Re: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.ibm.com>
To: joeyli <jlee@suse.com>
Cc: "Catalin Marinas" <catalin.marinas@arm.com>,
	"Will Deacon" <will@kernel.org>,
	"Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>,
	"Christian Borntraeger" <borntraeger@linux.ibm.com>,
	"Sven Schnelle" <svens@linux.ibm.com>,
	"Philipp Rudo" <prudo@redhat.com>, "Baoquan He" <bhe@redhat.com>,
	"Alexander Egorenkov" <egorenar@linux.ibm.com>,
	"AKASHI Takahiro" <takahiro.akashi@linaro.org>,
	"James Morse" <james.morse@arm.com>,
	"Dave Young" <dyoung@redhat.com>,
	"Kairui Song" <kasong@redhat.com>,
	"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
	linux-modules@vger.kernel.org, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org, stable@kernel.org,
	"Eric Snowberg" <eric.snowberg@oracle.com>,
	"Michal Suchánek" <msuchanek@suse.de>,
	"Luis Chamberlain" <mcgrof@kernel.org>
Subject: Re: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification
Date: Mon, 28 Mar 2022 09:28:14 -0400	[thread overview]
Message-ID: <7265798627defd6111af4e3a863b8525b07c511d.camel@linux.ibm.com> (raw)
In-Reply-To: <20220328101557.GA11641@linux-l9pv.suse>

On Mon, 2022-03-28 at 18:15 +0800, joeyli wrote:

Hi Joey,

> Hi Mimi,
> 
> Sorry for bother you for this old topic.

Cc'ing Luis the kernel modules maintainer.

> 
> On Tue, Feb 15, 2022 at 09:47:30PM +0100, Michal Suchánek wrote:
> > Hello,
> > 
> > On Tue, Feb 15, 2022 at 03:08:18PM -0500, Mimi Zohar wrote:
> > > [Cc'ing Eric Snowberg]
> > > 
> > > Hi Michal,
> > > 
> > > On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> > > > Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> > > > adds support for use of platform keyring in kexec verification but
> > > > support for modules is missing.
> > > > 
> > > > Add support for verification of modules with keys from platform keyring
> > > > as well.
> > > 
> > > Permission for loading the pre-OS keys onto the "platform" keyring and
> > > using them is limited to verifying the kexec kernel image, nothing
> > > else.
> > 
> > Why is the platform keyring limited to kexec, and nothing else?
> > 
> > It should either be used for everything or for nothing. You have the
> > option to compile it in and then it should be used, and the option to
> > not compile it in and then it cannot be used.
> > 
> > There are two basic use cases:
> > 
> > (1) there is a vendor key which is very hard to use so you sign
> > something small and simple like shim with the vendor key, and sign your
> > kernel and modules with your own key that's typically enrolled with shim
> > MOK, and built into the kernel.
> > 
> > (2) you import your key into the firmware, and possibly disable the
> > vendor key. You can load the kernel directly without shim, and then your
> > signing key is typically in the platform keyring and built into the
> > kernel.
> >
> 
> In the second use case, if user can enroll their own key to db either before
> or after hardware shipping. And they don't need shim because they removed
> Microsoft or OEM/ODM keys.  Why kernel can not provide a Kconfig option to
> them for trusting db keys for verifying kernel module, or for IMA (using CA
> in db)?
>  
> In the above use case for distro, partner doesn't need to re-compiler distro
> kernel. They just need to re-sign distro kernel and modules. Which means
> that the partner trusted distro. Then the partner's key in db can be used to
> verify kernel image and also kernel module without shim involve.

From what I understand, distros don't want customers resigning their
kernels.  If they did, then they could have enabled the
CONFIG_SYSTEM_EXTRA_CERTIFICATE, which would load the keys onto the
"builtin" keyring, and anything signed by those keys could be loaded
onto the secondary keyring.  (Of course CONFIG_SYSTEM_EXTRA_CERTIFICATE
would need to be fixed/updated.)

We've gone through "what if" scenarios before.  My response then, as
now, is post it as a patch with the real motivation for such a change.

thanks,

Mimi

next prev parent reply	other threads:[~2022-03-28 13:28 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1644953683.git.msuchanek@suse.de>
2022-02-15 19:39 ` [PATCH 1/4] Fix arm64 kexec forbidding kernels signed with keys in the secondary keyring to boot Michal Suchanek
2022-04-06 15:41   ` joeyli
2022-04-08  7:11   ` Baoquan He
2022-02-15 19:39 ` [PATCH 2/4] kexec, KEYS, arm64: Make use of platform keyring for signature verification Michal Suchanek
2022-04-06 15:45   ` joeyli
2022-02-15 19:39 ` [PATCH 3/4] kexec, KEYS, s390: Make use of built-in and secondary " Michal Suchanek
2022-04-06 15:46   ` joeyli
2022-02-15 19:39 ` [PATCH 4/4] module, KEYS: Make use of platform " Michal Suchanek
2022-02-15 20:08   ` Mimi Zohar
2022-02-15 20:47     ` Michal Suchánek
2022-02-15 22:12       ` Mimi Zohar
2022-02-16 10:56         ` Michal Suchánek
2022-02-16 11:04           ` Michal Suchánek
2022-02-16 11:58           ` Mimi Zohar
2022-02-16 12:09             ` Michal Suchánek
2022-03-22 17:37               ` Luis Chamberlain
2022-03-22 18:55                 ` Mimi Zohar
2022-03-28 10:15       ` joeyli
2022-03-28 13:28         ` Mimi Zohar [this message]
2022-03-28 14:03           ` Michal Suchánek
2022-03-28 14:44         ` Eric Snowberg
2022-03-28 16:29           ` Michal Suchánek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7265798627defd6111af4e3a863b8525b07c511d.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=agordeev@linux.ibm.com \
    --cc=bhe@redhat.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=catalin.marinas@arm.com \
    --cc=dyoung@redhat.com \
    --cc=egorenar@linux.ibm.com \
    --cc=eric.snowberg@oracle.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=james.morse@arm.com \
    --cc=jlee@suse.com \
    --cc=kasong@redhat.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=msuchanek@suse.de \
    --cc=prudo@redhat.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=stable@kernel.org \
    --cc=svens@linux.ibm.com \
    --cc=takahiro.akashi@linaro.org \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).