From: Kairui Song <kasong@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: jwboyer@fedoraproject.org, Kairui Song <kasong@redhat.com>,
ebiggers@google.com, dyoung@redhat.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, jmorris@namei.org,
zohar@linux.ibm.com, dhowells@redhat.com,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
dwmw2@infradead.org, bauerman@linux.ibm.com, serge@hallyn.com
Subject: [PATCH v5 0/2] let kexec_file_load use platform keyring to verify the kernel image
Date: Mon, 21 Jan 2019 17:59:27 +0800 [thread overview]
Message-ID: <20190121095929.26915-1-kasong@redhat.com> (raw)
This patch series adds a .platform_trusted_keys in system_keyring as the
reference to .platform keyring in integrity subsystem, when platform
keyring is being initialized it will be updated, so it will be
accessable for verifying PE signed kernel image.
This patch series let kexec_file_load use platform keyring as fall
back if it failed to verify the image against secondary keyring,
so the actually PE signature verify process will use keys provides
by firmware.
After this patch kexec_file_load will be able to verify a signed PE
bzImage using keys in platform keyring.
Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.
To test this patch series on latest kernel, you need to ensure this commit
is applied as there is an regression bug in sanity_check_segment_list():
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=993a110319a4a60aadbd02f6defdebe048f7773b
Update from V4:
- Drop ifdef in security/integrity/digsig.c to make code clearer
- Fix a potential issue, set_platform_trusted_keys should not be
called when keyring initialization failed
Update from V3:
- Tweak and simplify commit message as suggested by Mimi Zohar
Update from V2:
- Use IS_ENABLED in kexec_file_load to judge if platform_trusted_keys
should be used for verifying image as suggested by Mimi Zohar
Update from V1:
- Make platform_trusted_keys static, and update commit message as suggested
by Mimi Zohar
- Always check if platform keyring is initialized before use it
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
certs/system_keyring.c | 22 +++++++++++++++++++++-
include/keys/system_keyring.h | 9 +++++++++
include/linux/verification.h | 1 +
security/integrity/digsig.c | 3 +++
5 files changed, 44 insertions(+), 4 deletions(-)
--
2.20.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next reply other threads:[~2019-01-21 10:00 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-21 9:59 Kairui Song [this message]
2019-01-21 9:59 ` [PATCH v5 1/2] integrity, KEYS: add a reference to platform keyring Kairui Song
2019-01-22 15:37 ` Mimi Zohar
2019-01-21 9:59 ` [PATCH v5 2/2] kexec, KEYS: Make use of platform keyring for signature verify Kairui Song
2019-01-22 15:37 ` Mimi Zohar
2019-01-23 2:35 ` Dave Young
2019-01-21 10:03 ` [PATCH v5 0/2] let kexec_file_load use platform keyring to verify the kernel image Kairui Song
2019-01-23 18:36 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190121095929.26915-1-kasong@redhat.com \
--to=kasong@redhat.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=dyoung@redhat.com \
--cc=ebiggers@google.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox