From: Mimi Zohar <zohar@linux.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: jwboyer@fedoraproject.org, Kairui Song <kasong@redhat.com>,
ebiggers@google.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
jmorris@namei.org, dhowells@redhat.com,
linux-security-module <linux-security-module@vger.kernel.org>,
keyrings@vger.kernel.org,
linux-integrity <linux-integrity@vger.kernel.org>,
dwmw2@infradead.org, bauerman@linux.ibm.com, serge@hallyn.com
Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Wed, 09 Jan 2019 09:07:36 -0500 [thread overview]
Message-ID: <1547042856.19931.229.camel@linux.ibm.com> (raw)
In-Reply-To: <20190109013356.GA2610@dhcp-128-65.nay.redhat.com>
On Wed, 2019-01-09 at 09:33 +0800, Dave Young wrote:
> CC kexec list
> On 01/08/19 at 10:18am, Mimi Zohar wrote:
> > [Cc'ing the LSM and integrity mailing lists]
> >
> > Repeating my comment on PATCH 0/1 here with the expanded set of
> > mailing lists.
> >
> > The builtin and secondary keyrings have a signature change of trust
> > rooted in the signed kernel image. Adding the pre-boot keys to the
> > secondary keyring breaks that signature chain of trust.
> >
> > Please do NOT add the pre-boot "platform" keys to the secondary
> > keyring.
>
> If we regard kexec as a bootloader, it sounds natural to use the
> platform key to verify the signature with kexec_file_load syscall.
>
> It will be hard for user to manually sign a kernel and import the key
> then to reuse kexec_file_load.
This is really a generic topic, not limited to kexec, which should be
discussed. Let's defer this discussion for now.
>
> I think we do not care if platform key can be added to secondary or not,
> any suggestions how can kexec_file to use the platform key?
I assume the problem is accessing the keyring id.
Instead of defining a function to return the keyring id, as below,
define a function that sets a variable with the keyring id.
platform_keyring_init() would call that function to set the variable.
Similar to builtin_trusted_keys and secondary_trusted_keys, define a
variable named platform_trusted_keys.
[snip]
> > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> > > index f45d6edecf99..397758d4f12d 100644
> > > --- a/security/integrity/digsig.c
> > > +++ b/security/integrity/digsig.c
> > > @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source,
> > > pr_info("Loading X.509 certificate: %s\n", source);
> > > return integrity_add_key(id, data, len, perm);
> > > }
> > > +
> > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> > > +struct key* __init integrity_get_platform_keyring(void)
> > > +{
> > > + return keyring[INTEGRITY_KEYRING_PLATFORM];
> > > +}
> > > +#endif
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: Kairui Song <kasong@redhat.com>,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
dwmw2@infradead.org, jwboyer@fedoraproject.org,
keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com,
bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
kexec@lists.infradead.org
Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Wed, 09 Jan 2019 14:07:36 +0000 [thread overview]
Message-ID: <1547042856.19931.229.camel@linux.ibm.com> (raw)
In-Reply-To: <20190109013356.GA2610@dhcp-128-65.nay.redhat.com>
On Wed, 2019-01-09 at 09:33 +0800, Dave Young wrote:
> CC kexec list
> On 01/08/19 at 10:18am, Mimi Zohar wrote:
> > [Cc'ing the LSM and integrity mailing lists]
> >
> > Repeating my comment on PATCH 0/1 here with the expanded set of
> > mailing lists.
> >
> > The builtin and secondary keyrings have a signature change of trust
> > rooted in the signed kernel image. Adding the pre-boot keys to the
> > secondary keyring breaks that signature chain of trust.
> >
> > Please do NOT add the pre-boot "platform" keys to the secondary
> > keyring.
>
> If we regard kexec as a bootloader, it sounds natural to use the
> platform key to verify the signature with kexec_file_load syscall.
>
> It will be hard for user to manually sign a kernel and import the key
> then to reuse kexec_file_load.
This is really a generic topic, not limited to kexec, which should be
discussed. Let's defer this discussion for now.
>
> I think we do not care if platform key can be added to secondary or not,
> any suggestions how can kexec_file to use the platform key?
I assume the problem is accessing the keyring id.
Instead of defining a function to return the keyring id, as below,
define a function that sets a variable with the keyring id.
platform_keyring_init() would call that function to set the variable.
Similar to builtin_trusted_keys and secondary_trusted_keys, define a
variable named platform_trusted_keys.
[snip]
> > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> > > index f45d6edecf99..397758d4f12d 100644
> > > --- a/security/integrity/digsig.c
> > > +++ b/security/integrity/digsig.c
> > > @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source,
> > > pr_info("Loading X.509 certificate: %s\n", source);
> > > return integrity_add_key(id, data, len, perm);
> > > }
> > > +
> > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> > > +struct key* __init integrity_get_platform_keyring(void)
> > > +{
> > > + return keyring[INTEGRITY_KEYRING_PLATFORM];
> > > +}
> > > +#endif
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: Kairui Song <kasong@redhat.com>,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
dwmw2@infradead.org, jwboyer@fedoraproject.org,
keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com,
bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
kexec@lists.infradead.org
Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
Date: Wed, 09 Jan 2019 09:07:36 -0500 [thread overview]
Message-ID: <1547042856.19931.229.camel@linux.ibm.com> (raw)
In-Reply-To: <20190109013356.GA2610@dhcp-128-65.nay.redhat.com>
On Wed, 2019-01-09 at 09:33 +0800, Dave Young wrote:
> CC kexec list
> On 01/08/19 at 10:18am, Mimi Zohar wrote:
> > [Cc'ing the LSM and integrity mailing lists]
> >
> > Repeating my comment on PATCH 0/1 here with the expanded set of
> > mailing lists.
> >
> > The builtin and secondary keyrings have a signature change of trust
> > rooted in the signed kernel image. Adding the pre-boot keys to the
> > secondary keyring breaks that signature chain of trust.
> >
> > Please do NOT add the pre-boot "platform" keys to the secondary
> > keyring.
>
> If we regard kexec as a bootloader, it sounds natural to use the
> platform key to verify the signature with kexec_file_load syscall.
>
> It will be hard for user to manually sign a kernel and import the key
> then to reuse kexec_file_load.
This is really a generic topic, not limited to kexec, which should be
discussed. Let's defer this discussion for now.
>
> I think we do not care if platform key can be added to secondary or not,
> any suggestions how can kexec_file to use the platform key?
I assume the problem is accessing the keyring id.
Instead of defining a function to return the keyring id, as below,
define a function that sets a variable with the keyring id.
platform_keyring_init() would call that function to set the variable.
Similar to builtin_trusted_keys and secondary_trusted_keys, define a
variable named platform_trusted_keys.
[snip]
> > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> > > index f45d6edecf99..397758d4f12d 100644
> > > --- a/security/integrity/digsig.c
> > > +++ b/security/integrity/digsig.c
> > > @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source,
> > > pr_info("Loading X.509 certificate: %s\n", source);
> > > return integrity_add_key(id, data, len, perm);
> > > }
> > > +
> > > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> > > +struct key* __init integrity_get_platform_keyring(void)
> > > +{
> > > + return keyring[INTEGRITY_KEYRING_PLATFORM];
> > > +}
> > > +#endif
Mimi
next prev parent reply other threads:[~2019-01-09 14:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-08 8:12 [RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys Kairui Song
2019-01-08 8:12 ` [RFC PATCH 1/1] " Kairui Song
2019-01-08 15:18 ` Mimi Zohar
2019-01-08 15:18 ` Mimi Zohar
2019-01-09 1:33 ` Dave Young
2019-01-09 1:33 ` Dave Young
2019-01-09 1:33 ` Dave Young
2019-01-09 2:02 ` Kairui Song
2019-01-09 2:02 ` Kairui Song
2019-01-09 2:02 ` Kairui Song
2019-01-09 14:07 ` Mimi Zohar [this message]
2019-01-09 14:07 ` Mimi Zohar
2019-01-09 14:07 ` Mimi Zohar
2019-01-17 15:04 ` David Howells
2019-01-17 16:15 ` Kairui Song
2019-01-08 14:31 ` [RFC PATCH 0/1] " Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1547042856.19931.229.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kasong@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.