From: Daniel Walker <danielwa@cisco.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>,
Nayna Jain <nayna@linux.ibm.com>,
George Wilson <gcwilson@us.ibm.com>,
David Howells <dhowells@redhat.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: cert update procedure with insert-sys-cert
Date: Wed, 7 Apr 2021 11:08:39 -0700 [thread overview]
Message-ID: <20210407180839.GB3981976@zorba> (raw)
In-Reply-To: <ef2f5a5ac6396a0c29a5680cff0388b0c42a0400.camel@linux.ibm.com>
On Wed, Apr 07, 2021 at 12:51:13PM -0400, Mimi Zohar wrote:
> [Cc'ing Nayna Jain, George Wilson]
>
> Hi Daniel,
>
> On Wed, 2021-04-07 at 09:32 -0700, Daniel Walker wrote:
> > Hi,
> >
> > I was wondering about the practical use of this insert-sys-cert. How is the compressed
> > kernel re-made ? You submitted this change,
> >
> > https://patchwork.kernel.org/project/linux-security-module/patch/20180502230811.2751-4-mkayaalp@linux.vnet.ibm.com/
> >
> > for re-assemble a bzImage for x86. Is it the case that the bzImage can not be
> > re-assembled by using the make system ?
> >
> > Cisco is similar to IBM in that we internally distribute a binary SDK with a
> > kernel. The actual build tree is only saved in a partial form.
> >
> > We currently use the above commit to insert a certificate for x86, however, I've
> > found that other architecture are more complex than x86. For example , powerpc
> > images maybe not have ELF headers.
> >
> > I'm wondering what values does the insert-sys-cert have without the bzImage
> > commit ? Am I using it wrong, and there's a way to use the make system to
> > reassemble ?
>
> On powerpc, the kernel image is signed with an appended signature,
> using the same format as kernel modules. scripts/sign-file.c can be
> used to append the kernel image signature. Verifying the kernel image
> is limited on powerpc to kexec_file_load syscall.
>
> The CONFIG_IMA_ARCH_POLICY loads architecture specific rules. With
> secure boot enabled on powerpc, it loads a policy requiring the kernel
> image to be signed.
There is no way to insert new certificates with the insert-sys-cert tool ? Or
maybe I'm not understanding your comments.
Daniel
parent reply other threads:[~2021-04-07 18:15 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <ef2f5a5ac6396a0c29a5680cff0388b0c42a0400.camel@linux.ibm.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210407180839.GB3981976@zorba \
--to=danielwa@cisco.com \
--cc=dhowells@redhat.com \
--cc=gcwilson@us.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mkayaalp@linux.vnet.ibm.com \
--cc=nayna@linux.ibm.com \
--cc=zohar@linux.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).