mbox series

[v12,0/4] integrity: support including firmware ".platform" keys at build time

Message ID 20220311210344.102396-1-nayna@linux.ibm.com (mailing list archive)
Headers show
Series integrity: support including firmware ".platform" keys at build time | expand

Message

Nayna Jain March 11, 2022, 9:03 p.m. UTC
Some firmware support secure boot by embedding static keys to verify the
Linux kernel during boot. However, these firmware do not expose an
interface for the kernel to load firmware keys onto the ".platform"
keyring, preventing the kernel from verifying the kexec kernel image
signature.

This patchset exports load_certificate_list() and defines a new function
load_builtin_platform_cert() to load compiled in certificates onto the
".platform" keyring.

Changelog:
v12:
* Replace Patch 3/4 with reverting of the commit as suggested by
Masahiro Yamada.

v11:
* Added a new patch to conditionally build extract-cert if
PLATFORM_KEYRING is enabled.

v10:
* Fixed the externs warning for Patch 3.

v9:
* Rebased on Jarkko's repo - 
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

v8:
* Includes Jarkko's feedback on patch description and removed Reported-by
for Patch 1.

v7:
* Incldues Jarkko's feedback on patch description for Patch 1 and 3.

v6:
* Includes Jarkko's feedback:
 * Split Patch 2 into two.
 * Update Patch description.

v5:
* Renamed load_builtin_platform_cert() to load_platform_certificate_list()
and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as
suggested by Mimi Zohar.

v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.

v3:
* Included Jarkko's feedback
 ** updated patch description to include approach.
 ** removed extern for function declaration in the .h file.
* Included load_certificate_list() within #ifdef CONFIG_KEYS condition.

v2:
* Fixed the error reported by kernel test robot
* Updated patch description based on Jarkko's feedback.

Nayna Jain (4):
  certs: export load_certificate_list() to be used outside certs/
  integrity: make integrity_keyring_from_id() non-static
  Revert "certs: move scripts/extract-cert to certs/"
  integrity: support including firmware ".platform" keys at build time

 MAINTAINERS                                   |  1 +
 certs/.gitignore                              |  1 -
 certs/Makefile                                | 18 ++++++---------
 certs/blacklist.c                             |  1 -
 certs/common.c                                |  2 +-
 certs/common.h                                |  9 --------
 certs/system_keyring.c                        |  1 -
 include/keys/system_keyring.h                 |  6 +++++
 scripts/.gitignore                            |  1 +
 scripts/Makefile                              | 12 ++++++++--
 {certs => scripts}/extract-cert.c             |  2 +-
 scripts/remove-stale-files                    |  2 --
 security/integrity/Kconfig                    | 10 ++++++++
 security/integrity/Makefile                   | 15 +++++++++++-
 security/integrity/digsig.c                   |  2 +-
 security/integrity/integrity.h                |  9 ++++++++
 .../integrity/platform_certs/platform_cert.S  | 23 +++++++++++++++++++
 .../platform_certs/platform_keyring.c         | 23 +++++++++++++++++++
 18 files changed, 107 insertions(+), 31 deletions(-)
 delete mode 100644 certs/common.h
 rename {certs => scripts}/extract-cert.c (98%)
 create mode 100644 security/integrity/platform_certs/platform_cert.S


base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9

Comments

R Nageswara Sastry March 12, 2022, 2:42 a.m. UTC | #1
On 12/03/22 2:33 am, Nayna Jain wrote:
> Some firmware support secure boot by embedding static keys to verify the
> Linux kernel during boot. However, these firmware do not expose an
> interface for the kernel to load firmware keys onto the ".platform"
> keyring, preventing the kernel from verifying the kexec kernel image
> signature.
> 
> This patchset exports load_certificate_list() and defines a new function
> load_builtin_platform_cert() to load compiled in certificates onto the
> ".platform" keyring.
> 
> Changelog:
> v12:
> * Replace Patch 3/4 with reverting of the commit as suggested by
> Masahiro Yamada.
> 

Tested the following four patches ov v12 with and with out setting 
CONFIG_INTEGRITY_PLATFORM_KEYS

Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>


1. With CONFIG_INTEGRITY_PLATFORM_KEYS set to a key

# grep pem .config
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"

# grep 
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST" 
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
# CONFIG_SYSTEM_REVOCATION_LIST is not set

# cat /proc/keys | grep platform
0a7a11a9 I------     1 perm 1f0b0000     0     0 keyring   .platform: 1

# keyctl show %keyring:.platform
Keyring
  175772073 ---lswrv      0     0  keyring: .platform
  519271447 ---lswrv      0     0   \_ asymmetric: IBM Corporation: 
Guest Secure Boot Imprint Kernel Signing Key: 
a0cf9069c30875320cb10a77325d4fa7012f8d12


2. With out CONFIG_INTEGRITY_PLATFORM_KEYS set, leaving empty

# grep pem .config
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"

# grep 
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST" 
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS=""
# CONFIG_SYSTEM_REVOCATION_LIST is not set

# cat /proc/keys | grep platform
39c749b9 I------     1 perm 1f0b0000     0     0 keyring   .platform: empty

# keyctl show %keyring:.platform
Keyring
  969361849 ---lswrv      0     0  keyring: .platform



> 
> base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9