From patchwork Thu Feb 11 19:54:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 12084015 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DBDF5C4332D for ; Thu, 11 Feb 2021 19:56:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AE8E664E45 for ; Thu, 11 Feb 2021 19:56:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231533AbhBKT4I (ORCPT ); Thu, 11 Feb 2021 14:56:08 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:7106 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231428AbhBKTzn (ORCPT ); Thu, 11 Feb 2021 14:55:43 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 11BJhAoo067513; Thu, 11 Feb 2021 14:55:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=rhqRtAo60Pe+xMPALLJ2Iflts1unIMdYD0lHnemZeOc=; b=hnQuC7xNB1tTOR+0bhXHlGdqEjsOn/jKuflRTaCCFTDVu6td9C3H68u5rg9KbaXgbYMg vriO8zQ4Y4Z7WL2nX2si8LM6U32RXmvGqnXMQ43D+WXZibqD/BKQqUjHCS9jhun+lU4M 69ZQFL0eNmUhNOWIkoNlHm6Oq/A1M8vqrJPlw3FogARkzner1FmrHMSxCrS+d4i7pTp0 aXdpC3MZbm5lDV1XFg3TYjGxcdqq8EF7Co9qz69EsfMHjhtcSpOiwv9VIApsNEV3L0JK 56Oo/1ZiFwATwxKbwlouD3IUgSExGuhI11xI9Q/FXuSlWmNnt1mfRsnB/n8O+bo1YaGk XA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nayyg8h0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:01 -0500 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 11BJhGuv067904; Thu, 11 Feb 2021 14:55:01 -0500 Received: from ppma03ams.nl.ibm.com (62.31.33a9.ip4.static.sl-reverse.com [169.51.49.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nayyg8fv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:01 -0500 Received: from pps.filterd (ppma03ams.nl.ibm.com [127.0.0.1]) by ppma03ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 11BJrI0n015417; Thu, 11 Feb 2021 19:54:59 GMT Received: from b06cxnps4076.portsmouth.uk.ibm.com (d06relay13.portsmouth.uk.ibm.com [9.149.109.198]) by ppma03ams.nl.ibm.com with ESMTP id 36m1m2t7js-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 19:54:58 +0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 11BJsu6135193290 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Feb 2021 19:54:56 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 27CE242047; Thu, 11 Feb 2021 19:54:56 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E920742041; Thu, 11 Feb 2021 19:54:53 +0000 (GMT) Received: from li-4b5937cc-25c4-11b2-a85c-cea3a66903e4.ibm.com.com (unknown [9.160.81.209]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Feb 2021 19:54:53 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org, David Howells , Jarkko Sakkinen , Mimi Zohar , Linux Kernel Mailing List , Nayna Jain Subject: [PATCH 1/5] keys: cleanup build time module signing keys Date: Thu, 11 Feb 2021 14:54:31 -0500 Message-Id: <20210211195435.135582-2-nayna@linux.ibm.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210211195435.135582-1-nayna@linux.ibm.com> References: <20210211195435.135582-1-nayna@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.737 definitions=2021-02-11_07:2021-02-11,2021-02-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 mlxlogscore=999 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxscore=0 spamscore=0 priorityscore=1501 suspectscore=0 phishscore=0 malwarescore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102110151 Precedence: bulk List-ID: The "mrproper" target is still looking for build time generated keys in the old path instead of certs/ directory. This patch fixes the path as well removes the names of the files which are no longer generated. Signed-off-by: Nayna Jain Fixes: 28a68f828266 ("modsign: Use single PEM file for autogenerated key") --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ade44ac4cc2f..af18aab6bbee 100644 --- a/Makefile +++ b/Makefile @@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated \ debian snap tar-install \ .config .config.old .version \ Module.symvers \ - signing_key.pem signing_key.priv signing_key.x509 \ - x509.genkey extra_certificates signing_key.x509.keyid \ - signing_key.x509.signer vmlinux-gdb.py \ + certs/signing_key.pem certs/signing_key.x509 \ + certs/x509.genkey \ + vmlinux-gdb.py \ *.spec # Directories & files removed with 'make distclean' From patchwork Thu Feb 11 19:54:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 12084017 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA426C433E9 for ; Thu, 11 Feb 2021 19:56:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A2E4764E5B for ; Thu, 11 Feb 2021 19:56:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229775AbhBKT4L (ORCPT ); Thu, 11 Feb 2021 14:56:11 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57800 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231322AbhBKTzt (ORCPT ); Thu, 11 Feb 2021 14:55:49 -0500 Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 11BJX6Nn073148; Thu, 11 Feb 2021 14:55:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=7/wkJ01FAVeHcpEgJJy5JPj3Hy1lw1pR58cXjBlc7ck=; b=LeTGjvzvg1jPxYOXC3YkrhYR1roiEhavxPzGt3RBrWJIOZtfXfui9mMOUA5Vz0kACAlp 9etOZxr77uTm+UJRWam6DE5Zj/5/IBHtCEuJ3cP277b0Qom5guuMy/0yaZjdaiQPn9r9 kYhAAcMCXn9ekxtpQ0feq7FdxuAmxBg3oQZSMPlcqSuNTW72tszvxmLiEbKxPimzFdTO 8suVksSe9nTgPGszyJIkipdTuM5Eh9GvsILI0XGiQRWQffPwnHYivMLmnjJe1NEwc4IE yv7dnOJq2rivCAZQIvUYXnL6eIRZptjRR4yT3XCIAPU6PZfaEmDRCwlqfKvyZsh/p8xD hg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 36n9nvths0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:08 -0500 Received: from m0187473.ppops.net (m0187473.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 11BJXDCB073539; Thu, 11 Feb 2021 14:55:07 -0500 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0a-001b2d01.pphosted.com with ESMTP id 36n9nvthr7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:07 -0500 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 11BJrnp0020343; Thu, 11 Feb 2021 19:55:05 GMT Received: from b06cxnps4075.portsmouth.uk.ibm.com (d06relay12.portsmouth.uk.ibm.com [9.149.109.197]) by ppma06ams.nl.ibm.com with ESMTP id 36j94wnady-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 19:55:05 +0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 11BJt21X63767000 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Feb 2021 19:55:02 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 30E1642041; Thu, 11 Feb 2021 19:55:02 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6FE8D4203F; Thu, 11 Feb 2021 19:55:00 +0000 (GMT) Received: from li-4b5937cc-25c4-11b2-a85c-cea3a66903e4.ibm.com.com (unknown [9.160.81.209]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Feb 2021 19:55:00 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org, David Howells , Jarkko Sakkinen , Mimi Zohar , Linux Kernel Mailing List , Nayna Jain Subject: [PATCH 2/5] keys: generate self-signed module signing key using CSR Date: Thu, 11 Feb 2021 14:54:32 -0500 Message-Id: <20210211195435.135582-3-nayna@linux.ibm.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210211195435.135582-1-nayna@linux.ibm.com> References: <20210211195435.135582-1-nayna@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.737 definitions=2021-02-11_07:2021-02-11,2021-02-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 mlxlogscore=999 impostorscore=0 adultscore=0 suspectscore=0 lowpriorityscore=0 priorityscore=1501 spamscore=0 phishscore=0 bulkscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102110153 Precedence: bulk List-ID: Loading a key on the IMA trusted keyring requires the key be signed by an existing key on the builtin or secondary trusted keyring. Creating a Certificate Signing Request (CSR) allows the certificate to be self-signed or signed by a CA. This patch generates a self-signed module signing key using CSR. Signed-off-by: Nayna Jain --- Makefile | 3 ++- certs/Makefile | 15 +++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index af18aab6bbee..9c87fdd600d8 100644 --- a/Makefile +++ b/Makefile @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated \ .config .config.old .version \ Module.symvers \ certs/signing_key.pem certs/signing_key.x509 \ - certs/x509.genkey \ + certs/x509.genkey certs/signing_key.key \ + certs/signing_key.crt certs/signing_key.csr \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..b2be7eb413d3 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config $(obj)/x509.genkey \ - -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem \ + $(Q)openssl req -new -nodes -utf8 \ + -batch -config $(obj)/x509.genkey \ + -outform PEM -out $(obj)/signing_key.csr \ + -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ + -outform PEM -out $(obj)/signing_key.crt \ + -signkey $(obj)/signing_key.key \ + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ + -extfile $(obj)/x509.genkey \ + $($(quiet)redirect_openssl) + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem @$(kecho) "###" @$(kecho) "### Key pair generated." @$(kecho) "###" From patchwork Thu Feb 11 19:54:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 12084019 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28457C4332D for ; Thu, 11 Feb 2021 19:56:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E601864E5F for ; Thu, 11 Feb 2021 19:56:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231593AbhBKT4O (ORCPT ); Thu, 11 Feb 2021 14:56:14 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:40312 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230158AbhBKTzy (ORCPT ); Thu, 11 Feb 2021 14:55:54 -0500 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 11BJsCHr154301; Thu, 11 Feb 2021 14:55:13 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=6dRyKqGZUHozjXuXF/fjBdyYikmJKTxTNynC9njUecs=; b=sN627cxIMcZ4n8oK6mQRXjL1JKtuIzP2hdosj2b1o1C5dZtqiMtModEQb9e46dy6DaVy gPt14kofab++4vkCFsr1IUt2qFrjS0kdZc535gSuLs2rSP/HsdnZliYQcpFOlzDVcRb1 yadVn+Q78Vztv644ybXkT1e5zKSX4NhM5VdUoSP/5yadVmgf+XLeZkPXcASCk+t0QMZh NSeZ3ofgEvldCxtoLEXQaUM8O/1FlOcVqRccObgOHlD114+t1RZ70JkVhdxDXCl9/e6r CTZhMescejDEvhpiecJgybxpoeLLiU6DwYhPJHCng2o1Ft3UYnpHUUH6n4CH7cgZ9cbs Wg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb58g0v1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:13 -0500 Received: from m0098404.ppops.net (m0098404.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 11BJsNF5155665; Thu, 11 Feb 2021 14:55:12 -0500 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb58g0u3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:12 -0500 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 11BJrQdq020274; Thu, 11 Feb 2021 19:55:10 GMT Received: from b06cxnps3075.portsmouth.uk.ibm.com (d06relay10.portsmouth.uk.ibm.com [9.149.109.195]) by ppma06ams.nl.ibm.com with ESMTP id 36j94wnae3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 19:55:09 +0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 11BJt7S446203312 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Feb 2021 19:55:07 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0CE5442045; Thu, 11 Feb 2021 19:55:07 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 22E494203F; Thu, 11 Feb 2021 19:55:05 +0000 (GMT) Received: from li-4b5937cc-25c4-11b2-a85c-cea3a66903e4.ibm.com.com (unknown [9.160.81.209]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Feb 2021 19:55:04 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org, David Howells , Jarkko Sakkinen , Mimi Zohar , Linux Kernel Mailing List , Nayna Jain Subject: [PATCH 3/5] ima: update kernel module signing process during build Date: Thu, 11 Feb 2021 14:54:33 -0500 Message-Id: <20210211195435.135582-4-nayna@linux.ibm.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210211195435.135582-1-nayna@linux.ibm.com> References: <20210211195435.135582-1-nayna@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.737 definitions=2021-02-11_07:2021-02-11,2021-02-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 bulkscore=0 mlxscore=0 priorityscore=1501 mlxlogscore=999 malwarescore=0 spamscore=0 phishscore=0 impostorscore=0 lowpriorityscore=0 clxscore=1015 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102110151 Precedence: bulk List-ID: The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain --- certs/Kconfig | 2 +- init/Kconfig | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/certs/Kconfig b/certs/Kconfig index c94e93d8bccf..48675ad319db 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or diff --git a/init/Kconfig b/init/Kconfig index 29ad68325028..68147bbda5f9 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -2162,7 +2162,7 @@ config MODULE_SIG_FORCE config MODULE_SIG_ALL bool "Automatically sign all modules" default y - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. @@ -2172,7 +2172,7 @@ comment "Do not forget to sign required modules with scripts/sign-file" choice prompt "Which hash algorithm should modules be signed with?" - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help This determines which sort of hashing algorithm will be used during signature generation. This algorithm _must_ be built into the kernel @@ -2204,7 +2204,7 @@ endchoice config MODULE_SIG_HASH string - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG default "sha1" if MODULE_SIG_SHA1 default "sha224" if MODULE_SIG_SHA224 default "sha256" if MODULE_SIG_SHA256 From patchwork Thu Feb 11 19:54:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 12084023 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B1DDC43331 for ; Thu, 11 Feb 2021 19:56:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5E0A564E5F for ; Thu, 11 Feb 2021 19:56:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229731AbhBKT4T (ORCPT ); Thu, 11 Feb 2021 14:56:19 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:65522 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231447AbhBKTz6 (ORCPT ); Thu, 11 Feb 2021 14:55:58 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 11BJhWpx179856; Thu, 11 Feb 2021 14:55:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=HM3sotdvFTqXt6WRGTIBw2VdbazueFIt2qG6yysrYuo=; b=TKyNgzKbwifl1EtKIPpJLZenz5WBolpRX2SoyCTx0qhjQq9heOLdVQQ0swmCXD5epTKK ni82C8CvdwSyWRe6bxAwhPmSRzCsgL0UC2vmcXtIMHU4Hsv0dCWPOWduvktM27fGvNYU 3rr4MBlu4XSDfehXdRLqAiIH/5CWFBtU6JnCjFi6VjW/gLjDuPk/8PF+XhkSXFTvm91R EpLPOZo/D1g2SbsKRdWc+Dxxpir90AMbIlG/uD4s9gBynewcGEOUqjOEtEGzLxqINUWJ n+YL0TDhV6h3+g20k8B1Q3oVQRf1J7Z7QooYnoMoGzdpohfNn0qCnQ024IywfWro2j9Q DA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb05r86b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:16 -0500 Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 11BJiJD1184706; Thu, 11 Feb 2021 14:55:16 -0500 Received: from ppma06fra.de.ibm.com (48.49.7a9f.ip4.static.sl-reverse.com [159.122.73.72]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb05r854-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:16 -0500 Received: from pps.filterd (ppma06fra.de.ibm.com [127.0.0.1]) by ppma06fra.de.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 11BJtD8i020320; Thu, 11 Feb 2021 19:55:13 GMT Received: from b06cxnps4076.portsmouth.uk.ibm.com (d06relay13.portsmouth.uk.ibm.com [9.149.109.198]) by ppma06fra.de.ibm.com with ESMTP id 36hjch35k1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 19:55:13 +0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 11BJtBM041091458 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Feb 2021 19:55:11 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DEC614204D; Thu, 11 Feb 2021 19:55:10 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1AF4342049; Thu, 11 Feb 2021 19:55:09 +0000 (GMT) Received: from li-4b5937cc-25c4-11b2-a85c-cea3a66903e4.ibm.com.com (unknown [9.160.81.209]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Feb 2021 19:55:08 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org, David Howells , Jarkko Sakkinen , Mimi Zohar , Linux Kernel Mailing List , Nayna Jain Subject: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key Date: Thu, 11 Feb 2021 14:54:34 -0500 Message-Id: <20210211195435.135582-5-nayna@linux.ibm.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210211195435.135582-1-nayna@linux.ibm.com> References: <20210211195435.135582-1-nayna@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.737 definitions=2021-02-11_07:2021-02-11,2021-02-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 phishscore=0 spamscore=0 impostorscore=0 adultscore=0 lowpriorityscore=0 priorityscore=1501 clxscore=1015 suspectscore=0 mlxscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102110153 Precedence: bulk List-ID: Certificates being loaded onto the IMA trusted keyring must be signed by a key on either the builtin and secondary trusted keyring. This patch creates and includes in the kernel image an ephemeral CA key, at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain Reported-by: kernel test robot Reported-by: kernel test robot --- Makefile | 2 ++ certs/Makefile | 68 ++++++++++++++++++++++++++++++++++--- certs/system_certificates.S | 16 ++++++++- 3 files changed, 80 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 9c87fdd600d8..a1d4b0a1745e 100644 --- a/Makefile +++ b/Makefile @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated \ certs/signing_key.pem certs/signing_key.x509 \ certs/x509.genkey certs/signing_key.key \ certs/signing_key.crt certs/signing_key.csr \ + certs/ca_signing_key.pem certs/ca_signing_key.x509 \ + certs/ca_signing_key.srl \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index b2be7eb413d3..c3592ba63a05 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) +SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +SIGN_KEY = y +endif + +ifdef SIGN_KEY ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +# openssl arguments for CA Signed certificate. +CA_KEY = certs/ca_signing_key.pem +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial +else +# openssl arguments for Self Signed certificate. +SIGNER = -signkey $(obj)/signing_key.key +endif # CONFIG_IMA_APPRAISE_MODSIG + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + # Generate kernel build time CA Certificate. + @$(Q)openssl req -new -nodes -utf8 \ + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ + -subj "/CN=Build time autogenerated kernel CA key" \ + -batch -x509 -config $(obj)/x509.genkey \ + -outform PEM -out $(CA_KEY) \ + -keyout $(CA_KEY) -extensions ca_ext \ + $($(quiet)redirect_openssl) +endif # CONFIG_IMA_APPRAISE_MODSIG $(Q)openssl req -new -nodes -utf8 \ -batch -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.csr \ -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ - -outform PEM -out $(obj)/signing_key.crt \ - -signkey $(obj)/signing_key.key \ + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ -extfile $(obj)/x509.genkey \ $($(quiet)redirect_openssl) @@ -95,19 +122,50 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ + @echo >>$@ "[ ca_ext ]" + @echo >>$@ "keyUsage=critical,keyCertSign" + @echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) +SUBJECT=CN = Build time autogenerated kernel key +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it + +# GCC PR#66871 again. +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + +# Remove existing keys if it is self-signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey)) +CA_KEY = certs/ca_signing_key.pem + +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509 + +targets += ca_signing_key.x509 +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(CA_KEY)) + +targets += signing_key.x509 +$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) +else + +# Remove existing keys if it is CA signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey)) + ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif -# GCC PR#66871 again. $(obj)/system_certificates.o: $(obj)/signing_key.x509 targets += signing_key.x509 -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE +$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) -endif # CONFIG_MODULE_SIG + +endif # CONFIG_IMA_APPRAISE_MODSIG +endif # SIGN_KEY diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 8f29058adf93..e10043800a7e 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -8,8 +8,13 @@ .globl system_certificate_list system_certificate_list: __cert_list_start: -#ifdef CONFIG_MODULE_SIG +__module_cert_start: +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) .incbin "certs/signing_key.x509" +#endif +__module_cert_end: +#ifdef CONFIG_IMA_APPRAISE_MODSIG + .incbin "certs/ca_signing_key.x509" #endif .incbin "certs/x509_certificate_list" __cert_list_end: @@ -35,3 +40,12 @@ system_certificate_list_size: #else .long __cert_list_end - __cert_list_start #endif + + .align 8 + .globl module_cert_size + module_cert_size: +#ifdef CONFIG_64BIT + .quad __module_cert_end - __module_cert_start +#else + .long __module_cert_end - __module_cert_start +#endif From patchwork Thu Feb 11 19:54:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 12084021 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4637C43333 for ; Thu, 11 Feb 2021 19:56:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 78C0C64E5B for ; Thu, 11 Feb 2021 19:56:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231639AbhBKT4a (ORCPT ); Thu, 11 Feb 2021 14:56:30 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:24478 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231486AbhBKT4A (ORCPT ); Thu, 11 Feb 2021 14:56:00 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 11BJhZ1K180221; Thu, 11 Feb 2021 14:55:20 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=/dVh8leYKPxVTu0OUSq0TIvb2aZyD1O6XwkrwUlEfqA=; b=V1hGgVFE6Mge/ewznGr5s5MpRz578ikiGXAOyoxt4igzebkkLGuRJXLunkha0N3dGNVh COtuzngk9E6CXkNFFn/+j87BGMV33I/EqpSIw+YoxgCoLx8Kk4uitDqxp/HSyzX5wyWi 5R40QDumqsxDs6+U/EAvTZQCA4pgTEbRT51EtvbGcc11xSm95ttfi4chAqhFMUneK+UH vM2H17MBb7/O3Bx8OX1vnVl0s9af7xa1BVctZ9PW1UASo57ujk4z7qv+gF0azqVvPvqF CMejvvRfjAWN9/2qlHolPyEQBKyWDmNyqMB7kc92V3OsqXmBz3yT9AchChUfOy+6dPIi xQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb05r87u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:19 -0500 Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 11BJi4o7182965; Thu, 11 Feb 2021 14:55:19 -0500 Received: from ppma04fra.de.ibm.com (6a.4a.5195.ip4.static.sl-reverse.com [149.81.74.106]) by mx0a-001b2d01.pphosted.com with ESMTP id 36nb05r872-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 14:55:19 -0500 Received: from pps.filterd (ppma04fra.de.ibm.com [127.0.0.1]) by ppma04fra.de.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 11BJqLSq030665; Thu, 11 Feb 2021 19:55:17 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma04fra.de.ibm.com with ESMTP id 36hjr8b5qh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2021 19:55:17 +0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 11BJtEQ941419172 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Feb 2021 19:55:14 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E43A14203F; Thu, 11 Feb 2021 19:55:13 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 388C34204B; Thu, 11 Feb 2021 19:55:12 +0000 (GMT) Received: from li-4b5937cc-25c4-11b2-a85c-cea3a66903e4.ibm.com.com (unknown [9.160.81.209]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 11 Feb 2021 19:55:11 +0000 (GMT) From: Nayna Jain To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org, David Howells , Jarkko Sakkinen , Mimi Zohar , Linux Kernel Mailing List , Nayna Jain Subject: [PATCH 5/5] ima: enable loading of build time generated key to .ima keyring Date: Thu, 11 Feb 2021 14:54:35 -0500 Message-Id: <20210211195435.135582-6-nayna@linux.ibm.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210211195435.135582-1-nayna@linux.ibm.com> References: <20210211195435.135582-1-nayna@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.737 definitions=2021-02-11_07:2021-02-11,2021-02-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 phishscore=0 spamscore=0 impostorscore=0 adultscore=0 lowpriorityscore=0 priorityscore=1501 clxscore=1015 suspectscore=0 mlxscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2102110153 Precedence: bulk List-ID: The kernel currently only loads the kernel module signing key onto the builtin trusted keyring. To support IMA, load the module signing key selectively either onto builtin or ima keyring based on MODULE_SIG or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel key onto builtin trusted keyring. Signed-off-by: Nayna Jain --- certs/system_keyring.c | 56 +++++++++++++++++++++++++++-------- include/keys/system_keyring.h | 9 +++++- security/integrity/digsig.c | 4 +++ 3 files changed, 55 insertions(+), 14 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 798291177186..0bbbe501f8a7 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -26,6 +26,7 @@ static struct key *platform_trusted_keys; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; +extern __initconst const unsigned long module_cert_size; /** * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA @@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void) */ device_initcall(system_trusted_keyring_init); -/* - * Load the compiled-in list of X.509 certificates. - */ -static __init int load_system_certificate_list(void) +static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring, + unsigned long flags) { key_ref_t key; - const u8 *p, *end; size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - - p = system_certificate_list; - end = p + system_certificate_list_size; while (p < end) { /* Each cert begins with an ASN.1 SEQUENCE tag and must be more * than 256 bytes in size. @@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void) if (plen > end - p) goto dodgy_cert; - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), + key = key_create_or_update(make_key_ref(keyring, 1), "asymmetric", NULL, p, plen, ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); + flags); + if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); @@ -185,6 +178,43 @@ static __init int load_system_certificate_list(void) pr_err("Problem parsing in-kernel X.509 certificate list\n"); return 0; } + +__init int load_module_cert(struct key *keyring, unsigned long flags) +{ + const u8 *p, *end; + + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + + p = system_certificate_list; + end = p + module_cert_size; + load_cert(p, end, keyring, flags); + + return 0; +} + +/* + * Load the compiled-in list of X.509 certificates. + */ +static __init int load_system_certificate_list(void) +{ + const u8 *p, *end; + + pr_notice("Loading compiled-in X.509 certificates\n"); + +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; +#else + p = system_certificate_list + module_cert_size; +#endif + end = p + system_certificate_list_size; + load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + return 0; +} late_initcall(load_system_certificate_list); #ifdef CONFIG_SYSTEM_DATA_VERIFICATION diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9d1..e91c03376599 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); - +extern __init int load_module_cert(struct key *keyring, unsigned long flags); #else #define restrict_link_by_builtin_trusted restrict_link_reject + +static inline __init int load_module_cert(struct key *keyring, + unsigned long flags) +{ + return 0; +} + #endif #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 0f518dcfde05..4009d1e33fe0 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_IMA) + load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA); } + pr_info("Loading key to ima keyring\n"); + return err; }