* [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:58 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
` (5 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
Keys that derive their trust from an entity such as a security officer,
administrator, system owner, or machine owner are said to have "imputed
trust". CA keys with imputed trust can be loaded onto the machine keyring.
The mechanism for loading these keys onto the machine keyring is platform
dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring
on PowerVM platform.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
.../integrity/platform_certs/keyring_handler.c | 8 ++++++++
.../integrity/platform_certs/keyring_handler.h | 5 +++++
.../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++
3 files changed, 30 insertions(+)
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 8a1124e4d769..1649d047e3b8 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
return NULL;
}
+__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
+{
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+ return add_to_machine_keyring;
+
+ return NULL;
+}
+
/*
* Return the appropriate handler for particular signature list types found in
* the UEFI dbx and MokListXRT tables.
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 212d894a8c0c..6f15bb4cc8dc 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
*/
efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
+/*
+ * Return the handler for particular signature list types for CA keys.
+ */
+efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
+
/*
* Return the handler for particular signature list types found in the dbx.
*/
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index 170789dc63d2..6263ce3b3f1e 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
static int __init load_powerpc_certs(void)
{
void *db = NULL, *dbx = NULL, *data = NULL;
+ void *trustedca = NULL;
u64 dsize = 0;
u64 offset = 0;
int rc = 0;
@@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void)
kfree(data);
}
+ data = get_cert_list("trustedcadb", 12, &dsize);
+ if (!data) {
+ pr_info("Couldn't get trustedcadb list from firmware\n");
+ } else if (IS_ERR(data)) {
+ rc = PTR_ERR(data);
+ pr_err("Error reading trustedcadb from firmware: %d\n", rc);
+ } else {
+ extract_esl(trustedca, data, dsize, offset);
+
+ rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize,
+ get_handler_for_ca_keys);
+ if (rc)
+ pr_err("Couldn't parse trustedcadb signatures: %d\n", rc);
+ kfree(data);
+ }
+
return rc;
}
late_initcall(load_powerpc_certs);
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring
2023-07-14 15:34 ` [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
@ 2023-08-02 22:58 ` Mimi Zohar
0 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2023-08-02 22:58 UTC (permalink / raw)
To: Nayna Jain, linux-integrity
Cc: Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev,
linux-security-module, linux-kernel
On Fri, 2023-07-14 at 11:34 -0400, Nayna Jain wrote:
> Keys that derive their trust from an entity such as a security officer,
> administrator, system owner, or machine owner are said to have "imputed
> trust". CA keys with imputed trust can be loaded onto the machine keyring.
> The mechanism for loading these keys onto the machine keyring is platform
> dependent.
>
> Load keys stored in the variable trustedcadb onto the .machine keyring
> on PowerVM platform.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com>
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-07-14 15:34 ` [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:59 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
` (4 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
On non-UEFI platforms, handle restrict_link_by_ca failures differently.
Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
security/integrity/platform_certs/machine_keyring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 7aaed7950b6e..389a6e7c9245 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -36,7 +36,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t
* If the restriction check does not pass and the platform keyring
* is configured, try to add it into that keyring instead.
*/
- if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+ if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
data, len, perm);
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform
2023-07-14 15:34 ` [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
@ 2023-08-02 22:59 ` Mimi Zohar
0 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2023-08-02 22:59 UTC (permalink / raw)
To: Nayna Jain, linux-integrity
Cc: Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev,
linux-security-module, linux-kernel
On Fri, 2023-07-14 at 11:34 -0400, Nayna Jain wrote:
> On non-UEFI platforms, handle restrict_link_by_ca failures differently.
>
> Certificates which do not satisfy CA restrictions on non-UEFI platforms
> are ignored.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com>
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 3/6] integrity: remove global variable from machine_keyring.c
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-07-14 15:34 ` [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
2023-07-14 15:34 ` [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:58 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 4/6] integrity: check whether imputed trust is enabled Nayna Jain
` (3 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
trust_mok variable is accessed within a single function locally.
Change trust_mok from global to local static variable.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
security/integrity/platform_certs/machine_keyring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 389a6e7c9245..9482e16cb2ca 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -8,8 +8,6 @@
#include <linux/efi.h>
#include "../integrity.h"
-static bool trust_mok;
-
static __init int machine_keyring_init(void)
{
int rc;
@@ -65,9 +63,11 @@ static __init bool uefi_check_trust_mok_keys(void)
bool __init trust_moklist(void)
{
static bool initialized;
+ static bool trust_mok;
if (!initialized) {
initialized = true;
+ trust_mok = false;
if (uefi_check_trust_mok_keys())
trust_mok = true;
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH 4/6] integrity: check whether imputed trust is enabled
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
` (2 preceding siblings ...)
2023-07-14 15:34 ` [PATCH 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:59 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
` (2 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 5 +++--
.../integrity/platform_certs/keyring_handler.c | 2 +-
.../integrity/platform_certs/machine_keyring.c | 15 ++++++++++++++-
4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f31ffe23c48..48d505cacd81 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
} else {
if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]);
- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
+ if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled())
set_machine_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_IMA)
load_module_cert(keyring[id]);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7167a6e99bdc..d7553c93f5c0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source,
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
-bool __init trust_moklist(void);
+bool __init imputed_trust_enabled(void);
#else
static inline void __init add_to_machine_keyring(const char *source,
const void *data, size_t len)
{
}
-static inline bool __init trust_moklist(void)
+
+static inline bool __init imputed_trust_enabled(void)
{
return false;
}
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 1649d047e3b8..b3e5df136e50 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && imputed_trust_enabled())
return add_to_machine_keyring;
else
return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 9482e16cb2ca..58cd72b193e6 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -60,7 +60,7 @@ static __init bool uefi_check_trust_mok_keys(void)
return false;
}
-bool __init trust_moklist(void)
+static bool __init trust_moklist(void)
{
static bool initialized;
static bool trust_mok;
@@ -75,3 +75,16 @@ bool __init trust_moklist(void)
return trust_mok;
}
+
+/*
+ * Provides platform specific check for trusting imputed keys before loading
+ * on .machine keyring. UEFI systems enable this trust based on a variable,
+ * and for other platforms, it is always enabled.
+ */
+bool __init imputed_trust_enabled(void)
+{
+ if (efi_enabled(EFI_BOOT))
+ return trust_moklist();
+
+ return true;
+}
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH 5/6] integrity: PowerVM machine keyring enablement.
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
` (3 preceding siblings ...)
2023-07-14 15:34 ` [PATCH 4/6] integrity: check whether imputed trust is enabled Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:59 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
2023-08-02 22:58 ` [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Mimi Zohar
6 siblings, 1 reply; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
Update Kconfig to enable machine keyring and limit to CA certificates
on PowerVM.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
security/integrity/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index ec6e0d789da1..03c40ade0214 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -67,7 +67,8 @@ config INTEGRITY_MACHINE_KEYRING
depends on SECONDARY_TRUSTED_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
depends on SYSTEM_BLACKLIST_KEYRING
- depends on LOAD_UEFI_KEYS
+ depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
+ select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
help
If set, provide a keyring to which Machine Owner Keys (MOK) may
be added. This keyring shall contain just MOK keys. Unlike keys
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
` (4 preceding siblings ...)
2023-07-14 15:34 ` [PATCH 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
@ 2023-07-14 15:34 ` Nayna Jain
2023-08-02 22:58 ` [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Mimi Zohar
6 siblings, 0 replies; 13+ messages in thread
From: Nayna Jain @ 2023-07-14 15:34 UTC (permalink / raw)
To: linux-integrity
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore,
linuxppc-dev, linux-security-module, linux-kernel, Nayna Jain
On secure boot enabled PowerVM LPAR, third party code signing keys are
needed during early boot to verify signed third party modules. These
third party keys are stored in moduledb object in the Platform
KeyStore(PKS).
Load third party code signing keys onto .secondary_trusted_keys keyring.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
Jarkko, this patch is based on Linus master tree branch, which does
not contain the following commits yet:
c9d004712300 integrity: Enforce digitalSignature usage in the ima and
evm keyrings
59b656eb58fe KEYS: DigitalSignature link restriction
certs/system_keyring.c | 22 +++++++++++++++++++
include/keys/system_keyring.h | 8 +++++++
security/integrity/integrity.h | 1 +
.../platform_certs/keyring_handler.c | 8 +++++++
.../platform_certs/keyring_handler.h | 5 +++++
.../integrity/platform_certs/load_powerpc.c | 18 ++++++++++++++-
6 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a7a49b17ceb1..b0235732c1d4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -347,3 +347,25 @@ void __init set_platform_trusted_keys(struct key *keyring)
platform_trusted_keys = keyring;
}
#endif
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+ size_t len)
+{
+ key_ref_t key;
+ key_perm_t perm;
+ int rc = 0;
+
+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+
+ key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), "asymmetric",
+ NULL, data, len, perm,
+ KEY_ALLOC_NOT_IN_QUOTA);
+ if (IS_ERR(key)) {
+ rc = PTR_ERR(key);
+ pr_err("Problem loading X.509 certificate %d\n", rc);
+ } else {
+ pr_notice("Loaded X.509 cert '%s'\n",
+ key_ref_to_ptr(key)->description);
+ key_ref_put(key);
+ }
+}
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..a57a77ccf003 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -41,8 +41,16 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+
+void __init add_to_secondary_keyring(const char *source, const void *data,
+ size_t len);
+
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+void __init add_to_secondary_keyring(const char *source, const void *data,
+ size_t len)
+{
+}
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index d7553c93f5c0..efaa2eb789ad 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id,
{
return 0;
}
+
#endif /* CONFIG_INTEGRITY_SIGNATURE */
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index b3e5df136e50..6095df043498 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -77,6 +77,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
return NULL;
}
+__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
+{
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+ return add_to_secondary_keyring;
+
+ return NULL;
+}
+
/*
* Return the appropriate handler for particular signature list types found in
* the UEFI dbx and MokListXRT tables.
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 6f15bb4cc8dc..f92895cc50f6 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
*/
efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
+/*
+ * Return the handler for particular signature list types for code signing keys.
+ */
+efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type);
+
/*
* Return the handler for particular signature list types found in the dbx.
*/
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index 6263ce3b3f1e..32c4e5fbf0fb 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
static int __init load_powerpc_certs(void)
{
void *db = NULL, *dbx = NULL, *data = NULL;
- void *trustedca = NULL;
+ void *trustedca = NULL, *moduledb = NULL;
u64 dsize = 0;
u64 offset = 0;
int rc = 0;
@@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void)
kfree(data);
}
+ data = get_cert_list("moduledb", 9, &dsize);
+ if (!data) {
+ pr_info("Couldn't get moduledb list from firmware\n");
+ } else if (IS_ERR(data)) {
+ rc = PTR_ERR(data);
+ pr_err("Error reading moduledb from firmware: %d\n", rc);
+ } else {
+ extract_esl(moduledb, data, dsize, offset);
+
+ rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,
+ get_handler_for_code_signing_keys);
+ if (rc)
+ pr_err("Couldn't parse moduledb signatures: %d\n", rc);
+ kfree(data);
+ }
+
return rc;
}
late_initcall(load_powerpc_certs);
--
2.31.1
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: [PATCH 0/6] Enable loading local and third party keys on PowerVM guest
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
` (5 preceding siblings ...)
2023-07-14 15:34 ` [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
@ 2023-08-02 22:58 ` Mimi Zohar
6 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2023-08-02 22:58 UTC (permalink / raw)
To: Nayna Jain, linux-integrity
Cc: Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev,
linux-security-module, linux-kernel
On Fri, 2023-07-14 at 11:34 -0400, Nayna Jain wrote:
> On a secure boot enabled PowerVM guest, local and third party code signing
> keys are needed to verify signed applications, configuration files, and
> kernel modules.
>
> Loading these keys onto either the .secondary_trusted_keys or .ima
> keyrings requires the certificates be signed by keys on the
> .builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings.
>
> Keys on the .builtin_trusted_keys keyring are trusted because of the chain
> of trust from secure boot up to and including the linux kernel. Keys on
> the .machine keyring that derive their trust from an entity such as a
> security officer, administrator, system owner, or machine owner are said
> to have "imputed trust." The type of certificates and the mechanism for
> loading them onto the .machine keyring is platform dependent.
>
> Userspace may load certificates onto the .secondary_trusted_keys or .ima
> keyrings. However, keys may also need to be loaded by the kernel if they
> are needed for verification in early boot time. On PowerVM guest, third
> party code signing keys are loaded from the moduledb variable in the
> Platform KeyStore(PKS) onto the .secondary_trusted_keys.
Thanks, Nayna. I've reviewed and done some initially testing up to
5/6.
Mimi
^ permalink raw reply [flat|nested] 13+ messages in thread