From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-efi@vger.kernel.org, mpe@ellerman.id.au,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
dhowells@redhat.com, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
ebiederm@xmission.com, jforbes@redhat.com, vgoyal@redhat.com
Subject: Re: [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA
Date: Wed, 28 Nov 2018 11:45:27 -0500 [thread overview]
Message-ID: <1543423527.3902.239.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-1-nayna@linux.ibm.com>
Hi Nayna,
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> On secure boot enabled systems, a verified kernel may need to kexec
> additional kernels. For example, it may be used as a bootloader needing
> to kexec a target kernel or it may need to kexec a crashdump kernel.
> In such cases, it may want to verify the signature of the next kernel
> image.
>
> It is possible that the new kernel image is signed with third party keys
> which are stored as platform or firmware keys in the 'db' variable. The
> kernel, however, can not directly verify these platform keys, and an
> administrator may therefore not want to trust them for arbitrary usage.
> In order to differentiate platform keys from other keys and provide the
> necessary separation of trust the kernel needs an additional keyring to
> store platform/firmware keys.
>
> The secure boot key database is expected to store the keys as EFI
> Signature List(ESL). The patch set uses David Howells and Josh Boyer's
> patch to access and parse the ESL to extract the certificates and load
> them onto the platform keyring.
>
> The last patch in this patch set adds support for IMA-appraisal to
> verify the kexec'ed kernel image based on keys stored in the platform
> keyring.
>
> Changelog:
>
> v0:
> - The original patches loaded the certificates onto the secondary
> trusted keyring. This patch set defines a new keyring named
> ".platform" and adds the certificates to this new keyring
> - removed CONFIG EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS
> - moved files from certs/ to security/integrity/platform_certs/
This patch set is looking really good! There are a couple of
checkpatch.pl warnings that need to be addressed before these patches
can be upstreamed. I'd also like to see some Reviews/Acks for them as
well.
For the time being these patches are queued in the #next-integrity-
queued branch.
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.
git/
thanks!
Mimi
>
> Dave Howells (2):
> efi: Add EFI signature data types
> efi: Add an EFI signature blob parser
>
> Josh Boyer (2):
> efi: Import certificates from UEFI Secure Boot
> efi: Allow the "db" UEFI variable to be suppressed
>
> Nayna Jain (3):
> integrity: define a trusted platform keyring
> integrity: load certs to the platform keyring
> ima: support platform keyring for kernel appraisal
>
> include/linux/efi.h | 34 ++++
> security/integrity/Kconfig | 11 ++
> security/integrity/Makefile | 5 +
> security/integrity/digsig.c | 115 ++++++++----
> security/integrity/ima/ima_appraise.c | 11 +-
> security/integrity/integrity.h | 23 ++-
> security/integrity/platform_certs/efi_parser.c | 112 ++++++++++++
> security/integrity/platform_certs/load_uefi.c | 192 +++++++++++++++++++++
> .../integrity/platform_certs/platform_keyring.c | 62 +++++++
> 9 files changed, 527 insertions(+), 38 deletions(-)
> create mode 100644 security/integrity/platform_certs/efi_parser.c
> create mode 100644 security/integrity/platform_certs/load_uefi.c
> create mode 100644 security/integrity/platform_certs/platform_keyring.c
>
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com, seth.forshee@canonical.com,
kexec@lists.infradead.org, keyrings@vger.kernel.org,
vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au
Subject: Re: [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA
Date: Wed, 28 Nov 2018 16:45:27 +0000 [thread overview]
Message-ID: <1543423527.3902.239.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-1-nayna@linux.ibm.com>
Hi Nayna,
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> On secure boot enabled systems, a verified kernel may need to kexec
> additional kernels. For example, it may be used as a bootloader needing
> to kexec a target kernel or it may need to kexec a crashdump kernel.
> In such cases, it may want to verify the signature of the next kernel
> image.
>
> It is possible that the new kernel image is signed with third party keys
> which are stored as platform or firmware keys in the 'db' variable. The
> kernel, however, can not directly verify these platform keys, and an
> administrator may therefore not want to trust them for arbitrary usage.
> In order to differentiate platform keys from other keys and provide the
> necessary separation of trust the kernel needs an additional keyring to
> store platform/firmware keys.
>
> The secure boot key database is expected to store the keys as EFI
> Signature List(ESL). The patch set uses David Howells and Josh Boyer's
> patch to access and parse the ESL to extract the certificates and load
> them onto the platform keyring.
>
> The last patch in this patch set adds support for IMA-appraisal to
> verify the kexec'ed kernel image based on keys stored in the platform
> keyring.
>
> Changelog:
>
> v0:
> - The original patches loaded the certificates onto the secondary
> trusted keyring. This patch set defines a new keyring named
> ".platform" and adds the certificates to this new keyring
> - removed CONFIG EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS
> - moved files from certs/ to security/integrity/platform_certs/
This patch set is looking really good! There are a couple of
checkpatch.pl warnings that need to be addressed before these patches
can be upstreamed. I'd also like to see some Reviews/Acks for them as
well.
For the time being these patches are queued in the #next-integrity-
queued branch.
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.
git/
thanks!
Mimi
>
> Dave Howells (2):
> efi: Add EFI signature data types
> efi: Add an EFI signature blob parser
>
> Josh Boyer (2):
> efi: Import certificates from UEFI Secure Boot
> efi: Allow the "db" UEFI variable to be suppressed
>
> Nayna Jain (3):
> integrity: define a trusted platform keyring
> integrity: load certs to the platform keyring
> ima: support platform keyring for kernel appraisal
>
> include/linux/efi.h | 34 ++++
> security/integrity/Kconfig | 11 ++
> security/integrity/Makefile | 5 +
> security/integrity/digsig.c | 115 ++++++++----
> security/integrity/ima/ima_appraise.c | 11 +-
> security/integrity/integrity.h | 23 ++-
> security/integrity/platform_certs/efi_parser.c | 112 ++++++++++++
> security/integrity/platform_certs/load_uefi.c | 192 +++++++++++++++++++++
> .../integrity/platform_certs/platform_keyring.c | 62 +++++++
> 9 files changed, 527 insertions(+), 38 deletions(-)
> create mode 100644 security/integrity/platform_certs/efi_parser.c
> create mode 100644 security/integrity/platform_certs/load_uefi.c
> create mode 100644 security/integrity/platform_certs/platform_keyring.c
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com, seth.forshee@canonical.com,
kexec@lists.infradead.org, keyrings@vger.kernel.org,
vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au
Subject: Re: [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA
Date: Wed, 28 Nov 2018 11:45:27 -0500 [thread overview]
Message-ID: <1543423527.3902.239.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-1-nayna@linux.ibm.com>
Hi Nayna,
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> On secure boot enabled systems, a verified kernel may need to kexec
> additional kernels. For example, it may be used as a bootloader needing
> to kexec a target kernel or it may need to kexec a crashdump kernel.
> In such cases, it may want to verify the signature of the next kernel
> image.
>
> It is possible that the new kernel image is signed with third party keys
> which are stored as platform or firmware keys in the 'db' variable. The
> kernel, however, can not directly verify these platform keys, and an
> administrator may therefore not want to trust them for arbitrary usage.
> In order to differentiate platform keys from other keys and provide the
> necessary separation of trust the kernel needs an additional keyring to
> store platform/firmware keys.
>
> The secure boot key database is expected to store the keys as EFI
> Signature List(ESL). The patch set uses David Howells and Josh Boyer's
> patch to access and parse the ESL to extract the certificates and load
> them onto the platform keyring.
>
> The last patch in this patch set adds support for IMA-appraisal to
> verify the kexec'ed kernel image based on keys stored in the platform
> keyring.
>
> Changelog:
>
> v0:
> - The original patches loaded the certificates onto the secondary
> trusted keyring. This patch set defines a new keyring named
> ".platform" and adds the certificates to this new keyring
> - removed CONFIG EFI_SIGNATURE_LIST_PARSER and LOAD_UEFI_KEYS
> - moved files from certs/ to security/integrity/platform_certs/
This patch set is looking really good! There are a couple of
checkpatch.pl warnings that need to be addressed before these patches
can be upstreamed. I'd also like to see some Reviews/Acks for them as
well.
For the time being these patches are queued in the #next-integrity-
queued branch.
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.
git/
thanks!
Mimi
>
> Dave Howells (2):
> efi: Add EFI signature data types
> efi: Add an EFI signature blob parser
>
> Josh Boyer (2):
> efi: Import certificates from UEFI Secure Boot
> efi: Allow the "db" UEFI variable to be suppressed
>
> Nayna Jain (3):
> integrity: define a trusted platform keyring
> integrity: load certs to the platform keyring
> ima: support platform keyring for kernel appraisal
>
> include/linux/efi.h | 34 ++++
> security/integrity/Kconfig | 11 ++
> security/integrity/Makefile | 5 +
> security/integrity/digsig.c | 115 ++++++++----
> security/integrity/ima/ima_appraise.c | 11 +-
> security/integrity/integrity.h | 23 ++-
> security/integrity/platform_certs/efi_parser.c | 112 ++++++++++++
> security/integrity/platform_certs/load_uefi.c | 192 +++++++++++++++++++++
> .../integrity/platform_certs/platform_keyring.c | 62 +++++++
> 9 files changed, 527 insertions(+), 38 deletions(-)
> create mode 100644 security/integrity/platform_certs/efi_parser.c
> create mode 100644 security/integrity/platform_certs/load_uefi.c
> create mode 100644 security/integrity/platform_certs/platform_keyring.c
>
next prev parent reply other threads:[~2018-11-28 16:46 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-25 15:14 [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 1/7] integrity: Define a trusted platform keyring Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 2/7] integrity: Load certs to the " Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 3/7] efi: Add EFI signature data types Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 4/7] efi: Add an EFI signature blob parser Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-28 15:52 ` Mimi Zohar
2018-11-28 15:52 ` Mimi Zohar
2018-11-28 15:52 ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 5/7] efi: Import certificates from UEFI Secure Boot Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-28 15:46 ` Mimi Zohar
2018-11-28 15:46 ` Mimi Zohar
2018-11-28 15:46 ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 6/7] efi: Allow the "db" UEFI variable to be suppressed Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:15 ` [PATCH 7/7] ima: Support platform keyring for kernel appraisal Nayna Jain
2018-11-25 15:27 ` Nayna Jain
2018-11-25 15:15 ` Nayna Jain
2018-12-06 23:09 ` Serge E. Hallyn
2018-12-06 23:09 ` Serge E. Hallyn
2018-12-06 23:09 ` Serge E. Hallyn
2018-11-28 16:45 ` Mimi Zohar [this message]
2018-11-28 16:45 ` [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Mimi Zohar
2018-11-28 16:45 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1543423527.3902.239.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jforbes@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=seth.forshee@canonical.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.