From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gjQNa-0000gv-Sg for kexec@lists.infradead.org; Tue, 15 Jan 2019 15:11:52 +0000 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id x0FF3uHf141598 for ; Tue, 15 Jan 2019 10:11:46 -0500 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0a-001b2d01.pphosted.com with ESMTP id 2q1g50eq5b-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 15 Jan 2019 10:11:46 -0500 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 15 Jan 2019 15:11:45 -0000 MIME-Version: 1.0 Date: Tue, 15 Jan 2019 10:17:13 -0500 From: nayna Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify In-Reply-To: <20190115024243.GA9199@dhcp-128-65.nay.redhat.com> References: <20190109164824.19708-1-kasong@redhat.com> <20190109164824.19708-3-kasong@redhat.com> <20190111134303.GA12760@dhcp-128-65.nay.redhat.com> <1547223220.19931.471.camel@linux.ibm.com> <20190113013958.GA14019@dhcp-128-65.nay.redhat.com> <1547482251.4156.127.camel@linux.ibm.com> <20190115024243.GA9199@dhcp-128-65.nay.redhat.com> Message-Id: <3c80c88c90ead96cea9a4f13af41fc5b@linux.vnet.ibm.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: base64 Content-Type: text/plain; charset="utf-8"; Format="flowed" Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Dave Young Cc: jwboyer@fedoraproject.org, Kairui Song , ebiggers@google.com, nayna@linux.ibm.com, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Mimi Zohar , jmorris@namei.org, dhowells@redhat.com, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, 
dwmw2@infradead.org, bauerman@linux.ibm.com, serge@hallyn.com

On 2019-01-14 21:42, Dave Young wrote:
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
>> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
>> > Hi,
>> >
>> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
>> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
>> > > [snip]
>> > >
>> > > > Personally I would like to see platform key separated from integrity.
>> > > > But for the kexec_file part I think it is good at least it works with
>> > > > this fix.
>> > > >
>> > > > Acked-by: Dave Young <dyoung@redhat.com>
>> > >
>> > > The original "platform" keyring patches that Nayna posted multiple
>> > > times were in the certs directory, but nobody commented/responded.  So
>> > > she reworked the patches, moving them to the integrity directory and
>> > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
>> > > asking to move it, isn't it?
>> >
>> > Hmm, apologies for being late, I did not get a chance to have a look at the
>> > old series.  Since we have the need now, it should still be fine.
>> >
>> > Maybe Kairui can check Nayna's old series, see if he can do something
>> > again?
>>
>> Whether the platform keyring is defined in certs/ or in integrity/ the
>> keyring id needs to be accessible to the other, without making the
>> keyring id global.  Moving where the platform keyring is defined is
>> not the problem.
>
> Agreed, but I just feel kexec depending on IMA does not sound good.

The platform keyring is not dependent on IMA; it is dependent on
"integrity" (CONFIG_INTEGRITY_ASYMMETRIC_KEYS).
The other CONFIG options it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING
and CONFIG_EFI.
Thanks & Regards,
    - Nayna
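A practical check that follows from the option list in Nayna's reply, added here as an example and not code from the thread or from the kernel tree: given a kernel .config, confirm that the three options she names are built in, and on a running kernel look for the keyring itself. The option names are taken from the message; the sample .config contents are constructed for illustration, treating =m as missing is an assumption (the keyring is populated at boot, so a module build would not serve), and the check for a ".platform" entry in /proc/keys assumes the keyring name used by the integrity subsystem.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or the kernel tree.
# Checks whether a kernel .config enables the options named in the thread
# as prerequisites for the platform keyring.

PLATFORM_KEYRING_DEPS="CONFIG_INTEGRITY_ASYMMETRIC_KEYS CONFIG_SYSTEM_BLACKLIST_KEYRING CONFIG_EFI"

# platform_keyring_deps_ok CONFIG_FILE
# Prints one "missing: <option>" line per option that is not '=y'.
# Returns 0 when every option is built in, 1 otherwise.
# Assumption: '=m' counts as missing, since the keyring is filled at boot.
platform_keyring_deps_ok() {
    cfg=$1
    missing=0
    for opt in $PLATFORM_KEYRING_DEPS; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# live_platform_keyring_present
# Returns 0 if the running kernel shows a ".platform" keyring in /proc/keys
# (assumed keyring name), 1 on kernels without it or when /proc/keys is
# unreadable. Not exercised by the sample run below.
live_platform_keyring_present() {
    [ -r /proc/keys ] && grep -q '\.platform' /proc/keys
}

# Constructed sample configs (not taken from any real kernel build).
good_cfg=$(mktemp)
bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
cat >"$good_cfg" <<'EOF'
CONFIG_EFI=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
EOF
cat >"$bad_cfg" <<'EOF'
CONFIG_EFI=y
# CONFIG_INTEGRITY is not set
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
EOF

if platform_keyring_deps_ok "$good_cfg"; then
    echo "good_cfg: platform keyring prerequisites satisfied"
fi
platform_keyring_deps_ok "$bad_cfg" || echo "bad_cfg: platform keyring cannot be built"
```

Run it against a real tree with `platform_keyring_deps_ok /boot/config-$(uname -r)` to see which prerequisite a distribution kernel is missing; the function only answers the question raised in the thread (can the keyring exist at all), not whether kexec_file is configured to consult it.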