From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FDD1C433EF for ; Thu, 19 May 2022 17:11:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242463AbiESRL5 (ORCPT ); Thu, 19 May 2022 13:11:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242457AbiESRLz (ORCPT ); Thu, 19 May 2022 13:11:55 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6BC032DD77; Thu, 19 May 2022 10:11:37 -0700 (PDT) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 21E1221B3D; Thu, 19 May 2022 17:11:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1652980296; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=rWh53tGkveY7idEYFsxjbZWpUxq42gDwANR/tTyoynA=; b=GxK3G4QLKN08IdF1ihND5wQ2Ww5O75CoNT+XUN7JDy50/venD87zCA7NNiKGjKc7afCOQl AJJ5F93tVyNCQykjtCBVlUCg2y+WuJP5RKwsDcYZqyf5Ay+FiM9ovzjRmUPAtQ/D/K6glv t+j3pn2by0hLM1Kv95IUGaIORWEpBlw= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1652980296; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=rWh53tGkveY7idEYFsxjbZWpUxq42gDwANR/tTyoynA=; b=VMNYKei+gBjUYDhmu+fbZxs5FqWeJIPthSZxCZVqoA4oKbJkLMG5IVS8fNKOmI9Y3PrJ+X 8Tz99XX8TMgJYqAg== Received: from kunlun.suse.cz (unknown [10.100.128.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 885302C141; Thu, 19 May 2022 17:11:35 +0000 (UTC) Date: Thu, 19 May 2022 19:11:34 +0200 From: Michal =?iso-8859-1?Q?Such=E1nek?= To: Baoquan He Cc: Mimi Zohar , Coiby Xu , Heiko Carstens , akpm@linux-foundation.org, kexec@lists.infradead.org, keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Dave Young , Will Deacon , "Eric W . Biederman" , Chun-Yi Lee , stable@vger.kernel.org, Philipp Rudo , linux-security-module@vger.kernel.org, Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Martin Schwidefsky , "open list:S390" , open list , linux-integrity , Jarkko Sakkinen Subject: Re: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification Message-ID: <20220519171134.GN163591@kunlun.suse.cz> References: <20220512070123.29486-1-coxu@redhat.com> <20220512070123.29486-5-coxu@redhat.com> <20220519003902.GE156677@MiWiFi-R3L-srv> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Thu, May 19, 2022 at 10:22:15PM +0800, Baoquan He wrote: > On 05/19/22 at 07:56am, Mimi Zohar wrote: > > [Cc'ing Jarkko, linux-integrity] > > > > On Thu, 2022-05-19 at 08:39 +0800, Baoquan He wrote: > > > On 05/18/22 at 01:29pm, Heiko Carstens wrote: > > > > On Thu, May 12, 2022 at 03:01:23PM +0800, Coiby Xu wrote: > > > > > From: Michal Suchanek > > > > > > > > > > commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") > > > > > adds support for KEXEC_SIG verification with keys from platform keyring > > > > > but the built-in keys and secondary keyring are not used. > > > > > > > > > > Add support for the built-in keys and secondary keyring as x86 does. > > > > > > > > > > Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") > > > > > Cc: stable@vger.kernel.org > > > > > Cc: Philipp Rudo > > > > > Cc: kexec@lists.infradead.org > > > > > Cc: keyrings@vger.kernel.org > > > > > Cc: linux-security-module@vger.kernel.org > > > > > Signed-off-by: Michal Suchanek > > > > > Reviewed-by: "Lee, Chun-Yi" > > > > > Acked-by: Baoquan He > > > > > Signed-off-by: Coiby Xu > > > > > --- > > > > > arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- > > > > > 1 file changed, 13 insertions(+), 5 deletions(-) > > > > > > > > As far as I can tell this doesn't have any dependency to the other > > > > patches in this series, so should I pick this up for the s390 tree, or > > > > how will this go upstream? > > > > > > Thanks, Heiko. > > > > > > I want to ask Mimi if this can be taken into KEYS-ENCRYPTED tree. > > > Otherwise I will ask Andrew to help pick this whole series. > > > > > > Surely, this patch 4 can be taken into s390 seperately since it's > > > independent, both looks good. > > > > KEYS-ENCRYTPED is a type of key, unrelated to using the .platform, > > .builtin, .machine, or .secondary keyrings. One of the main reasons > > for this patch set is to use the new ".machine" keyring, which, if > > enabled, is linked to the "secondary" keyring. However, the only > > reference to the ".machine" keyring is in the cover letter, not any of > > the patch descriptions. Since this is the basis for the system's > > integrity, this seems like a pretty big omission. > > > > From patch 2/4: > > "The code in bzImage64_verify_sig makes use of system keyrings > > including > > .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to > > verify signed kernel image as PE file..." > > > > From patch 3/4: > > "This patch allows to verify arm64 kernel image signature using not > > only > > .builtin_trusted_keys but also .platform and .secondary_trusted_keys > > keyring." > > > > From patch 4/4: > > "... with keys from platform keyring but the built-in keys and > > secondary keyring are not used." > > > > This patch set could probably go through KEYS/KEYRINGS_INTEGRITY, but > > it's kind of late to be asking. Has it been in linux-next? Should I > > assume this patch set has been fully tested or can we get some "tags"? > > Right, it should be KEYS/KEYRINGS_INTEGRITY related, I made mistaken. > Now it got two ACKs from Michal and me. Michal met the same issue on > arm64 and posted another series of patches, finally Coiby integrated > Michal's patch and his to make this patchset. That would be great if > this can get reviewing from experts on key/keyring. Surely, Coiby need > update the patch log to add the '.machine' keyring into patch logs as > you pointed out. > > IIRC, Coiby has tested it on x86_64/arm64, not sure if he took test on > s390. No, this hasn't been in linux-next. I used the s390 code on powerpc and there it did not work because the built-in key was needed to verify the kernel. I did not really run this on s390, only ported the fix I needed on powerpc back to s390. Thanks Michal