| Message ID | 20230815112722.1591829-2-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | Enable loading local and third party keys on PowerVM guest | expand |
On 15/08/23 4:57 pm, Nayna Jain wrote: > Keys that derive their trust from an entity such as a security officer, > administrator, system owner, or machine owner are said to have "imputed > trust". CA keys with imputed trust can be loaded onto the machine keyring. > The mechanism for loading these keys onto the machine keyring is platform > dependent. > > Load keys stored in the variable trustedcadb onto the .machine keyring > on PowerVM platform. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Tested with trustedcadb, moduledb scenarios Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com> > --- > .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ > .../integrity/platform_certs/keyring_handler.h | 5 +++++ > .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ > 3 files changed, 30 insertions(+) > > diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c > index 8a1124e4d769..1649d047e3b8 100644 > --- a/security/integrity/platform_certs/keyring_handler.c > +++ b/security/integrity/platform_certs/keyring_handler.c > @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) > return NULL; > } > > +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) > +{ > + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) > + return add_to_machine_keyring; > + > + return NULL; > +} > + > /* > * Return the appropriate handler for particular signature list types found in > * the UEFI dbx and MokListXRT tables. > diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h > index 212d894a8c0c..6f15bb4cc8dc 100644 > --- a/security/integrity/platform_certs/keyring_handler.h > +++ b/security/integrity/platform_certs/keyring_handler.h > @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); > */ > efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); > > +/* > + * Return the handler for particular signature list types for CA keys. > + */ > +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); > + > /* > * Return the handler for particular signature list types found in the dbx. > */ > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > index 170789dc63d2..339053d9726d 100644 > --- a/security/integrity/platform_certs/load_powerpc.c > +++ b/security/integrity/platform_certs/load_powerpc.c > @@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) > static int __init load_powerpc_certs(void) > { > void *db = NULL, *dbx = NULL, *data = NULL; > + void *trustedca; > u64 dsize = 0; > u64 offset = 0; > int rc = 0; > @@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) > kfree(data); > } > > + data = get_cert_list("trustedcadb", 12, &dsize); > + if (!data) { > + pr_info("Couldn't get trustedcadb list from firmware\n"); > + } else if (IS_ERR(data)) { > + rc = PTR_ERR(data); > + pr_err("Error reading trustedcadb from firmware: %d\n", rc); > + } else { > + extract_esl(trustedca, data, dsize, offset); > + > + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, > + get_handler_for_ca_keys); > + if (rc) > + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); > + kfree(data); > + } > + > return rc; > } > late_initcall(load_powerpc_certs);
On Tue Aug 15, 2023 at 2:27 PM EEST, Nayna Jain wrote: > Keys that derive their trust from an entity such as a security officer, > administrator, system owner, or machine owner are said to have "imputed > trust". CA keys with imputed trust can be loaded onto the machine keyring. > The mechanism for loading these keys onto the machine keyring is platform > dependent. > > Load keys stored in the variable trustedcadb onto the .machine keyring > on PowerVM platform. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> > Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> > --- > .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ > .../integrity/platform_certs/keyring_handler.h | 5 +++++ > .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ > 3 files changed, 30 insertions(+) > > diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c > index 8a1124e4d769..1649d047e3b8 100644 > --- a/security/integrity/platform_certs/keyring_handler.c > +++ b/security/integrity/platform_certs/keyring_handler.c > @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) > return NULL; > } > > +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) > +{ > + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) > + return add_to_machine_keyring; > + > + return NULL; > +} > + > /* > * Return the appropriate handler for particular signature list types found in > * the UEFI dbx and MokListXRT tables. > diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h > index 212d894a8c0c..6f15bb4cc8dc 100644 > --- a/security/integrity/platform_certs/keyring_handler.h > +++ b/security/integrity/platform_certs/keyring_handler.h > @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); > */ > efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); > > +/* > + * Return the handler for particular signature list types for CA keys. > + */ > +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); > + > /* > * Return the handler for particular signature list types found in the dbx. > */ > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c > index 170789dc63d2..339053d9726d 100644 > --- a/security/integrity/platform_certs/load_powerpc.c > +++ b/security/integrity/platform_certs/load_powerpc.c > @@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) > static int __init load_powerpc_certs(void) > { > void *db = NULL, *dbx = NULL, *data = NULL; > + void *trustedca; > u64 dsize = 0; > u64 offset = 0; > int rc = 0; > @@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) > kfree(data); > } > > + data = get_cert_list("trustedcadb", 12, &dsize); > + if (!data) { > + pr_info("Couldn't get trustedcadb list from firmware\n"); > + } else if (IS_ERR(data)) { > + rc = PTR_ERR(data); > + pr_err("Error reading trustedcadb from firmware: %d\n", rc); > + } else { > + extract_esl(trustedca, data, dsize, offset); > + > + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, > + get_handler_for_ca_keys); > + if (rc) > + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); > + kfree(data); > + } > + > return rc; > } > late_initcall(load_powerpc_certs); > -- > 2.31.1 Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 8a1124e4d769..1649d047e3b8 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_machine_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 212d894a8c0c..6f15bb4cc8dc 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for CA keys. + */ +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 170789dc63d2..339053d9726d 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; + void *trustedca; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("trustedcadb", 12, &dsize); + if (!data) { + pr_info("Couldn't get trustedcadb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading trustedcadb from firmware: %d\n", rc); + } else { + extract_esl(trustedca, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, + get_handler_for_ca_keys); + if (rc) + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);
Keys that derive their trust from an entity such as a security officer, administrator, system owner, or machine owner are said to have "imputed trust". CA keys with imputed trust can be loaded onto the machine keyring. The mechanism for loading these keys onto the machine keyring is platform dependent. Load keys stored in the variable trustedcadb onto the .machine keyring on PowerVM platform. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> --- .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ .../integrity/platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ 3 files changed, 30 insertions(+)