Re: [PATCH v3 6/6] integrity: PowerVM support for loading third party code signing keys

Linux Security Modules development
 help / color / mirror / Atom feed

From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Nayna Jain" <nayna@linux.ibm.com>, <linux-integrity@vger.kernel.org>
Cc: "Mimi Zohar" <zohar@linux.ibm.com>,
	"Eric Snowberg" <eric.snowberg@oracle.com>,
	"Paul Moore" <paul@paul-moore.com>,
	<linux-security-module@vger.kernel.org>,
	"linuxppc-dev" <linuxppc-dev@lists.ozlabs.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Mon, 14 Aug 2023 20:42:30 +0300	[thread overview]
Message-ID: <CUSGBX9YASR6.1HQHWGQOS3B6Z@suppilovahvero> (raw)
In-Reply-To: <20230813021531.1382815-7-nayna@linux.ibm.com>

On Sun Aug 13, 2023 at 5:15 AM EEST, Nayna Jain wrote:
> On secure boot enabled PowerVM LPAR, third party code signing keys are
> needed during early boot to verify signed third party modules. These
> third party keys are stored in moduledb object in the Platform
> KeyStore(PKS).
>
> Load third party code signing keys onto .secondary_trusted_keys keyring.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> ---
>  certs/system_keyring.c                        | 30 +++++++++++++++++++
>  include/keys/system_keyring.h                 |  7 +++++
>  security/integrity/integrity.h                |  1 +
>  .../platform_certs/keyring_handler.c          |  8 +++++
>  .../platform_certs/keyring_handler.h          |  5 ++++
>  .../integrity/platform_certs/load_powerpc.c   | 18 ++++++++++-
>  6 files changed, 68 insertions(+), 1 deletion(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index b348e0898d34..e458d414918d 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -396,3 +396,33 @@ void __init set_platform_trusted_keys(struct key *keyring)
>  	platform_trusted_keys = keyring;
>  }
>  #endif
> +
> +/**
> + * add_to_secondary_keyring - Add to secondary keyring.
> + * @source: Source of key
> + * @data: The blob holding the key
> + * @len: The length of the data blob
> + *
> + * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin,
> + * machine or secondary keyring itself.
> + */
> +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
> +{
> +	key_ref_t key;
> +	key_perm_t perm;
> +
> +	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> +
> +	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
> +				   "asymmetric",
> +				   NULL, data, len, perm,
> +				   KEY_ALLOC_NOT_IN_QUOTA);
> +	if (IS_ERR(key)) {
> +		pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n",
> +		       source, PTR_ERR(key));
> +		return;
> +	}
> +
> +	pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
> +	key_ref_put(key);
> +}
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 7e2583208820..4188f75d1bac 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -50,9 +50,16 @@ int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
>  						  const struct key_type *type,
>  						  const union key_payload *payload,
>  						  struct key *restriction_key);
> +void __init add_to_secondary_keyring(const char *source, const void *data,
> +				     size_t len);
> +
>  #else
>  #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
>  #define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
> +void __init add_to_secondary_keyring(const char *source, const void *data,
> +				     size_t len)
> +{
> +}
>  #endif
>  
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index d7553c93f5c0..efaa2eb789ad 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id,
>  {
>  	return 0;
>  }
> +
>  #endif /* CONFIG_INTEGRITY_SIGNATURE */
>  
>  #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
> diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> index 586027b9a3f5..13ea17207902 100644
> --- a/security/integrity/platform_certs/keyring_handler.c
> +++ b/security/integrity/platform_certs/keyring_handler.c
> @@ -78,6 +78,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
>  	return NULL;
>  }
>  
> +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
> +{
> +	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
> +		return add_to_secondary_keyring;
> +
> +	return NULL;
> +}
> +
>  /*
>   * Return the appropriate handler for particular signature list types found in
>   * the UEFI dbx and MokListXRT tables.
> diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
> index 6f15bb4cc8dc..f92895cc50f6 100644
> --- a/security/integrity/platform_certs/keyring_handler.h
> +++ b/security/integrity/platform_certs/keyring_handler.h
> @@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
>   */
>  efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
>  
> +/*
> + * Return the handler for particular signature list types for code signing keys.
> + */
> +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type);
> +
>  /*
>   * Return the handler for particular signature list types found in the dbx.
>   */
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> index 6263ce3b3f1e..32c4e5fbf0fb 100644
> --- a/security/integrity/platform_certs/load_powerpc.c
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
>  static int __init load_powerpc_certs(void)
>  {
>  	void *db = NULL, *dbx = NULL, *data = NULL;
> -	void *trustedca = NULL;
> +	void *trustedca = NULL, *moduledb = NULL;

The patch looks otherwise good but I'm not sure about this initialization.

>  	u64 dsize = 0;
>  	u64 offset = 0;
>  	int rc = 0;
> @@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void)
>  		kfree(data);
>  	}
>  
> +	data = get_cert_list("moduledb", 9,  &dsize);
> +	if (!data) {
> +		pr_info("Couldn't get moduledb list from firmware\n");
> +	} else if (IS_ERR(data)) {
> +		rc = PTR_ERR(data);
> +		pr_err("Error reading moduledb from firmware: %d\n", rc);
> +	} else {
> +		extract_esl(moduledb, data, dsize, offset);
> +
> +		rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,
> +					      get_handler_for_code_signing_keys);
> +		if (rc)
> +			pr_err("Couldn't parse moduledb signatures: %d\n", rc);
> +		kfree(data);
> +	}
> +
>  	return rc;
>  }
>  late_initcall(load_powerpc_certs);
> -- 
> 2.31.1

BR, Jarkko

     prev parent reply	other threads:[~2023-08-14 17:43 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-13  2:15 [PATCH v3 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-08-13  2:15 ` [PATCH v3 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
2023-08-14 17:37   ` Jarkko Sakkinen
2023-08-13  2:15 ` [PATCH v3 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
2023-08-14 17:38   ` Jarkko Sakkinen
2023-08-16 12:58     ` Mimi Zohar
2023-08-16 21:04       ` Jarkko Sakkinen
2023-08-13  2:15 ` [PATCH v3 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
2023-08-13  2:15 ` [PATCH v3 4/6] integrity: check whether imputed trust is enabled Nayna Jain
2023-08-13  2:15 ` [PATCH v3 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
2023-08-13  2:15 ` [PATCH v3 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
2023-08-14 17:42   ` Jarkko Sakkinen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CUSGBX9YASR6.1HQHWGQOS3B6Z@suppilovahvero \
    --to=jarkko@kernel.org \
    --cc=eric.snowberg@oracle.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=nayna@linux.ibm.com \
    --cc=paul@paul-moore.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox