From patchwork Thu Feb 18 22:00:07 2021
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 12094375
From: Nayna Jain
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, David Howells, Jarkko Sakkinen, Mimi Zohar, Stefan Berger, Linux Kernel Mailing List, Nayna Jain
Subject: [PATCH v2 1/5] keys: cleanup build time module signing keys
Date: Thu, 18 Feb 2021 17:00:07 -0500
Message-Id: <20210218220011.67625-2-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210218220011.67625-1-nayna@linux.ibm.com>
References: <20210218220011.67625-1-nayna@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The "mrproper" target is still looking for build time generated keys in the old path instead of the certs/ directory. Fix the path and remove the names of the files which are no longer generated.

Fixes: fb1179499134 ("modsign: Use single PEM file for autogenerated key")
Signed-off-by: Nayna Jain
Reviewed-by: Stefan Berger
---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index de1acaefe87e..004163a4e6b3 100644
--- a/Makefile
+++ b/Makefile
@@ -1472,9 +1472,9 @@ MRPROPER_FILES += include/config include/generated \ debian snap tar-install \ .config .config.old .version \ Module.symvers \ - signing_key.pem signing_key.priv signing_key.x509 \ - x509.genkey extra_certificates signing_key.x509.keyid \ - signing_key.x509.signer vmlinux-gdb.py \ + certs/signing_key.pem certs/signing_key.x509 \ + certs/x509.genkey \ + vmlinux-gdb.py \ *.spec # Directories & files removed with 'make distclean'
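Review bot: the hunk removes signing_key.priv, signing_key.x509.keyid, signing_key.x509.signer and extra_certificates from MRPROPER_FILES without certs/ replacements, which is consistent with the commit message, but a tree that still carries those top-level files from a build older than fb1179499134 will no longer have them cleaned, and signing_key.priv is a private key. Either say so in the commit message or keep the old top-level names in the list for one more cycle so that `make mrproper` still removes a leftover key.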
From: Nayna Jain
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, David Howells, Jarkko Sakkinen, Mimi Zohar, Stefan Berger, Linux Kernel Mailing List, Nayna Jain
Subject: [PATCH v2 2/5] keys: generate self-signed module signing key using CSR
Date: Thu, 18 Feb 2021 17:00:08 -0500
Message-Id: <20210218220011.67625-3-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210218220011.67625-1-nayna@linux.ibm.com>
References: <20210218220011.67625-1-nayna@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Loading a key on the IMA trusted keyring requires that the key be signed by an existing key on the builtin or secondary trusted keyring. Creating a Certificate Signing Request (CSR) allows the certificate to be self-signed or signed by a CA. Generate a self-signed module signing key using a CSR.

Signed-off-by: Nayna Jain
Reviewed-by: Stefan Berger
---
 Makefile       |  3 ++-
 certs/Makefile | 15 +++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile index 004163a4e6b3..a971d4ae40bd 100644 --- a/Makefile +++ b/Makefile @@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config include/generated \ .config .config.old .version \ Module.symvers \ certs/signing_key.pem certs/signing_key.x509 \ - certs/x509.genkey \ + certs/x509.genkey certs/signing_key.key \ + certs/signing_key.crt certs/signing_key.csr \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..b2be7eb413d3 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -60,11 +60,18 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" - $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config $(obj)/x509.genkey \ - -outform PEM -out $(obj)/signing_key.pem \ - -keyout $(obj)/signing_key.pem \ + $(Q)openssl req -new -nodes -utf8 \ + -batch -config $(obj)/x509.genkey \ + -outform PEM -out $(obj)/signing_key.csr \ + -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) + $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ + -outform PEM -out $(obj)/signing_key.crt \ + -signkey $(obj)/signing_key.key \ + -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ + -extfile $(obj)/x509.genkey \ + $($(quiet)redirect_openssl) + @cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem @$(kecho) "###" @$(kecho) "### Key pair generated." @$(kecho) "###"
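Review bot: the last recipe line, `@cat $(obj)/signing_key.key $(obj)/signing_key.crt >> $(obj)/signing_key.pem`, appends instead of overwriting. The rule is `$(obj)/signing_key.pem: $(obj)/x509.genkey`, so whenever x509.genkey is newer than an existing signing_key.pem the recipe re-runs and a second key pair is appended behind the first; use `>` or `rm -f` the target first. The redirection also creates signing_key.pem with the build user's umask rather than the owner-only mode openssl applies to its `-keyout` file, so the private key can become readable by other users of the build host; run the concatenation under `umask 077` (or use `install -m 0600`), and consider deleting signing_key.key and signing_key.csr right after the cat so the private key is not kept in two files until mrproper.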
From: Nayna Jain
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, David Howells, Jarkko Sakkinen, Mimi Zohar, Stefan Berger, Linux Kernel Mailing List, Nayna Jain
Subject: [PATCH v2 3/5] ima: update kernel module signing process during build
Date: Thu, 18 Feb 2021 17:00:09 -0500
Message-Id: <20210218220011.67625-4-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210218220011.67625-1-nayna@linux.ibm.com>
References: <20210218220011.67625-1-nayna@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain
Reviewed-by: Stefan Berger
---
 certs/Kconfig | 2 +-
 init/Kconfig  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/init/Kconfig b/init/Kconfig index 29ad68325028..68147bbda5f9 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -2162,7 +2162,7 @@ config MODULE_SIG_FORCE config MODULE_SIG_ALL bool "Automatically sign all modules" default y - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. @@ -2172,7 +2172,7 @@ comment "Do not forget to sign required modules with scripts/sign-file" choice prompt "Which hash algorithm should modules be signed with?" - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help This determines which sort of hashing algorithm will be used during signature generation. This algorithm _must_ be built into the kernel 
@@ -2204,7 +2204,7 @@ endchoice config MODULE_SIG_HASH string - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG default "sha1" if MODULE_SIG_SHA1 default "sha224" if MODULE_SIG_SHA224 default "sha256" if MODULE_SIG_SHA256
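Review bot: this hunk, like the three before it, only widens `depends on MODULE_SIG` to `depends on MODULE_SIG || IMA_APPRAISE_MODSIG`, and the diffstat lists only certs/Kconfig and init/Kconfig; nothing in the patch touches the rule that runs scripts/sign-file at modules_install, which the MODULE_SIG_ALL help text refers to. The commit message should state that the signing rule is keyed on CONFIG_MODULE_SIG_ALL (so enabling IMA_APPRAISE_MODSIG alone is enough to sign), otherwise the key, hash and sign-all options become visible while modules still ship unsigned.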
From: Nayna Jain
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, David Howells, Jarkko Sakkinen, Mimi Zohar, Stefan Berger, Linux Kernel Mailing List, Nayna Jain, kernel test robot
Subject: [PATCH v2 4/5] keys: define build time generated ephemeral kernel CA key
Date: Thu, 18 Feb 2021 17:00:10 -0500
Message-Id: <20210218220011.67625-5-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210218220011.67625-1-nayna@linux.ibm.com>
References: <20210218220011.67625-1-nayna@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Certificates being loaded onto the IMA trusted keyring must be signed by a key on either the builtin or secondary trusted keyring. Create and include in the kernel image an ephemeral CA key at build time when IMA_APPRAISE_MODSIG is enabled.

Reported-by: kernel test robot (redirect openssl stderr)
Signed-off-by: Nayna Jain
---
 Makefile                    |  2 ++
 certs/Makefile              | 68 ++++++++++++++++++++++++++++++++++---
 certs/system_certificates.S | 16 ++++++++-
 3 files changed, 80 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index a971d4ae40bd..15e8344836b1 100644
--- a/Makefile
+++ b/Makefile
@@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated \ certs/signing_key.pem certs/signing_key.x509 \ certs/x509.genkey certs/signing_key.key \ certs/signing_key.crt certs/signing_key.csr \ + certs/ca_signing_key.pem certs/ca_signing_key.x509 \ + certs/ca_signing_key.srl \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index b2be7eb413d3..3fe6b73786fa 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) +SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +SIGN_KEY = y +endif + +ifdef SIGN_KEY ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +# openssl arguments for CA Signed certificate. +CA_KEY = certs/ca_signing_key.pem +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial +else +# openssl arguments for Self Signed certificate. +SIGNER = -signkey $(obj)/signing_key.key +endif # CONFIG_IMA_APPRAISE_MODSIG + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." 
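Review bot: `CA_KEY = certs/ca_signing_key.pem` in this hunk is defined a second time further down (in the `ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)` block after `endif # CONFIG_MODULE_SIG_KEY`), and it spells the path literally while the neighbouring files use `$(obj)/signing_key.key`; define it once, as `$(obj)/ca_signing_key.pem`, next to SIGNER. The two `ifeq` blocks that each set `SIGN_KEY = y` can also be a single condition, e.g. `ifneq (,$(filter y,$(CONFIG_MODULE_SIG) $(CONFIG_IMA_APPRAISE_MODSIG)))`.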
@@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + # Generate kernel build time CA Certificate. + @$(Q)openssl req -new -nodes -utf8 \ + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ + -subj "/CN=Build time autogenerated kernel CA key" \ + -batch -x509 -config $(obj)/x509.genkey \ + -outform PEM -out $(CA_KEY) \ + -keyout $(CA_KEY) -extensions ca_ext \ + $($(quiet)redirect_openssl) +endif # CONFIG_IMA_APPRAISE_MODSIG $(Q)openssl req -new -nodes -utf8 \ -batch -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.csr \ -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ - -outform PEM -out $(obj)/signing_key.crt \ - -signkey $(obj)/signing_key.key \ + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ -extfile $(obj)/x509.genkey \ $($(quiet)redirect_openssl) 
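Review bot: the CA line `@$(Q)openssl req -new -nodes -utf8 \` carries a literal `@` in front of `$(Q)`; `$(Q)` is already `@` unless V=1, so the extra prefix keeps this command hidden even for `make V=1`, unlike the `$(Q)openssl` lines that follow it. Drop the `@`. Note also that the CA private key is written together with the CA certificate into `$(CA_KEY)` and stays in the tree afterwards, although only this recipe needs it for signing and `ca_signing_key.x509` is extracted from the certificate half; if the CA is meant to be ephemeral, as the subject says, a comment stating that and a step that discards the key part once signing_key.crt exists would make that explicit.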
@@ -95,19 +122,50 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ + @echo >>$@ "[ ca_ext ]" + @echo >>$@ "keyUsage=critical,keyCertSign" + @echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) +SUBJECT=CN = Build time autogenerated kernel key +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer $($(quiet)redirect_openssl)) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it + +# GCC PR#66871 again. +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + +# Remove existing keys if it is self-signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey)) +CA_KEY = certs/ca_signing_key.pem + +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509 + +targets += ca_signing_key.x509 +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(CA_KEY)) + +targets += signing_key.x509 +$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) +else + +# Remove existing keys if it is CA signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),,$(shell rm -f certs/ca_signing_key.* certs/signing_key.* certs/x509.genkey)) + ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif -# GCC PR#66871 again. 
$(obj)/system_certificates.o: $(obj)/signing_key.x509 targets += signing_key.x509 -$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE +$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) -endif # CONFIG_MODULE_SIG + +endif # CONFIG_IMA_APPRAISE_MODSIG +endif # SIGN_KEY diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 8f29058adf93..e10043800a7e 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -8,8 +8,13 @@ .globl system_certificate_list system_certificate_list: __cert_list_start: -#ifdef CONFIG_MODULE_SIG +__module_cert_start: +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) .incbin "certs/signing_key.x509" +#endif +__module_cert_end: +#ifdef CONFIG_IMA_APPRAISE_MODSIG + .incbin "certs/ca_signing_key.x509" #endif .incbin "certs/x509_certificate_list" __cert_list_end: 
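Review bot: `ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer ...)` and the two `$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f ...))` lines run while make parses certs/Makefile, so keys are deleted as a side effect of any target that includes this file, not only of building signing_key.pem, and the match relies on the issuer being printed exactly as `CN = Build time autogenerated kernel key`, a format that changed between OpenSSL 1.0 (`/CN=...`) and 1.1. Comparing the certificate's own `-subject` and `-issuer` output under a fixed `-nameopt`, inside the recipe, avoids both problems. Separately, `$(obj)/signing_key.x509: $(obj)/signing_key.pem scripts/extract-cert FORCE` in the IMA branch and `$(obj)/signing_key.x509: certs/signing_key.pem scripts/extract-cert $(X509_DEP) FORCE` in the else branch make certs/signing_key.pem a hard prerequisite even when CONFIG_MODULE_SIG_KEY names an external PEM file or a pkcs11: URI; the pem rule only exists inside `ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")`, so those configurations will fail with no rule to make the target. The X509_DEP dependency was there for exactly that case and should remain the only file prerequisite.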
@@ -35,3 +40,12 @@ system_certificate_list_size: #else .long __cert_list_end - __cert_list_start #endif + + .align 8 + .globl module_cert_size + module_cert_size: +#ifdef CONFIG_64BIT + .quad __module_cert_end - __module_cert_start +#else + .long __module_cert_end - __module_cert_start +#endif
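Review bot: `module_cert_size` is exported with `.globl` here, but the diffstat for this patch (Makefile, certs/Makefile, certs/system_certificates.S) contains no header change, so between 4/5 and 5/5 the symbol has no C declaration; add the extern to include/keys/system_keyring.h in this patch or say in the commit message that 5/5 adds the consumer. A one-line comment above `__module_cert_start` in the previous hunk, saying that the range deliberately covers signing_key.x509 only while the CA cert sits in `__cert_list_start`..`__cert_list_end` alone, would also help the next reader.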
From: Nayna Jain
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, David Howells, Jarkko Sakkinen, Mimi Zohar, Stefan Berger, Linux Kernel Mailing List, Nayna Jain
Subject: [PATCH v2 5/5] ima: enable loading of build time generated key on .ima keyring
Date: Thu, 18 Feb 2021 17:00:11 -0500
Message-Id: <20210218220011.67625-6-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210218220011.67625-1-nayna@linux.ibm.com>
References: <20210218220011.67625-1-nayna@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The kernel currently only loads the kernel module signing key onto the builtin trusted keyring. To support IMA, load the module signing key selectively onto either the builtin or the IMA keyring, based on the MODULE_SIG or MODULE_APPRAISE_MODSIG config respectively, and load the CA kernel key onto the builtin trusted keyring.

Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Reviewed-by: Stefan Berger
---
 certs/system_keyring.c        | 55 ++++++++++++++++++++++++++---------
 include/keys/system_keyring.h |  9 +++++-
 security/integrity/digsig.c   |  4 +++
 3 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 798291177186..ea3826627729 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -26,6 +26,7 @@ static struct key *platform_trusted_keys; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; +extern __initconst const unsigned long module_cert_size; /** * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA @@ -131,19 +132,12 @@ static __init int system_trusted_keyring_init(void) */ device_initcall(system_trusted_keyring_init); -/* - * Load the compiled-in list of X.509 certificates. - */ -static __init int load_system_certificate_list(void) +static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring, + unsigned long flags) { key_ref_t key; - const u8 *p, *end; size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - - p = system_certificate_list; - end = p + system_certificate_list_size; while (p < end) { /* Each cert begins with an ASN.1 SEQUENCE tag and must be more * than 256 bytes in size. @@ -158,16 +152,15 @@ static __init int load_system_certificate_list(void) if (plen > end - p) goto dodgy_cert; - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), + key = key_create_or_update(make_key_ref(keyring, 1), "asymmetric", NULL, p, plen, ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); + flags); + if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); 
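Review bot: `load_cert()` now takes the allocation `flags` from its caller, which changes what `key_create_or_update()` enforces per call site: the builtin-keyring caller keeps `KEY_ALLOC_BYPASS_RESTRICTION`, but the `.ima` caller added in security/integrity/digsig.c below passes only `KEY_ALLOC_NOT_IN_QUOTA`, so if the `.ima` keyring carries a link restriction it is applied to the module signing certificate and the add fails unless the certificate's issuer is already on a trusted keyring. That is presumably intended, but it deserves a comment on `load_cert()` stating that the restriction is deliberately not bypassed for non-builtin keyrings, and the generic `pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ...)` could name the target keyring so a rejected certificate is attributable at boot. The `/* Load the compiled-in list of X.509 certificates. */` comment moved with `load_system_certificate_list()`, leaving the new `load_cert()` undocumented; a short description of `p`, `end`, `keyring` and `flags` would help.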
@@ -185,6 +178,42 @@ static __init int load_system_certificate_list(void) pr_err("Problem parsing in-kernel X.509 certificate list\n"); return 0; } + +__init int load_module_cert(struct key *keyring, unsigned long flags) +{ + const u8 *p, *end; + + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + + p = system_certificate_list; + end = p + module_cert_size; + + return load_cert(p, end, keyring, flags); +} + +/* + * Load the compiled-in list of X.509 certificates. + */ +static __init int load_system_certificate_list(void) +{ + const u8 *p, *end; + + pr_notice("Loading compiled-in X.509 certificates\n"); + +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; +#else + p = system_certificate_list + module_cert_size; +#endif + end = p + system_certificate_list_size; + + return load_cert(p, end, builtin_trusted_keys, KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); +} late_initcall(load_system_certificate_list); #ifdef CONFIG_SYSTEM_DATA_VERIFICATION diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9d1..e91c03376599 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -16,9 +16,16 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); - +extern __init int load_module_cert(struct key *keyring, unsigned long flags); #else #define restrict_link_by_builtin_trusted restrict_link_reject + +static inline __init int load_module_cert(struct key *keyring, + unsigned long flags) +{ + return 0; +} + #endif #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 0f518dcfde05..4009d1e33fe0 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c 
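Review bot: the `#else` branch of `load_system_certificate_list()` computes `end` incorrectly. With `p = system_certificate_list + module_cert_size;` followed by `end = p + system_certificate_list_size;`, `end` lies `module_cert_size` bytes past `__cert_list_end` (the size symbol spans the whole list, module certificate included), so the `while (p < end)` loop in `load_cert()` reads beyond the embedded list into whatever the linker placed after it; at best the ASN.1 SEQUENCE tag check trips and logs "Problem parsing in-kernel X.509 certificate list", at worst bytes that happen to look like a SEQUENCE header are handed to the certificate parser. Compute the end from the list base in both branches, e.g. `end = system_certificate_list + system_certificate_list_size;`, or pass a length into `load_cert()` and subtract `module_cert_size` in the `#else` case. Separately, `load_module_cert()` returns 0 without loading anything when CONFIG_IMA_APPRAISE_MODSIG is off even though the assembler range is non-empty with CONFIG_MODULE_SIG alone; that is correct (the builtin keyring already receives the key) but the early return deserves a comment saying so.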
@@ -111,8 +111,12 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_IMA) + load_module_cert(keyring[id], KEY_ALLOC_NOT_IN_QUOTA); } + pr_info("Loading key to ima keyring\n"); + return err; }
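Review bot: the `pr_info("Loading key to ima keyring\n")` sits after the whole `if/else`, so it prints once for every keyring `__integrity_init_keyring()` creates (evm, ima, platform), on the error path as well as on success, and regardless of whether `load_module_cert()` did anything; either move it under the new `if (id == INTEGRITY_KEYRING_IMA)` branch or drop it, since `load_module_cert()` already emits its own `pr_notice()` when it runs. The return value of `load_module_cert()` is also discarded; `load_cert()` returns 0 on the visible paths so nothing is lost today, but logging a non-zero result with `pr_err()` would keep a future failure from being silent.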