[RFC,0/5] Another initramfs signature checking set

Message ID	20241015222235.71040-1-jeremy.linton@arm.com (mailing list archive)
Headers	show Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B09F721E3A7; Tue, 15 Oct 2024 22:22:54 +0000 (UTC) From: Jeremy Linton <jeremy.linton@arm.com> To: linux-kernel@vger.kernel.org Cc: akpm@linux-foundation.org, hch@lst.de, gregkh@linuxfoundation.org, graf@amazon.com, lukas@wunner.de, wufan@linux.microsoft.com, brauner@kernel.org, jsperbeck@google.com, ardb@kernel.org, linux-crypto@vger.kernel.org, linux-kbuild@vger.kernel.org, keyrings@vger.kernel.org, Jeremy Linton <jeremy.linton@arm.com> Subject: [RFC 0/5] Another initramfs signature checking set Date: Tue, 15 Oct 2024 17:22:30 -0500 Message-ID: <20241015222235.71040-1-jeremy.linton@arm.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Another initramfs signature checking set \| expand [RFC,0/5] Another initramfs signature checking set [RFC,1/5] initramfs: Add initramfs signature checking [RFC,2/5] KEYS/certs: Start the builtin key and cert system earlier [RFC,3/5] initramfs: Use existing module signing infrastructure [RFC,4/5] sign-file: Add -i option to sign initramfs images [RFC,5/5] initramfs: Enforce initramfs signature

Message ID

20241015222235.71040-1-jeremy.linton@arm.com (mailing list archive)

Headers

From: Jeremy Linton <jeremy.linton@arm.com>
To: linux-kernel@vger.kernel.org
Cc: akpm@linux-foundation.org,
	hch@lst.de,
	gregkh@linuxfoundation.org,
	graf@amazon.com,
	lukas@wunner.de,
	wufan@linux.microsoft.com,
	brauner@kernel.org,
	jsperbeck@google.com,
	ardb@kernel.org,
	linux-crypto@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	keyrings@vger.kernel.org,
	Jeremy Linton <jeremy.linton@arm.com>
Subject: [RFC 0/5] Another initramfs signature checking set
Date: Tue, 15 Oct 2024 17:22:30 -0500
Message-ID: <20241015222235.71040-1-jeremy.linton@arm.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Another initramfs signature checking set | expand

Message

Jeremy Linton Oct. 15, 2024, 10:22 p.m. UTC

With the advent of UKI's wrapping kernel and cpio archives up into
single UEFI PE executables it seems like its probably time to
reconsider whether the core idea of signing the initrd and verifying
it in its entirely is a useful function of the core kernel.

Moving this functionality in the kernel should provide a similar
security statement to the UKIs with a more traditional kernel + initrd
boot flow and the ability to have a single kernel image that
selects between multiple signed initrd images. Say a normal boot
image, and a recovery image.

This set is a very basic implementation of that concept using the kernel
built in trusted keyring, and a signature format that is similar to the
existing module signature. The core change is quite trivial with the larger
questions around the policy for enforcing or simply checking
for a valid signature. I've considered various policies, tying it to
lockdown/etc but this set simply enforces it by default with an kernel
parameter to override the behavior.

Outside of the core patch the largest change revolves around making
sure that the asymmetric key and built in cert/keyring/blacklist logic
is started much earlier in the boot process than normal. This means
that beyond the hacky _initcall changes in patch 2 there are a bit of
additional Kconfig changes necessary.

Finally, before the RFC is dropped there are a number of
/Documentation changes that will be completed as needed.

Jeremy Linton (5):
  initramfs: Add initramfs signature checking
  KEYS/certs: Start the builtin key and cert system earlier
  initramfs: Use existing module signing infrastructure
  sign-file: Add -i option to sign initramfs images
  initramfs: Enforce initramfs signature

 certs/blacklist.c                        |  2 +-
 certs/system_keyring.c                   |  4 +-
 crypto/asymmetric_keys/asymmetric_type.c |  2 +-
 crypto/asymmetric_keys/x509_public_key.c |  2 +-
 include/linux/initrd.h                   |  3 +
 init/initramfs.c                         | 84 +++++++++++++++++++++++-
 scripts/sign-file.c                      | 11 +++-
 usr/Kconfig                              |  9 +++
 8 files changed, 109 insertions(+), 8 deletions(-)