From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Tue, 08 Jan 2019 15:18:00 +0000 [thread overview]
Message-ID: <1546960680.19931.114.camel@linux.ibm.com> (raw)
In-Reply-To: <20190108081247.2266-2-kasong@redhat.com>
[Cc'ing the LSM and integrity mailing lists]
Repeating my comment on PATCH 0/1 here with the expanded set of
mailing lists.
The builtin and secondary keyrings have a signature change of trust
rooted in the signed kernel image. Adding the pre-boot keys to the
secondary keyring breaks that signature chain of trust.
Please do NOT add the pre-boot "platform" keys to the secondary
keyring.
Mimi
On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote:
> Currently kexec may need to verify the kerne image, and the kernel image
> could be signed with third part keys which are provided by paltform or
> firmware (eg. stored in MokListRT EFI variable). And the same time,
> kexec_file_load will only verify the image agains .builtin_trusted_keys
> or .secondary_trusted_keys according to configuration, but there is no
> way for kexec_file_load to verify the image against any third part keys
> mentioned above.
>
> In ea93102f3224 ('integrity: Define a trusted platform keyring') a
> .platform keyring is introduced to store the keys provided by platform
> or firmware. And with a few following commits including 15ea0e1e3e185
> ('efi: Import certificates from UEFI Secure Boot'), now keys required to
> verify the image is being imported to .paltform keyring, and later
> IMA-appraisal could access the keyring and verify the image.
>
> This patch links the .platform keyring to .secondary_trusted_keys so
> kexec_file_load could also leverage the .platform keyring to verify the
> kernel image.
>
> Signed-off-by: Kairui Song <kasong@redhat.com>
> ---
> certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++
> include/keys/platform_keyring.h | 12 ++++++++++++
> security/integrity/digsig.c | 7 +++++++
> 3 files changed, 49 insertions(+)
> create mode 100644 include/keys/platform_keyring.h
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..dcef0259e149 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -18,12 +18,14 @@
> #include <linux/verification.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> +#include <keys/platform_keyring.h>
> #include <crypto/pkcs7.h>
>
> static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +static struct key *platform_keys = NULL;
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -67,6 +69,12 @@ int restrict_link_by_builtin_and_secondary_trusted(
> /* Allow the builtin keyring to be added to the secondary */
> return 0;
>
> + if (type = &key_type_keyring &&
> + dest_keyring = secondary_trusted_keys &&
> + payload = &platform_keys->payload)
> + /* Allow the platform keyring to be added to the secondary */
> + return 0;
> +
> return restrict_link_by_signature(dest_keyring, type, payload,
> secondary_trusted_keys);
> }
> @@ -188,6 +196,28 @@ static __init int load_system_certificate_list(void)
> }
> late_initcall(load_system_certificate_list);
>
> +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SECONDARY_TRUSTED_KEYRING)
> +
> +/*
> + * Link .platform keyring to .secondary_trusted_key keyring
> + */
> +static __init int load_platform_certificate_list(void)
> +{
> + int ret = 0;
> + platform_keys = integrity_get_platform_keyring();
> + if (!platform_keys) {
> + return 0;
> + }
> + ret = key_link(secondary_trusted_keys, platform_keys);
> + if (ret < 0) {
> + pr_err("Failed to link platform keyring: %d", ret);
> + }
> + return 0;
> +}
> +late_initcall(load_platform_certificate_list);
> +
> +#endif
> +
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> /**
> diff --git a/include/keys/platform_keyring.h b/include/keys/platform_keyring.h
> new file mode 100644
> index 000000000000..4f92ed6c0b42
> --- /dev/null
> +++ b/include/keys/platform_keyring.h
> @@ -0,0 +1,12 @@
> +#ifndef _KEYS_PLATFORM_KEYRING_H
> +#define _KEYS_PLATFORM_KEYRING_H
> +
> +#include <linux/key.h>
> +
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern const struct key* __init integrity_get_platform_keyring(void);
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
> +
> +#endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..397758d4f12d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source,
> pr_info("Loading X.509 certificate: %s\n", source);
> return integrity_add_key(id, data, len, perm);
> }
> +
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +struct key* __init integrity_get_platform_keyring(void)
> +{
> + return keyring[INTEGRITY_KEYRING_PLATFORM];
> +}
> +#endif
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Tue, 08 Jan 2019 10:18:00 -0500 [thread overview]
Message-ID: <1546960680.19931.114.camel@linux.ibm.com> (raw)
In-Reply-To: <20190108081247.2266-2-kasong@redhat.com>
[Cc'ing the LSM and integrity mailing lists]
Repeating my comment on PATCH 0/1 here with the expanded set of
mailing lists.
The builtin and secondary keyrings have a signature change of trust
rooted in the signed kernel image. Adding the pre-boot keys to the
secondary keyring breaks that signature chain of trust.
Please do NOT add the pre-boot "platform" keys to the secondary
keyring.
Mimi
On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote:
> Currently kexec may need to verify the kerne image, and the kernel image
> could be signed with third part keys which are provided by paltform or
> firmware (eg. stored in MokListRT EFI variable). And the same time,
> kexec_file_load will only verify the image agains .builtin_trusted_keys
> or .secondary_trusted_keys according to configuration, but there is no
> way for kexec_file_load to verify the image against any third part keys
> mentioned above.
>
> In ea93102f3224 ('integrity: Define a trusted platform keyring') a
> .platform keyring is introduced to store the keys provided by platform
> or firmware. And with a few following commits including 15ea0e1e3e185
> ('efi: Import certificates from UEFI Secure Boot'), now keys required to
> verify the image is being imported to .paltform keyring, and later
> IMA-appraisal could access the keyring and verify the image.
>
> This patch links the .platform keyring to .secondary_trusted_keys so
> kexec_file_load could also leverage the .platform keyring to verify the
> kernel image.
>
> Signed-off-by: Kairui Song <kasong@redhat.com>
> ---
> certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++
> include/keys/platform_keyring.h | 12 ++++++++++++
> security/integrity/digsig.c | 7 +++++++
> 3 files changed, 49 insertions(+)
> create mode 100644 include/keys/platform_keyring.h
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..dcef0259e149 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -18,12 +18,14 @@
> #include <linux/verification.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> +#include <keys/platform_keyring.h>
> #include <crypto/pkcs7.h>
>
> static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +static struct key *platform_keys = NULL;
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -67,6 +69,12 @@ int restrict_link_by_builtin_and_secondary_trusted(
> /* Allow the builtin keyring to be added to the secondary */
> return 0;
>
> + if (type == &key_type_keyring &&
> + dest_keyring == secondary_trusted_keys &&
> + payload == &platform_keys->payload)
> + /* Allow the platform keyring to be added to the secondary */
> + return 0;
> +
> return restrict_link_by_signature(dest_keyring, type, payload,
> secondary_trusted_keys);
> }
> @@ -188,6 +196,28 @@ static __init int load_system_certificate_list(void)
> }
> late_initcall(load_system_certificate_list);
>
> +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SECONDARY_TRUSTED_KEYRING)
> +
> +/*
> + * Link .platform keyring to .secondary_trusted_key keyring
> + */
> +static __init int load_platform_certificate_list(void)
> +{
> + int ret = 0;
> + platform_keys = integrity_get_platform_keyring();
> + if (!platform_keys) {
> + return 0;
> + }
> + ret = key_link(secondary_trusted_keys, platform_keys);
> + if (ret < 0) {
> + pr_err("Failed to link platform keyring: %d", ret);
> + }
> + return 0;
> +}
> +late_initcall(load_platform_certificate_list);
> +
> +#endif
> +
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> /**
> diff --git a/include/keys/platform_keyring.h b/include/keys/platform_keyring.h
> new file mode 100644
> index 000000000000..4f92ed6c0b42
> --- /dev/null
> +++ b/include/keys/platform_keyring.h
> @@ -0,0 +1,12 @@
> +#ifndef _KEYS_PLATFORM_KEYRING_H
> +#define _KEYS_PLATFORM_KEYRING_H
> +
> +#include <linux/key.h>
> +
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern const struct key* __init integrity_get_platform_keyring(void);
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
> +
> +#endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..397758d4f12d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source,
> pr_info("Loading X.509 certificate: %s\n", source);
> return integrity_add_key(id, data, len, perm);
> }
> +
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +struct key* __init integrity_get_platform_keyring(void)
> +{
> + return keyring[INTEGRITY_KEYRING_PLATFORM];
> +}
> +#endif
next prev parent reply other threads:[~2019-01-08 15:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-08 8:12 [RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys Kairui Song
2019-01-08 8:12 ` [RFC PATCH 1/1] " Kairui Song
2019-01-08 15:18 ` Mimi Zohar [this message]
2019-01-08 15:18 ` Mimi Zohar
2019-01-09 1:33 ` Dave Young
2019-01-09 1:33 ` Dave Young
2019-01-09 1:33 ` Dave Young
2019-01-09 2:02 ` Kairui Song
2019-01-09 2:02 ` Kairui Song
2019-01-09 2:02 ` Kairui Song
2019-01-09 14:07 ` Mimi Zohar
2019-01-09 14:07 ` Mimi Zohar
2019-01-09 14:07 ` Mimi Zohar
2019-01-17 15:04 ` David Howells
2019-01-17 16:15 ` Kairui Song
2019-01-08 14:31 ` [RFC PATCH 0/1] " Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1546960680.19931.114.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kasong@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.