [1/4] Fix arm64 kexec forbidding kernels signed with keys in the secondary keyring to boot | expand

Commit Message

Michal Suchanek Feb. 15, 2022, 7:39 p.m. UTC
Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
adds support for use of platform keyring in kexec verification but
support for modules is missing.

Add support for verification of modules with keys from platform keyring
as well.

Fixes: 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
Cc: linux-modules@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
 kernel/module_signing.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Comments

Mimi Zohar Feb. 15, 2022, 8:08 p.m. UTC | #1
[Cc'ing Eric Snowberg]

Hi Michal,

On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> adds support for use of platform keyring in kexec verification but
> support for modules is missing.
> 
> Add support for verification of modules with keys from platform keyring
> as well.

Permission for loading the pre-OS keys onto the "platform" keyring and
using them is limited to verifying the kexec kernel image, nothing
else.

FYI, Eric Snowberg's initial patch set titled "[PATCH v10 0/8] Enroll
kernel keys thru MOK" is queued in Jarkko's git repo to be usptreamed. 
A subsequent patch set is expected.
Michal Suchanek Feb. 15, 2022, 8:47 p.m. UTC | #2
Hello,

On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> [Cc'ing Eric Snowberg]
> 
> Hi Michal,
> 
> On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > adds support for use of platform keyring in kexec verification but
> > support for modules is missing.
> > 
> > Add support for verification of modules with keys from platform keyring
> > as well.
> 
> Permission for loading the pre-OS keys onto the "platform" keyring and
> using them is limited to verifying the kexec kernel image, nothing
> else.

Why is the platform keyring limited to kexec, and nothing else?

It should either be used for everything or for nothing. You have the
option to compile it in and then it should be used, and the option to
not compile it in and then it cannot be used.

There are two basic use cases:

(1) there is a vendor key which is very hard to use so you sign
something small and simple like shim with the vendor key, and sign your
kernel and modules with your own key that's typically enrolled with shim
MOK, and built into the kernel.

(2) you import your key into the firmware, and possibly disable the
vendor key. You can load the kernel directly without shim, and then your
signing key is typically in the platform keyring and built into the
kernel.

In neither case do I see any reason to use some keyrings for kexec and
other keyrings for modules.

Thanks

Michal
Mimi Zohar Feb. 15, 2022, 10:12 p.m. UTC | #3
On Tue, 2022-02-15 at 21:47 +0100, Michal Suchánek wrote:
> Hello,
> 
> On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > [Cc'ing Eric Snowberg]
> > 
> > Hi Michal,
> > 
> > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > adds support for use of platform keyring in kexec verification but
> > > support for modules is missing.
> > > 
> > > Add support for verification of modules with keys from platform keyring
> > > as well.
> > 
> > Permission for loading the pre-OS keys onto the "platform" keyring and
> > using them is limited to verifying the kexec kernel image, nothing
> > else.
> 
> Why is the platform keyring limited to kexec, and nothing else?
> 
> It should either be used for everything or for nothing. You have the
> option to compile it in and then it should be used, and the option to
> not compile it in and then it cannot be used.
> 
> There are two basic use cases:
> 
> (1) there is a vendor key which is very hard to use so you sign
> something small and simple like shim with the vendor key, and sign your
> kernel and modules with your own key that's typically enrolled with shim
> MOK, and built into the kernel.
> 
> (2) you import your key into the firmware, and possibly disable the
> vendor key. You can load the kernel directly without shim, and then your
> signing key is typically in the platform keyring and built into the
> kernel.
> 
> In neither case do I see any reason to use some keyrings for kexec and
> other keyrings for modules.

When building your own kernel there isn't a problem.  Additional keys
may be built into the kernel image, which are loaded onto the
".builtin_trusted_keys" keyring, and may be stored in MOK.  Normally
different keys are used for signing the kernel image and kernel
modules.  Kernel modules can be signed by the build time ephemeral
kernel module signing key, which is built into the kernel and
automatically loaded onto the ".builtin_trusted_keys" keyring.
 
Similarly distros build the kernel module signing key into the kernel,
which is built into the kernel and loaded onto the
".builtin_trusted_keys" keyring.  By loading the pre-OS keys onto the
".platform" keyring,  kexec may verify the distro or other signed
kernel images.
Michal Suchanek Feb. 16, 2022, 10:56 a.m. UTC | #4
On Tue, Feb 15, 2022 at 05:12:32PM -0500, Mimi Zohar wrote:
> On Tue, 2022-02-15 at 21:47 +0100, Michal Suchánek wrote:
> > Hello,
> > 
> > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > [Cc'ing Eric Snowberg]
> > > 
> > > Hi Michal,
> > > 
> > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > adds support for use of platform keyring in kexec verification but
> > > > support for modules is missing.
> > > > 
> > > > Add support for verification of modules with keys from platform keyring
> > > > as well.
> > > 
> > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > using them is limited to verifying the kexec kernel image, nothing
> > > else.
> > 
> > Why is the platform keyring limited to kexec, and nothing else?
> > 
> > It should either be used for everything or for nothing. You have the
> > option to compile it in and then it should be used, and the option to
> > not compile it in and then it cannot be used.
> > 
> > There are two basic use cases:
> > 
> > (1) there is a vendor key which is very hard to use so you sign
> > something small and simple like shim with the vendor key, and sign your
> > kernel and modules with your own key that's typically enrolled with shim
> > MOK, and built into the kernel.
> > 
> > (2) you import your key into the firmware, and possibly disable the
> > vendor key. You can load the kernel directly without shim, and then your
> > signing key is typically in the platform keyring and built into the
> > kernel.
> > 
> > In neither case do I see any reason to use some keyrings for kexec and
> > other keyrings for modules.
> 
> When building your own kernel there isn't a problem.  Additional keys
> may be built into the kernel image, which are loaded onto the
> ".builtin_trusted_keys" keyring, and may be stored in MOK.  Normally
> different keys are used for signing the kernel image and kernel

That's actually not normal.

> modules.  Kernel modules can be signed by the build time ephemeral
> kernel module signing key, which is built into the kernel and
> automatically loaded onto the ".builtin_trusted_keys" keyring.

Right, there is this advice to use ephemeral key to sign modules.

I don't think that's a sound advice in general. It covers only the
special case when you build the kernel once, only rebuild the whole
kernel and never just one module, don't use any 3rd party module, don't
bother signing firmware (I am not sure that is supported right now but
if you are into integrity and stuff you can see that it makes sense to
sign it, too).

And you need to manage the key you use for the kernel signing, anyway.
Sure, you could use the same ephemeral key as for the modules, enroll
it, and shred it but then it is NOT a key different from the one you use
for modules.

Or you could maintain a long-lived key for the kernel, but if you do I
do NOT see any reason to not use it also for modules, in-tree and
out-of-tree.

> Similarly distros build the kernel module signing key into the kernel,
> which is built into the kernel and loaded onto the
> ".builtin_trusted_keys" keyring.  By loading the pre-OS keys onto the
> ".platform" keyring,  kexec may verify the distro or other signed
> kernel images.

Which are signed by the same key as the modules so there is no reason to
load the platform key at all. I don't think loading shim with kexec is
supported.

Thanks

Michal
Michal Suchanek Feb. 16, 2022, 11:04 a.m. UTC | #5
On Wed, Feb 16, 2022 at 11:56:45AM +0100, Michal Suchánek wrote:
> On Tue, Feb 15, 2022 at 05:12:32PM -0500, Mimi Zohar wrote:
> > On Tue, 2022-02-15 at 21:47 +0100, Michal Suchánek wrote:
> > > Hello,
> > > 
> > > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > > [Cc'ing Eric Snowberg]
> > > > 
> > > > Hi Michal,
> > > > 
> > > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > > adds support for use of platform keyring in kexec verification but
> > > > > support for modules is missing.
> > > > > 
> > > > > Add support for verification of modules with keys from platform keyring
> > > > > as well.
> > > > 
> > > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > > using them is limited to verifying the kexec kernel image, nothing
> > > > else.
> > > 
> > > Why is the platform keyring limited to kexec, and nothing else?
> > > 
> > > It should either be used for everything or for nothing. You have the
> > > option to compile it in and then it should be used, and the option to
> > > not compile it in and then it cannot be used.
> > > 
> > > There are two basic use cases:
> > > 
> > > (1) there is a vendor key which is very hard to use so you sign
> > > something small and simple like shim with the vendor key, and sign your
> > > kernel and modules with your own key that's typically enrolled with shim
> > > MOK, and built into the kernel.
> > > 
> > > (2) you import your key into the firmware, and possibly disable the
> > > vendor key. You can load the kernel directly without shim, and then your
> > > signing key is typically in the platform keyring and built into the
> > > kernel.
> > > 
> > > In neither case do I see any reason to use some keyrings for kexec and
> > > other keyrings for modules.
> > 
> > When building your own kernel there isn't a problem.  Additional keys
> > may be built into the kernel image, which are loaded onto the
> > ".builtin_trusted_keys" keyring, and may be stored in MOK.  Normally
> > different keys are used for signing the kernel image and kernel
> 
> That's actually not normal.
> 
> > modules.  Kernel modules can be signed by the build time ephemeral
> > kernel module signing key, which is built into the kernel and
> > automatically loaded onto the ".builtin_trusted_keys" keyring.
> 
> Right, there is this advice to use ephemeral key to sign modules.
> 
> I don't think that's a sound advice in general. It covers only the
> special case when you build the kernel once, only rebuild the whole
> kernel and never just one module, don't use any 3rd party module, don't
> bother signing firmware (I am not sure that is supported right now but
> if you are into integrity and stuff you can see that it makes sense to
> sign it, too).
And don't forget signing ramdisk which you typically don't build only
once at kernel build time.
> 
> And you need to manage the key you use for the kernel signing, anyway.
> Sure, you could use the same ephemeral key as for the modules, enroll
> it, and shred it but then it is NOT a key different from the one you use
> for modules.
> 
> Or you could maintain a long-lived key for the kernel, but if you do I
> do NOT see any reason to not use it also for modules, in-tree and
> out-of-tree.
> 
> > Similarly distros build the kernel module signing key into the kernel,
> > which is built into the kernel and loaded onto the
> > ".builtin_trusted_keys" keyring.  By loading the pre-OS keys onto the
> > ".platform" keyring,  kexec may verify the distro or other signed
> > kernel images.
> 
> Which are signed by the same key as the modules so there is no reason to
> load the platform key at all. I don't think loading shim with kexec is
> supported.
> 
> Thanks
> 
> Michal
Mimi Zohar Feb. 16, 2022, 11:58 a.m. UTC | #6
On Wed, 2022-02-16 at 11:56 +0100, Michal Suchánek wrote:
> On Tue, Feb 15, 2022 at 05:12:32PM -0500, Mimi Zohar wrote:
> > On Tue, 2022-02-15 at 21:47 +0100, Michal Suchánek wrote:
> > > Hello,
> > > 
> > > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > > [Cc'ing Eric Snowberg]
> > > > 
> > > > Hi Michal,
> > > > 
> > > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > > adds support for use of platform keyring in kexec verification but
> > > > > support for modules is missing.
> > > > > 
> > > > > Add support for verification of modules with keys from platform keyring
> > > > > as well.
> > > > 
> > > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > > using them is limited to verifying the kexec kernel image, nothing
> > > > else.
> > > 
> > > Why is the platform keyring limited to kexec, and nothing else?
> > > 
> > > It should either be used for everything or for nothing. You have the
> > > option to compile it in and then it should be used, and the option to
> > > not compile it in and then it cannot be used.
> > > 
> > > There are two basic use cases:
> > > 
> > > (1) there is a vendor key which is very hard to use so you sign
> > > something small and simple like shim with the vendor key, and sign your
> > > kernel and modules with your own key that's typically enrolled with shim
> > > MOK, and built into the kernel.
> > > 
> > > (2) you import your key into the firmware, and possibly disable the
> > > vendor key. You can load the kernel directly without shim, and then your
> > > signing key is typically in the platform keyring and built into the
> > > kernel.
> > > 
> > > In neither case do I see any reason to use some keyrings for kexec and
> > > other keyrings for modules.
> > 
> > When building your own kernel there isn't a problem.  Additional keys
> > may be built into the kernel image, which are loaded onto the
> > ".builtin_trusted_keys" keyring, and may be stored in MOK.  Normally
> > different keys are used for signing the kernel image and kernel
> 
> That's actually not normal.
> 
> > modules.  Kernel modules can be signed by the build time ephemeral
> > kernel module signing key, which is built into the kernel and
> > automatically loaded onto the ".builtin_trusted_keys" keyring.
> 
> Right, there is this advice to use ephemeral key to sign modules.
> 
> I don't think that's a sound advice in general. It covers only the
> special case when you build the kernel once, only rebuild the whole
> kernel and never just one module, don't use any 3rd party module, don't
> bother signing firmware (I am not sure that is supported right now but
> if you are into integrity and stuff you can see that it makes sense to
> sign it, too).
> 
> And you need to manage the key you use for the kernel signing, anyway.
> Sure, you could use the same ephemeral key as for the modules, enroll
> it, and shred it but then it is NOT a key different from the one you use
> for modules.
> 
> Or you could maintain a long-lived key for the kernel, but if you do I
> do NOT see any reason to not use it also for modules, in-tree and
> out-of-tree.

If signing ALL kernel modules, in-tree and out-of-tree, with the same
key as the kernel image, is your real intention, then by all means
write a complete patch description with the motivation for why kernel
module signatures need to be verified against this one pre-OS key
stored only in the platform keyring.  Such a major change like this
shouldn't be buried here.

Otherwise, I suggest looking at Eric Snowberg's "Enroll kernel keys
thru MOK patch set" patch set [1], as previously mentioned, which is
queued to be upstreamed by Jarkko.  It loads MOK keys onto the
'.machine' keyring, which is linked to the '.secondary_trusted_keys"
keyring.  A subsequent patch set will enable IMA support.

[1] 
https://lore.kernel.org/lkml/20220126025834.255493-1-eric.snowberg@oracle.com/
Michal Suchanek Feb. 16, 2022, 12:09 p.m. UTC | #7
On Wed, Feb 16, 2022 at 06:58:51AM -0500, Mimi Zohar wrote:
> On Wed, 2022-02-16 at 11:56 +0100, Michal Suchánek wrote:
> > On Tue, Feb 15, 2022 at 05:12:32PM -0500, Mimi Zohar wrote:
> > > On Tue, 2022-02-15 at 21:47 +0100, Michal Suchánek wrote:
> > > > Hello,
> > > > 
> > > > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > > > [Cc'ing Eric Snowberg]
> > > > > 
> > > > > Hi Michal,
> > > > > 
> > > > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > > > adds support for use of platform keyring in kexec verification but
> > > > > > support for modules is missing.
> > > > > > 
> > > > > > Add support for verification of modules with keys from platform keyring
> > > > > > as well.
> > > > > 
> > > > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > > > using them is limited to verifying the kexec kernel image, nothing
> > > > > else.
> > > > 
> > > > Why is the platform keyring limited to kexec, and nothing else?
> > > > 
> > > > It should either be used for everything or for nothing. You have the
> > > > option to compile it in and then it should be used, and the option to
> > > > not compile it in and then it cannot be used.
> > > > 
> > > > There are two basic use cases:
> > > > 
> > > > (1) there is a vendor key which is very hard to use so you sign
> > > > something small and simple like shim with the vendor key, and sign your
> > > > kernel and modules with your own key that's typically enrolled with shim
> > > > MOK, and built into the kernel.
> > > > 
> > > > (2) you import your key into the firmware, and possibly disable the
> > > > vendor key. You can load the kernel directly without shim, and then your
> > > > signing key is typically in the platform keyring and built into the
> > > > kernel.
> > > > 
> > > > In neither case do I see any reason to use some keyrings for kexec and
> > > > other keyrings for modules.
> > > 
> > > When building your own kernel there isn't a problem.  Additional keys
> > > may be built into the kernel image, which are loaded onto the
> > > ".builtin_trusted_keys" keyring, and may be stored in MOK.  Normally
> > > different keys are used for signing the kernel image and kernel
> > 
> > That's actually not normal.
> > 
> > > modules.  Kernel modules can be signed by the build time ephemeral
> > > kernel module signing key, which is built into the kernel and
> > > automatically loaded onto the ".builtin_trusted_keys" keyring.
> > 
> > Right, there is this advice to use ephemeral key to sign modules.
> > 
> > I don't think that's a sound advice in general. It covers only the
> > special case when you build the kernel once, only rebuild the whole
> > kernel and never just one module, don't use any 3rd party module, don't
> > bother signing firmware (I am not sure that is supported right now but
> > if you are into integrity and stuff you can see that it makes sense to
> > sign it, too).
> > 
> > And you need to manage the key you use for the kernel signing, anyway.
> > Sure, you could use the same ephemeral key as for the modules, enroll
> > it, and shred it but then it is NOT a key different from the one you use
> > for modules.
> > 
> > Or you could maintain a long-lived key for the kernel, but if you do I
> > do NOT see any reason to not use it also for modules, in-tree and
> > out-of-tree.
> 
> If signing ALL kernel modules, in-tree and out-of-tree, with the same
> key as the kernel image, is your real intention, then by all means

Why would you sign them with different keys, specifically?

For out of tree modules, sure. But that's an ADDITIONAL key, not
REMOVAL of a key.

> write a complete patch description with the motivation for why kernel
> module signatures need to be verified against this one pre-OS key
> stored only in the platform keyring.  Such a major change like this
> shouldn't be buried here.

No, in my book it does not make sense to verify anything against the
pre-os key at all in the common case.

However, if you do verify the kernel against the pre-os key it does not
make sense to not verify modules against the pre-os key. There is no
sense using different key for kernel and modules. They are both built in
the same environment with access to same the keys.

> Otherwise, I suggest looking at Eric Snowberg's "Enroll kernel keys
> thru MOK patch set" patch set [1], as previously mentioned, which is
> queued to be upstreamed by Jarkko.  It loads MOK keys onto the
> '.machine' keyring, which is linked to the '.secondary_trusted_keys"
> keyring.  A subsequent patch set will enable IMA support.

I don't really care how many keyrings there are. What I care about is
that they are used conssitently.

Thanks

Michal
Luis Chamberlain March 22, 2022, 5:37 p.m. UTC | #8
How's this series going? Did you and Mimi sort things out? Either way,
just wanted to let you kow you can base your changes on modules-testing
[0] if you want to resubmit for v5.19 (v5.18 will be too late already).
Once testing is done what is on modules-testing will go to modules-next
for testing for v5.19. There are no changes planned for v5.18 other than
fixes and so far there are none.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/log/?h=modules-testing

  Luis
Mimi Zohar March 22, 2022, 6:55 p.m. UTC | #9
Hi Luis,

On Tue, 2022-03-22 at 10:37 -0700, Luis Chamberlain wrote:
> How's this series going? Did you and Mimi sort things out? Either way,
> just wanted to let you kow you can base your changes on modules-testing
> [0] if you want to resubmit for v5.19 (v5.18 will be too late already).
> Once testing is done what is on modules-testing will go to modules-next
> for testing for v5.19. There are no changes planned for v5.18 other than
> fixes and so far there are none.
> 
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/log/?h=modules-testing

The "platform" keyring was upstreamed specifically to verify the kexec
kernel image. Orginally it contained only the UEFI db keys, but the MOK
keys were later added as well.  Any other usage of the "platform" is
not planned.

To allow end users to sign their own kernel modules, executables, or
any other file, Eric Snowberg is working on a patch set to only load
the MOK CA keys onto the ".machine" keyring, which is linked to the
"secondary" keyring[1].  Verifying kernel modules based on certificates
signed by a MOK CA will then be possible.

thanks,

Mimi

[1] 
https://lore.kernel.org/all/20220301173651.3435350-1-eric.snowberg@oracle.com/
joeyli March 28, 2022, 10:15 a.m. UTC | #10
Hi Mimi,

Sorry for bother you for this old topic.

On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
> Hello,
> 
> On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > [Cc'ing Eric Snowberg]
> > 
> > Hi Michal,
> > 
> > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > adds support for use of platform keyring in kexec verification but
> > > support for modules is missing.
> > > 
> > > Add support for verification of modules with keys from platform keyring
> > > as well.
> > 
> > Permission for loading the pre-OS keys onto the "platform" keyring and
> > using them is limited to verifying the kexec kernel image, nothing
> > else.
> 
> Why is the platform keyring limited to kexec, and nothing else?
> 
> It should either be used for everything or for nothing. You have the
> option to compile it in and then it should be used, and the option to
> not compile it in and then it cannot be used.
> 
> There are two basic use cases:
> 
> (1) there is a vendor key which is very hard to use so you sign
> something small and simple like shim with the vendor key, and sign your
> kernel and modules with your own key that's typically enrolled with shim
> MOK, and built into the kernel.
> 
> (2) you import your key into the firmware, and possibly disable the
> vendor key. You can load the kernel directly without shim, and then your
> signing key is typically in the platform keyring and built into the
> kernel.
>

In the second use case, if user can enroll their own key to db either before
or after hardware shipping. And they don't need shim because they removed
Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
them for trusting db keys for verifying kernel module, or for IMA (using CA
in db)?
 
In the above use case for distro, partner doesn't need to re-compiler distro
kernel. They just need to re-sign distro kernel and modules. Which means
that the partner trusted distro. Then the partner's key in db can be used to
verify kernel image and also kernel module without shim involve.

Regards
Joey Lee
Mimi Zohar March 28, 2022, 1:28 p.m. UTC | #11
On Mon, 2022-03-28 at 18:15 +0800, joeyli wrote:

Hi Joey,

> Hi Mimi,
> 
> Sorry for bother you for this old topic.

Cc'ing Luis the kernel modules maintainer.

> 
> On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
> > Hello,
> > 
> > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > [Cc'ing Eric Snowberg]
> > > 
> > > Hi Michal,
> > > 
> > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > adds support for use of platform keyring in kexec verification but
> > > > support for modules is missing.
> > > > 
> > > > Add support for verification of modules with keys from platform keyring
> > > > as well.
> > > 
> > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > using them is limited to verifying the kexec kernel image, nothing
> > > else.
> > 
> > Why is the platform keyring limited to kexec, and nothing else?
> > 
> > It should either be used for everything or for nothing. You have the
> > option to compile it in and then it should be used, and the option to
> > not compile it in and then it cannot be used.
> > 
> > There are two basic use cases:
> > 
> > (1) there is a vendor key which is very hard to use so you sign
> > something small and simple like shim with the vendor key, and sign your
> > kernel and modules with your own key that's typically enrolled with shim
> > MOK, and built into the kernel.
> > 
> > (2) you import your key into the firmware, and possibly disable the
> > vendor key. You can load the kernel directly without shim, and then your
> > signing key is typically in the platform keyring and built into the
> > kernel.
> >
> 
> In the second use case, if user can enroll their own key to db either before
> or after hardware shipping. And they don't need shim because they removed
> Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
> them for trusting db keys for verifying kernel module, or for IMA (using CA
> in db)?
>  
> In the above use case for distro, partner doesn't need to re-compiler distro
> kernel. They just need to re-sign distro kernel and modules. Which means
> that the partner trusted distro. Then the partner's key in db can be used to
> verify kernel image and also kernel module without shim involve.

From what I understand, distros don't want customers resigning their
kernels.  If they did, then they could have enabled the
CONFIG_SYSTEM_EXTRA_CERTIFICATE, which would load the keys onto the
"builtin" keyring, and anything signed by those keys could be loaded
onto the secondary keyring.  (Of course CONFIG_SYSTEM_EXTRA_CERTIFICATE
would need to be fixed/updated.)

We've gone through "what if" scenarios before.  My response then, as
now, is post it as a patch with the real motivation for such a change.

thanks,

Mimi
Michal Suchanek March 28, 2022, 2:03 p.m. UTC | #12
Hello,

On Mon, Mar 28, 2022 at 09:28:14AM -0400, Mimi Zohar wrote:
> On Mon, 2022-03-28 at 18:15 +0800, joeyli wrote:
> 
> Hi Joey,
> 
> > Hi Mimi,
> > 
> > Sorry for bother you for this old topic.
> 
> Cc'ing Luis the kernel modules maintainer.
> 
> > 
> > On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
> > > Hello,
> > > 
> > > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > > [Cc'ing Eric Snowberg]
> > > > 
> > > > Hi Michal,
> > > > 
> > > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > > adds support for use of platform keyring in kexec verification but
> > > > > support for modules is missing.
> > > > > 
> > > > > Add support for verification of modules with keys from platform keyring
> > > > > as well.
> > > > 
> > > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > > using them is limited to verifying the kexec kernel image, nothing
> > > > else.
> > > 
> > > Why is the platform keyring limited to kexec, and nothing else?
> > > 
> > > It should either be used for everything or for nothing. You have the
> > > option to compile it in and then it should be used, and the option to
> > > not compile it in and then it cannot be used.
> > > 
> > > There are two basic use cases:
> > > 
> > > (1) there is a vendor key which is very hard to use so you sign
> > > something small and simple like shim with the vendor key, and sign your
> > > kernel and modules with your own key that's typically enrolled with shim
> > > MOK, and built into the kernel.
> > > 
> > > (2) you import your key into the firmware, and possibly disable the
> > > vendor key. You can load the kernel directly without shim, and then your
> > > signing key is typically in the platform keyring and built into the
> > > kernel.
> > >
> > 
> > In the second use case, if user can enroll their own key to db either before
> > or after hardware shipping. And they don't need shim because they removed
> > Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
> > them for trusting db keys for verifying kernel module, or for IMA (using CA
> > in db)?
> >  
> > In the above use case for distro, partner doesn't need to re-compiler distro
> > kernel. They just need to re-sign distro kernel and modules. Which means
> > that the partner trusted distro. Then the partner's key in db can be used to
> > verify kernel image and also kernel module without shim involve.
> 
> From what I understand, distros don't want customers resigning their
> kernels.  If they did, then they could have enabled the
> CONFIG_SYSTEM_EXTRA_CERTIFICATE, which would load the keys onto the
> "builtin" keyring, and anything signed by those keys could be loaded
> onto the secondary keyring.  (Of course CONFIG_SYSTEM_EXTRA_CERTIFICATE
> would need to be fixed/updated.)

You don't need to re-sign. You can just import the distro key into the
firmware.

> 
> We've gone through "what if" scenarios before.  My response then, as
> now, is post it as a patch with the real motivation for such a change.

Then that's what this does. Both modules and kernel run on ring0 so
there is no practical distinction. For consistency verify both with the
same keys.

Either way if there should be a disctinction it should be explicit, not
implicit.

That is each option that imports keys should crate a basic keyring that
just has keys, and we should have 'kexec' and 'module' keyrings that
do not have keys, only link the keyrings that import keys from some
specific source. All of them by default but you can adjust this in
defconfigs depending on platform-typical usage.

Contrast to that the current 'secondary' keyring that randomly links
some key sources and not others, is used in some kexec implementations
and not others. Also if you list the keys in it do you get the keys
dynamically added at runtime, or also all the keys on the linked
keyrings? Whatever you get is misleading and unclear.

Thanks

Michal
Eric Snowberg March 28, 2022, 2:44 p.m. UTC | #13
> On Mar 28, 2022, at 4:15 AM, joeyli <jlee@suse.com> wrote:
> 
> Hi Mimi,
> 
> Sorry for bother you for this old topic.
> 
> On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
>> Hello,
>> 
>> On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
>>> [Cc'ing Eric Snowberg]
>>> 
>>> Hi Michal,
>>> 
>>> On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
>>>> Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
>>>> adds support for use of platform keyring in kexec verification but
>>>> support for modules is missing.
>>>> 
>>>> Add support for verification of modules with keys from platform keyring
>>>> as well.
>>> 
>>> Permission for loading the pre-OS keys onto the "platform" keyring and
>>> using them is limited to verifying the kexec kernel image, nothing
>>> else.
>> 
>> Why is the platform keyring limited to kexec, and nothing else?
>> 
>> It should either be used for everything or for nothing. You have the
>> option to compile it in and then it should be used, and the option to
>> not compile it in and then it cannot be used.
>> 
>> There are two basic use cases:
>> 
>> (1) there is a vendor key which is very hard to use so you sign
>> something small and simple like shim with the vendor key, and sign your
>> kernel and modules with your own key that's typically enrolled with shim
>> MOK, and built into the kernel.
>> 
>> (2) you import your key into the firmware, and possibly disable the
>> vendor key. You can load the kernel directly without shim, and then your
>> signing key is typically in the platform keyring and built into the
>> kernel.
>> 
> 
> In the second use case, if user can enroll their own key to db either before
> or after hardware shipping. And they don't need shim because they removed
> Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
> them for trusting db keys for verifying kernel module, or for IMA (using CA
> in db)?
> 
> In the above use case for distro, partner doesn't need to re-compiler distro
> kernel. They just need to re-sign distro kernel and modules. Which means
> that the partner trusted distro. Then the partner's key in db can be used to
> verify kernel image and also kernel module without shim involve.

If shim is used, the new machine keyring can be used to solve this problem. 
This pull request [1] allows additional certificates to be loaded into the MOKList 
without going through MokManager.  Have the end-user/partner create a 
shim_certificate.efi containing their key. Then sign it with their DB key.  When 
shim boots, it will validate shim_certificate.efi against the DB key and load the 
key contained within it into the MOKList.  Now both module and kernel validation 
can be performed with this key, since it is contained within the machine keyring.

[1] https://github.com/rhboot/shim/pull/446
Michal Suchanek March 28, 2022, 4:29 p.m. UTC | #14
Hello,

On Mon, Mar 28, 2022 at 02:44:30PM +0000, Eric Snowberg wrote:
> 
> 
> > On Mar 28, 2022, at 4:15 AM, joeyli <jlee@suse.com> wrote:
> > 
> > Hi Mimi,
> > 
> > Sorry for bother you for this old topic.
> > 
> > On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
> >> Hello,
> >> 
> >> On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> >>> [Cc'ing Eric Snowberg]
> >>> 
> >>> Hi Michal,
> >>> 
> >>> On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> >>>> Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> >>>> adds support for use of platform keyring in kexec verification but
> >>>> support for modules is missing.
> >>>> 
> >>>> Add support for verification of modules with keys from platform keyring
> >>>> as well.
> >>> 
> >>> Permission for loading the pre-OS keys onto the "platform" keyring and
> >>> using them is limited to verifying the kexec kernel image, nothing
> >>> else.
> >> 
> >> Why is the platform keyring limited to kexec, and nothing else?
> >> 
> >> It should either be used for everything or for nothing. You have the
> >> option to compile it in and then it should be used, and the option to
> >> not compile it in and then it cannot be used.
> >> 
> >> There are two basic use cases:
> >> 
> >> (1) there is a vendor key which is very hard to use so you sign
> >> something small and simple like shim with the vendor key, and sign your
> >> kernel and modules with your own key that's typically enrolled with shim
> >> MOK, and built into the kernel.
> >> 
> >> (2) you import your key into the firmware, and possibly disable the
> >> vendor key. You can load the kernel directly without shim, and then your
> >> signing key is typically in the platform keyring and built into the
> >> kernel.
> >> 
> > 
> > In the second use case, if user can enroll their own key to db either before
> > or after hardware shipping. And they don't need shim because they removed
> > Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
> > them for trusting db keys for verifying kernel module, or for IMA (using CA
> > in db)?
> > 
> > In the above use case for distro, partner doesn't need to re-compiler distro
> > kernel. They just need to re-sign distro kernel and modules. Which means
> > that the partner trusted distro. Then the partner's key in db can be used to
> > verify kernel image and also kernel module without shim involve.
> 
> If shim is used, the new machine keyring can be used to solve this problem. 
> This pull request [1] allows additional certificates to be loaded into the MOKList 
> without going through MokManager.  Have the end-user/partner create a 
> shim_certificate.efi containing their key. Then sign it with their DB key.  When 
> shim boots, it will validate shim_certificate.efi against the DB key and load the 
> key contained within it into the MOKList.  Now both module and kernel validation 
> can be performed with this key, since it is contained within the machine keyring.

And why would you go through that when your platform keyring already has
the key and you don't need shim for anything? This sounds a lot like "I
have a hammer and all these look like nails" thinking.

Sure, there is use for the machine keyring in the case you need it and
have it regardless of the kernel making any use of it for anything.
Artifically adding it because the kernel fails to work with the platform
keyring sounds backwards, though.

Thanks

Michal
diff mbox series

Patch

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 8723ae70ea1f..5e1624294874 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -38,8 +38,14 @@  int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	return ret;
 }