From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>,
linux-kernel@vger.kernel.org, Dave Young <dyoung@redhat.com>
Cc: jwboyer@fedoraproject.org, ebiggers@google.com,
dyoung@redhat.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, jmorris@namei.org,
dhowells@redhat.com, keyrings@vger.kernel.org,
linux-integrity@vger.kernel.org, dwmw2@infradead.org,
bauerman@linux.ibm.com, serge@hallyn.com
Subject: Re: [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Thu, 17 Jan 2019 20:08:04 -0500 [thread overview]
Message-ID: <1547773684.4026.10.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-1-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> This patch series adds a .platform_trusted_keys in system_keyring as the
> reference to .platform keyring in integrity subsystem, when platform
> keyring is being initialized it will be updated. So other component could
> use this keyring as well.
Remove "other component could use ...".
>
> This patch series also let kexec_file_load use platform keyring as fall
> back if it failed to verify the image against secondary keyring, make it
> possible to load kernel signed by third part key if third party key is
> imported in the firmware.
This is the only reason for these patches. Please remove "also".
>
> After this patch kexec_file_load will be able to verify a signed PE
> bzImage using keys in platform keyring.
>
> Tested in a VM with locally signed kernel with pesign and imported the
> cert to EFI's MokList variable.
It's taken so long for me to review/test this patch set due to a
regression in sanity_check_segment_list(), introduced somewhere
between 4.20 and 5.0.0-rc1. The sgement overlap test - "if ((mend >
pstart) && (mstart < pend))" - fails, returning a -EINVAL.
Is anyone else seeing this?
Mimi
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> Update from V2:
> - Use IS_ENABLED in kexec_file_load to judge if platform_trusted_keys
> should be used for verifying image as suggested by Mimi Zohar
>
> Update from V1:
> - Make platform_trusted_keys static, and update commit message as suggested
> by Mimi Zohar
> - Always check if platform keyring is initialized before use it
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
> certs/system_keyring.c | 22 +++++++++++++++++++++-
> include/keys/system_keyring.h | 5 +++++
> include/linux/verification.h | 1 +
> security/integrity/digsig.c | 6 ++++++
> 5 files changed, 43 insertions(+), 4 deletions(-)
>
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>,
linux-kernel@vger.kernel.org, Dave Young <dyoung@redhat.com>
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Fri, 18 Jan 2019 01:08:04 +0000 [thread overview]
Message-ID: <1547773684.4026.10.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-1-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> This patch series adds a .platform_trusted_keys in system_keyring as the
> reference to .platform keyring in integrity subsystem, when platform
> keyring is being initialized it will be updated. So other component could
> use this keyring as well.
Remove "other component could use ...".
>
> This patch series also let kexec_file_load use platform keyring as fall
> back if it failed to verify the image against secondary keyring, make it
> possible to load kernel signed by third part key if third party key is
> imported in the firmware.
This is the only reason for these patches.  Please remove "also".
>
> After this patch kexec_file_load will be able to verify a signed PE
> bzImage using keys in platform keyring.
>
> Tested in a VM with locally signed kernel with pesign and imported the
> cert to EFI's MokList variable.
It's taken so long for me to review/test this patch set due to a
regression in sanity_check_segment_list(), introduced somewhere
between 4.20 and 5.0.0-rc1.  The sgement overlap test - "if ((mend >
pstart) && (mstart < pend))" - fails, returning a -EINVAL.
Is anyone else seeing this?
Mimi
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> Update from V2:
> - Use IS_ENABLED in kexec_file_load to judge if platform_trusted_keys
> should be used for verifying image as suggested by Mimi Zohar
>
> Update from V1:
> - Make platform_trusted_keys static, and update commit message as suggested
> by Mimi Zohar
> - Always check if platform keyring is initialized before use it
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
> certs/system_keyring.c | 22 +++++++++++++++++++++-
> include/keys/system_keyring.h | 5 +++++
> include/linux/verification.h | 1 +
> security/integrity/digsig.c | 6 ++++++
> 5 files changed, 43 insertions(+), 4 deletions(-)
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>,
linux-kernel@vger.kernel.org, Dave Young <dyoung@redhat.com>
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Thu, 17 Jan 2019 20:08:04 -0500 [thread overview]
Message-ID: <1547773684.4026.10.camel@linux.ibm.com> (raw)
In-Reply-To: <20190116101654.7288-1-kasong@redhat.com>
On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote:
> This patch series adds a .platform_trusted_keys in system_keyring as the
> reference to .platform keyring in integrity subsystem, when platform
> keyring is being initialized it will be updated. So other component could
> use this keyring as well.
Remove "other component could use ...".
>
> This patch series also let kexec_file_load use platform keyring as fall
> back if it failed to verify the image against secondary keyring, make it
> possible to load kernel signed by third part key if third party key is
> imported in the firmware.
This is the only reason for these patches. Please remove "also".
>
> After this patch kexec_file_load will be able to verify a signed PE
> bzImage using keys in platform keyring.
>
> Tested in a VM with locally signed kernel with pesign and imported the
> cert to EFI's MokList variable.
It's taken so long for me to review/test this patch set due to a
regression in sanity_check_segment_list(), introduced somewhere
between 4.20 and 5.0.0-rc1. The sgement overlap test - "if ((mend >
pstart) && (mstart < pend))" - fails, returning a -EINVAL.
Is anyone else seeing this?
Mimi
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> Update from V2:
> - Use IS_ENABLED in kexec_file_load to judge if platform_trusted_keys
> should be used for verifying image as suggested by Mimi Zohar
>
> Update from V1:
> - Make platform_trusted_keys static, and update commit message as suggested
> by Mimi Zohar
> - Always check if platform keyring is initialized before use it
>
> Kairui Song (2):
> integrity, KEYS: add a reference to platform keyring
> kexec, KEYS: Make use of platform keyring for signature verify
>
> arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
> certs/system_keyring.c | 22 +++++++++++++++++++++-
> include/keys/system_keyring.h | 5 +++++
> include/linux/verification.h | 1 +
> security/integrity/digsig.c | 6 ++++++
> 5 files changed, 43 insertions(+), 4 deletions(-)
>
next prev parent reply other threads:[~2019-01-18 1:08 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-16 10:16 [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` [PATCH v3 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-17 23:20 ` Mimi Zohar
2019-01-17 23:20 ` Mimi Zohar
2019-01-17 23:20 ` Mimi Zohar
2019-01-16 10:16 ` [PATCH v3 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-16 10:16 ` Kairui Song
2019-01-17 23:25 ` Mimi Zohar
2019-01-17 23:25 ` Mimi Zohar
2019-01-17 23:25 ` Mimi Zohar
2019-01-18 1:08 ` Mimi Zohar [this message]
2019-01-18 1:08 ` [PATCH v3 0/2] let kexec_file_load use platform keyring to verify the kernel image Mimi Zohar
2019-01-18 1:08 ` Mimi Zohar
2019-01-18 1:35 ` Dave Young
2019-01-18 1:35 ` Dave Young
2019-01-18 1:35 ` Dave Young
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 1:52 ` Mimi Zohar
2019-01-18 2:00 ` Dave Young
2019-01-18 2:00 ` Dave Young
2019-01-18 2:00 ` Dave Young
2019-01-18 2:16 ` Kairui Song
2019-01-18 2:16 ` Kairui Song
2019-01-18 2:16 ` Kairui Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1547773684.4026.10.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kasong@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.