[0/6] Enable loading local and third party keys on PowerVM guest

Message ID	20230714153435.28155-1-nayna@linux.ibm.com (mailing list archive)
Headers	show Return-Path: <linux-integrity-owner@vger.kernel.org> From: Nayna Jain <nayna@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko@kernel.org>, Eric Snowberg <eric.snowberg@oracle.com>, Paul Moore <paul@paul-moore.com>, linuxppc-dev <linuxppc-dev@lists.ozlabs.org>, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com> Subject: [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Date: Fri, 14 Jul 2023 11:34:29 -0400 Message-Id: <20230714153435.28155-1-nayna@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Enable loading local and third party keys on PowerVM guest \| expand [0/6] Enable loading local and third party keys on PowerVM guest [1/6] integrity: PowerVM support for loading CA keys on machine keyring [2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform [3/6] integrity: remove global variable from machine_keyring.c [4/6] integrity: check whether imputed trust is enabled [5/6] integrity: PowerVM machine keyring enablement. [6/6] integrity: PowerVM support for loading third party code signing keys

Message ID

20230714153435.28155-1-nayna@linux.ibm.com (mailing list archive)

Headers

From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Eric Snowberg <eric.snowberg@oracle.com>,
        Paul Moore <paul@paul-moore.com>,
        linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH 0/6] Enable loading local and third party keys on PowerVM
 guest
Date: Fri, 14 Jul 2023 11:34:29 -0400
Message-Id: <20230714153435.28155-1-nayna@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Enable loading local and third party keys on PowerVM guest | expand

Message

Nayna Jain July 14, 2023, 3:34 p.m. UTC

On a secure boot enabled PowerVM guest, local and third party code signing
keys are needed to verify signed applications, configuration files, and
kernel modules.

Loading these keys onto either the .secondary_trusted_keys or .ima
keyrings requires the certificates be signed by keys on the
.builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings.

Keys on the .builtin_trusted_keys keyring are trusted because of the chain
of trust from secure boot up to and including the linux kernel.  Keys on
the .machine keyring that derive their trust from an entity such as a
security officer, administrator, system owner, or machine owner are said
to have "imputed trust." The type of certificates and the mechanism for
loading them onto the .machine keyring is platform dependent.

Userspace may load certificates onto the .secondary_trusted_keys or .ima
keyrings. However, keys may also need to be loaded by the kernel if they
are needed for verification in early boot time. On PowerVM guest, third
party code signing keys are loaded from the moduledb variable in the
Platform KeyStore(PKS) onto the .secondary_trusted_keys.

The purpose of this patch set is to allow loading of local and third party
code signing keys on PowerVM.

Nayna Jain (6):
  integrity: PowerVM support for loading CA keys on machine keyring
  integrity: ignore keys failing CA restrictions on non-UEFI platform
  integrity: remove global variable from machine_keyring.c
  integrity: check whether imputed trust is enabled
  integrity: PowerVM machine keyring enablement.
  integrity: PowerVM support for loading third party code signing keys

 certs/system_keyring.c                        | 22 +++++++++++++
 include/keys/system_keyring.h                 |  8 +++++
 security/integrity/Kconfig                    |  3 +-
 security/integrity/digsig.c                   |  2 +-
 security/integrity/integrity.h                |  6 ++--
 .../platform_certs/keyring_handler.c          | 18 +++++++++-
 .../platform_certs/keyring_handler.h          | 10 ++++++
 .../integrity/platform_certs/load_powerpc.c   | 33 +++++++++++++++++++
 .../platform_certs/machine_keyring.c          | 21 +++++++++---
 9 files changed, 114 insertions(+), 9 deletions(-)


base-commit: 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5

Comments

Mimi Zohar Aug. 2, 2023, 10:58 p.m. UTC | #1

On Fri, 2023-07-14 at 11:34 -0400, Nayna Jain wrote:
> On a secure boot enabled PowerVM guest, local and third party code signing
> keys are needed to verify signed applications, configuration files, and
> kernel modules.
> 
> Loading these keys onto either the .secondary_trusted_keys or .ima
> keyrings requires the certificates be signed by keys on the
> .builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings.
> 
> Keys on the .builtin_trusted_keys keyring are trusted because of the chain
> of trust from secure boot up to and including the linux kernel.  Keys on
> the .machine keyring that derive their trust from an entity such as a
> security officer, administrator, system owner, or machine owner are said
> to have "imputed trust." The type of certificates and the mechanism for
> loading them onto the .machine keyring is platform dependent.
> 
> Userspace may load certificates onto the .secondary_trusted_keys or .ima
> keyrings. However, keys may also need to be loaded by the kernel if they
> are needed for verification in early boot time. On PowerVM guest, third
> party code signing keys are loaded from the moduledb variable in the
> Platform KeyStore(PKS) onto the .secondary_trusted_keys.

Thanks, Nayna.   I've reviewed and done some initially testing up to
5/6.

Mimi