Message ID | 20190118091733.29940-2-kasong@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | let kexec_file_load use platform keyring to verify the kernel image | expand |
On 01/18/2019 04:17 AM, Kairui Song wrote: > commit 9dc92c45177a ('integrity: Define a trusted platform keyring') > introduced a .platform keyring for storing preboot keys, used for > verifying kernel images' signature. Currently only IMA-appraisal is able > to use the keyring to verify kernel images that have their signature > stored in xattr. > > This patch exposes the .platform keyring, making it accessible for > verifying PE signed kernel images as well. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Kairui Song <kasong@redhat.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Tested-by: Mimi Zohar <zohar@linux.ibm.com> > --- > certs/system_keyring.c | 9 +++++++++ > include/keys/system_keyring.h | 5 +++++ > security/integrity/digsig.c | 6 ++++++ > 3 files changed, 20 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 81728717523d..4690ef9cda8a 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > static struct key *secondary_trusted_keys; > #endif > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > +static struct key *platform_trusted_keys; > +#endif > > extern __initconst const u8 system_certificate_list[]; > extern __initconst const unsigned long system_certificate_list_size; > @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len, > } > EXPORT_SYMBOL_GPL(verify_pkcs7_signature); > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > +void __init set_platform_trusted_keys(struct key *keyring) { > + platform_trusted_keys = keyring; > +} > +#endif > + > #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index 359c2f936004..9e1b7849b6aa 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void) > } > #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > + > +extern void __init set_platform_trusted_keys(struct key* keyring); > + > +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ > > #endif /* _KEYS_SYSTEM_KEYRING_H */ > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index f45d6edecf99..bfabc2a8111d 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, > keyring[id] = NULL; > } > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > + if (id == INTEGRITY_KEYRING_PLATFORM) { Shouldn't it also check that keyring[id] is not NULL ? Thanks & Regards, - Nayna > + set_platform_trusted_keys(keyring[id]); > + } > +#endif > + > return err; > } >
On Fri, Jan 18, 2019 at 10:36 PM Nayna <nayna@linux.vnet.ibm.com> wrote: > On 01/18/2019 04:17 AM, Kairui Song wrote: > > commit 9dc92c45177a ('integrity: Define a trusted platform keyring') > > introduced a .platform keyring for storing preboot keys, used for > > verifying kernel images' signature. Currently only IMA-appraisal is able > > to use the keyring to verify kernel images that have their signature > > stored in xattr. > > > > This patch exposes the .platform keyring, making it accessible for > > verifying PE signed kernel images as well. > > > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > > Signed-off-by: Kairui Song <kasong@redhat.com> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > Tested-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > > certs/system_keyring.c | 9 +++++++++ > > include/keys/system_keyring.h | 5 +++++ > > security/integrity/digsig.c | 6 ++++++ > > 3 files changed, 20 insertions(+) > > > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > > index 81728717523d..4690ef9cda8a 100644 > > --- a/certs/system_keyring.c > > +++ b/certs/system_keyring.c > > @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; > > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > > static struct key *secondary_trusted_keys; > > #endif > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > +static struct key *platform_trusted_keys; > > +#endif > > > > extern __initconst const u8 system_certificate_list[]; > > extern __initconst const unsigned long system_certificate_list_size; > > @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len, > > } > > EXPORT_SYMBOL_GPL(verify_pkcs7_signature); > > > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > +void __init set_platform_trusted_keys(struct key *keyring) { > > + platform_trusted_keys = keyring; > > +} > > +#endif > > + > > #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ > > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > > index 359c2f936004..9e1b7849b6aa 100644 > > --- a/include/keys/system_keyring.h > > +++ b/include/keys/system_keyring.h > > @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void) > > } > > #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ > > > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > + > > +extern void __init set_platform_trusted_keys(struct key* keyring); > > + > > +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ > > > > #endif /* _KEYS_SYSTEM_KEYRING_H */ > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > > index f45d6edecf99..bfabc2a8111d 100644 > > --- a/security/integrity/digsig.c > > +++ b/security/integrity/digsig.c > > @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, > > keyring[id] = NULL; > > } > > > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > > + if (id == INTEGRITY_KEYRING_PLATFORM) { > > Shouldn't it also check that keyring[id] is not NULL ? Good catch, if it's NULL then platform_trusted_keyring will be set to NULL as well, which will work just fine as in this case platform_trusted_keyring is still considered not initialized. I'll add a sanity check here to check err value just in case. Thanks for your suggestion! > > Thanks & Regards, > - Nayna > > > + set_platform_trusted_keys(keyring[id]); > > + } > > +#endif > > + > > return err; > > } > > > > > _______________________________________________ > kexec mailing list > kexec@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/kexec
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..4690ef9cda8a 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +static struct key *platform_trusted_keys; +#endif extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature); +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +void __init set_platform_trusted_keys(struct key *keyring) { + platform_trusted_keys = keyring; +} +#endif + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 359c2f936004..9e1b7849b6aa 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void) } #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING + +extern void __init set_platform_trusted_keys(struct key* keyring); + +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..bfabc2a8111d 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -89,6 +89,12 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, keyring[id] = NULL; } +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING + if (id == INTEGRITY_KEYRING_PLATFORM) { + set_platform_trusted_keys(keyring[id]); + } +#endif + return err; }