From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dimitri John Ledkov <dimitri.ledkov@canonical.com>,
Seth Forshee <seth@forshee.me>, Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH v5 0/2] integrity: support including firmware ".platform" keys at build time
Date: Wed, 24 Nov 2021 15:47:12 -0500 [thread overview]
Message-ID: <20211124204714.82514-1-nayna@linux.ibm.com> (raw)
Some firmware support secure boot by embedding static keys to verify the
Linux kernel during boot. However, these firmware do not expose an
interface for the kernel to load firmware keys onto the ".platform"
keyring, preventing the kernel from verifying the kexec kernel image
signature.
This patchset exports load_certificate_list() and defines a new function
load_builtin_platform_cert() to load compiled in certificates onto the
".platform" keyring.
Changelog:
v5:
* Renamed load_builtin_platform_cert() to load_platform_certificate_list()
and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as
suggested by Mimi Zohar.
v4:
* Split into two patches as per Mimi Zohar and Dimitri John Ledkov
recommendation.
v3:
* Included Jarkko's feedback
** updated patch description to include approach.
** removed extern for function declaration in the .h file.
* Included load_certificate_list() within #ifdef CONFIG_KEYS condition.
v2:
* Fixed the error reported by kernel test robot
* Updated patch description based on Jarkko's feedback.
Nayna Jain (2):
certs: export load_certificate_list() to be used outside certs/
integrity: support including firmware ".platform" keys at build time
certs/Makefile | 5 ++--
certs/blacklist.c | 1 -
certs/common.c | 2 +-
certs/common.h | 9 -------
certs/system_keyring.c | 1 -
include/keys/system_keyring.h | 6 +++++
security/integrity/Kconfig | 10 +++++++
security/integrity/Makefile | 17 +++++++++++-
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 6 +++++
.../integrity/platform_certs/platform_cert.S | 23 ++++++++++++++++
.../platform_certs/platform_keyring.c | 26 +++++++++++++++++++
12 files changed, 92 insertions(+), 16 deletions(-)
delete mode 100644 certs/common.h
create mode 100644 security/integrity/platform_certs/platform_cert.S
--
2.27.0
next reply other threads:[~2021-11-24 20:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-24 20:47 Nayna Jain [this message]
2021-11-24 20:47 ` [PATCH v5 1/2] certs: export load_certificate_list() to be used outside certs/ Nayna Jain
2021-12-05 13:45 ` Mimi Zohar
2021-11-24 20:47 ` [PATCH v5 2/2] integrity: support including firmware ".platform" keys at build time Nayna Jain
2021-12-05 13:45 ` Mimi Zohar
2021-12-11 8:10 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211124204714.82514-1-nayna@linux.ibm.com \
--to=nayna@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dimitri.ledkov@canonical.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=seth@forshee.me \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).