Re: [PATCH v3 2/3] ima: enable signing of modules with build time generated key

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stefan Berger <stefanb@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH v3 2/3] ima: enable signing of modules with build time generated key
Date: Fri, 2 Apr 2021 07:27:18 -0400	[thread overview]
Message-ID: <c0df8b07-79de-80cb-9eaa-ed70fbf8414b@linux.ibm.com> (raw)
In-Reply-To: <20210330131636.21711-3-nayna@linux.ibm.com>


On 3/30/21 9:16 AM, Nayna Jain wrote:
> The kernel build process currently only signs kernel modules when
> MODULE_SIG is enabled. Also, sign the kernel modules at build time when
> IMA_APPRAISE_MODSIG is enabled.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   certs/Kconfig  | 2 +-
>   certs/Makefile | 8 ++++++++
>   init/Kconfig   | 6 +++---
>   3 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/certs/Kconfig b/certs/Kconfig
> index c94e93d8bccf..48675ad319db 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -4,7 +4,7 @@ menu "Certificates for signature checking"
>   config MODULE_SIG_KEY
>   	string "File name or PKCS#11 URI of module signing key"
>   	default "certs/signing_key.pem"
> -	depends on MODULE_SIG
> +	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
>   	help
>            Provide the file name of a private key/certificate in PEM format,
>            or a PKCS#11 URI according to RFC7512. The file should contain, or
> diff --git a/certs/Makefile b/certs/Makefile
> index f4c25b67aad9..e3185c57fbd8 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
>   clean-files := x509_certificate_list .x509.list
>   
>   ifeq ($(CONFIG_MODULE_SIG),y)
> +	SIGN_KEY = y
> +endif
> +
> +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
> +	SIGN_KEY = y
> +endif
> +
> +ifdef SIGN_KEY
>   ###############################################################################
>   #
>   # If module signing is requested, say by allyesconfig, but a key has not been
> diff --git a/init/Kconfig b/init/Kconfig
> index 5f5c776ef192..85e48a578f90 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE
>   config MODULE_SIG_ALL
>   	bool "Automatically sign all modules"
>   	default y
> -	depends on MODULE_SIG
> +	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
>   	help
>   	  Sign all modules during make modules_install. Without this option,
>   	  modules must be signed manually, using the scripts/sign-file tool.
> @@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
>   
>   choice
>   	prompt "Which hash algorithm should modules be signed with?"
> -	depends on MODULE_SIG
> +	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
>   	help
>   	  This determines which sort of hashing algorithm will be used during
>   	  signature generation.  This algorithm _must_ be built into the kernel
> @@ -2206,7 +2206,7 @@ endchoice
>   
>   config MODULE_SIG_HASH
>   	string
> -	depends on MODULE_SIG
> +	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
>   	default "sha1" if MODULE_SIG_SHA1
>   	default "sha224" if MODULE_SIG_SHA224
>   	default "sha256" if MODULE_SIG_SHA256

next prev parent reply	other threads:[~2021-04-02 11:27 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-30 13:16 [PATCH v3 0/3] ima: kernel build support for loading the kernel module signing key Nayna Jain
2021-03-30 13:16 ` [PATCH v3 1/3] keys: cleanup build time module signing keys Nayna Jain
2021-03-31  2:55   ` Jarkko Sakkinen
2021-03-30 13:16 ` [PATCH v3 2/3] ima: enable signing of modules with build time generated key Nayna Jain
2021-04-02 11:27   ` Stefan Berger [this message]
2021-03-30 13:16 ` [PATCH v3 3/3] ima: enable loading of build time generated key on .ima keyring Nayna Jain
2021-04-02 11:29   ` Stefan Berger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c0df8b07-79de-80cb-9eaa-ed70fbf8414b@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).