From: Daniel Axtens
To: Michal Suchanek, keyrings@vger.kernel.org
Cc: Rob Herring, linux-s390@vger.kernel.org, Vasily Gorbik, Lakshmi Ramasubramanian, Heiko Carstens, Jessica Yu, linux-kernel@vger.kernel.org, David Howells, Christian Borntraeger, Luis Chamberlain, Paul Mackerras, Hari Bathini, Alexander Gordeev, Michal Suchanek, linuxppc-dev@lists.ozlabs.org, Frank van der Linden, Thiago Jung Bauermann
Subject: Re: [PATCH 0/3] KEXEC_SIG with appended signature
Date: Fri, 05 Nov 2021 21:55:52 +1100
Message-ID: <87czneeurr.fsf@dja-thinkpad.axtens.net>

Michal Suchanek writes:

> S390 uses appended signature for kernel but implements the check
> separately from module loader.
>
> Support for secure boot on powerpc with appended signature is planned -
> grub patches submitted upstream but not yet merged.

Power Non-Virtualised / OpenPower already supports secure boot via kexec
with signature verification via IMA. I think you have now sent a
follow-up series that merges some of the IMA implementation, I just
wanted to make sure it was clear that we actually already have support
for this in the kernel, it's just grub that is getting new support.

> This is an attempt at unified appended signature verification.

I am always in favour of fewer reimplementations of the same feature in
the kernel :)

Regards,
Daniel

>
> Thanks
>
> Michal
>
> Michal Suchanek (3):
>   s390/kexec_file: Don't opencode appended signature verification.
>   module: strip the signature marker in the verification function.
>   powerpc/kexec_file: Add KEXEC_SIG support.
>
>  arch/powerpc/Kconfig                  | 11 +++++++
>  arch/powerpc/kexec/elf_64.c           | 14 +++++++++
>  arch/s390/kernel/machine_kexec_file.c | 42 +++------------------------
>  include/linux/verification.h          |  3 ++
>  kernel/module-internal.h              |  2 --
>  kernel/module.c                       | 11 +++----
>  kernel/module_signing.c               | 32 ++++++++++++++------
>  7 files changed, 59 insertions(+), 56 deletions(-)
>
> --
> 2.31.1