From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: jwboyer@fedoraproject.org, ebiggers@google.com,
dyoung@redhat.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, jmorris@namei.org,
dhowells@redhat.com, keyrings@vger.kernel.org,
linux-integrity@vger.kernel.org, dwmw2@infradead.org,
bauerman@linux.ibm.com, serge@hallyn.com
Subject: Re: [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring
Date: Tue, 22 Jan 2019 10:37:18 -0500 [thread overview]
Message-ID: <1548171438.4038.2.camel@linux.ibm.com> (raw)
In-Reply-To: <20190121095929.26915-2-kasong@redhat.com>
On Mon, 2019-01-21 at 17:59 +0800, Kairui Song wrote:
> commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> introduced a .platform keyring for storing preboot keys, used for
> verifying kernel images' signature. Currently only IMA-appraisal is able
> to use the keyring to verify kernel images that have their signature
> stored in xattr.
>
> This patch exposes the .platform keyring, making it
> accessible for verifying PE signed kernel images as well.
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 9 +++++++++
> security/integrity/digsig.c | 3 +++
> 3 files changed, 21 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..df766ef8f03c 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,14 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#else
> +
> +static inline void set_platform_trusted_keys(struct key* keyring) { };
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..e19c2eb72c51 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> pr_info("Can't allocate %s keyring (%d)\n",
> keyring_name[id], err);
> keyring[id] = NULL;
> + } else {
> + if (id == INTEGRITY_KEYRING_PLATFORM)
> + set_platform_trusted_keys(keyring[id]);
> }
>
> return err;
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring
Date: Tue, 22 Jan 2019 15:37:18 +0000 [thread overview]
Message-ID: <1548171438.4038.2.camel@linux.ibm.com> (raw)
In-Reply-To: <20190121095929.26915-2-kasong@redhat.com>
On Mon, 2019-01-21 at 17:59 +0800, Kairui Song wrote:
> commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> introduced a .platform keyring for storing preboot keys, used for
> verifying kernel images' signature. Currently only IMA-appraisal is able
> to use the keyring to verify kernel images that have their signature
> stored in xattr.
>
> This patch exposes the .platform keyring, making it
> accessible for verifying PE signed kernel images as well.
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 9 +++++++++
> security/integrity/digsig.c | 3 +++
> 3 files changed, 21 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..df766ef8f03c 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,14 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#else
> +
> +static inline void set_platform_trusted_keys(struct key* keyring) { };
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..e19c2eb72c51 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> pr_info("Can't allocate %s keyring (%d)\n",
> keyring_name[id], err);
> keyring[id] = NULL;
> + } else {
> + if (id = INTEGRITY_KEYRING_PLATFORM)
> + set_platform_trusted_keys(keyring[id]);
> }
>
> return err;
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Kairui Song <kasong@redhat.com>, linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
jwboyer@fedoraproject.org, keyrings@vger.kernel.org,
jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com,
ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring
Date: Tue, 22 Jan 2019 10:37:18 -0500 [thread overview]
Message-ID: <1548171438.4038.2.camel@linux.ibm.com> (raw)
In-Reply-To: <20190121095929.26915-2-kasong@redhat.com>
On Mon, 2019-01-21 at 17:59 +0800, Kairui Song wrote:
> commit 9dc92c45177a ('integrity: Define a trusted platform keyring')
> introduced a .platform keyring for storing preboot keys, used for
> verifying kernel images' signature. Currently only IMA-appraisal is able
> to use the keyring to verify kernel images that have their signature
> stored in xattr.
>
> This patch exposes the .platform keyring, making it
> accessible for verifying PE signed kernel images as well.
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
Reviewed/Tested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/system_keyring.c | 9 +++++++++
> include/keys/system_keyring.h | 9 +++++++++
> security/integrity/digsig.c | 3 +++
> 3 files changed, 21 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..4690ef9cda8a 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
> #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
> static struct key *secondary_trusted_keys;
> #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +static struct key *platform_trusted_keys;
> +#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -265,4 +268,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
> EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +void __init set_platform_trusted_keys(struct key *keyring) {
> + platform_trusted_keys = keyring;
> +}
> +#endif
> +
> #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 359c2f936004..df766ef8f03c 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -61,5 +61,14 @@ static inline struct key *get_ima_blacklist_keyring(void)
> }
> #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
>
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +
> +extern void __init set_platform_trusted_keys(struct key* keyring);
> +
> +#else
> +
> +static inline void set_platform_trusted_keys(struct key* keyring) { };
> +
> +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
>
> #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index f45d6edecf99..e19c2eb72c51 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
> pr_info("Can't allocate %s keyring (%d)\n",
> keyring_name[id], err);
> keyring[id] = NULL;
> + } else {
> + if (id == INTEGRITY_KEYRING_PLATFORM)
> + set_platform_trusted_keys(keyring[id]);
> }
>
> return err;
next prev parent reply other threads:[~2019-01-22 15:37 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-21 9:59 [PATCH v5 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-21 9:59 ` [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-22 15:37 ` Mimi Zohar [this message]
2019-01-22 15:37 ` Mimi Zohar
2019-01-22 15:37 ` Mimi Zohar
2019-01-21 9:59 ` [PATCH v5 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-21 9:59 ` Kairui Song
2019-01-22 15:37 ` Mimi Zohar
2019-01-22 15:37 ` Mimi Zohar
2019-01-22 15:37 ` Mimi Zohar
2019-01-23 2:35 ` Dave Young
2019-01-23 2:35 ` Dave Young
2019-01-23 2:35 ` Dave Young
2019-01-21 10:03 ` [PATCH v5 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-21 10:03 ` Kairui Song
2019-01-21 10:03 ` Kairui Song
2019-01-23 18:36 ` Mimi Zohar
2019-01-23 18:36 ` Mimi Zohar
2019-01-23 18:36 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1548171438.4038.2.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kasong@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.