From: Mimi Zohar <zohar@linux.ibm.com>
To: Jarkko Sakkinen <jarkko@kernel.org>,
Nayna Jain <nayna@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
linux-security-module@vger.kernel.org,
inux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Wed, 16 Aug 2023 17:06:14 -0400 [thread overview]
Message-ID: <cedb2c8f7c9d3f22f5e3d570c039bfcf59cc5a6e.camel@linux.ibm.com> (raw)
In-Reply-To: <CUU9A4V7EREZ.2CPPYURBAGN95@suppilovahvero>
On Wed, 2023-08-16 at 23:36 +0300, Jarkko Sakkinen wrote:
> On Tue Aug 15, 2023 at 2:27 PM EEST, Nayna Jain wrote:
> > On secure boot enabled PowerVM LPAR, third party code signing keys are
> > needed during early boot to verify signed third party modules. These
> > third party keys are stored in moduledb object in the Platform
> > KeyStore (PKS).
> >
> > Load third party code signing keys onto .secondary_trusted_keys keyring.
> >
> > Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> > ---
> > certs/system_keyring.c | 30 +++++++++++++++++++
> > include/keys/system_keyring.h | 4 +++
> > .../platform_certs/keyring_handler.c | 8 +++++
> > .../platform_certs/keyring_handler.h | 5 ++++
> > .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++
> > 5 files changed, 64 insertions(+)
> >
> > diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> > index b348e0898d34..33841c91f12c 100644
> > --- a/certs/system_keyring.c
> > +++ b/certs/system_keyring.c
> > @@ -152,6 +152,36 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
> >
> > return restriction;
> > }
> > +
> > +/**
> > + * add_to_secondary_keyring - Add to secondary keyring.
> > + * @source: Source of key
> > + * @data: The blob holding the key
> > + * @len: The length of the data blob
> > + *
> > + * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin,
> > + * machine or secondary keyring itself.
> > + */
> > +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
> > +{
> > + key_ref_t key;
> > + key_perm_t perm;
> > +
> > + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> > +
> > + key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
> > + "asymmetric",
> > + NULL, data, len, perm,
> > + KEY_ALLOC_NOT_IN_QUOTA);
> > + if (IS_ERR(key)) {
> > + pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n",
> > + source, PTR_ERR(key));
> > + return;
> > + }
> > +
> > + pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
> > + key_ref_put(key);
> > +}
> > #endif
> > #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> > void __init set_machine_trusted_keys(struct key *keyring)
> > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> > index 7e2583208820..8365adf842ef 100644
> > --- a/include/keys/system_keyring.h
> > +++ b/include/keys/system_keyring.h
> > @@ -50,9 +50,13 @@ int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
> > const struct key_type *type,
> > const union key_payload *payload,
> > struct key *restriction_key);
> > +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len);
> > #else
> > #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
> > #define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
> > +static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
> > +{
> > +}
> > #endif
> >
> > #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> > diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> > index 586027b9a3f5..13ea17207902 100644
> > --- a/security/integrity/platform_certs/keyring_handler.c
> > +++ b/security/integrity/platform_certs/keyring_handler.c
> > @@ -78,6 +78,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
> > return NULL;
> > }
> >
> > +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
> > +{
> > + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
> > + return add_to_secondary_keyring;
> > +
> > + return NULL;
> > +}
> > +
> > /*
> > * Return the appropriate handler for particular signature list types found in
> > * the UEFI dbx and MokListXRT tables.
> > diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
> > index 6f15bb4cc8dc..f92895cc50f6 100644
> > --- a/security/integrity/platform_certs/keyring_handler.h
> > +++ b/security/integrity/platform_certs/keyring_handler.h
> > @@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
> > */
> > efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);
> >
> > +/*
> > + * Return the handler for particular signature list types for code signing keys.
> > + */
> > +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type);
> > +
> > /*
> > * Return the handler for particular signature list types found in the dbx.
> > */
> > diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> > index 339053d9726d..c85febca3343 100644
> > --- a/security/integrity/platform_certs/load_powerpc.c
> > +++ b/security/integrity/platform_certs/load_powerpc.c
> > @@ -60,6 +60,7 @@ static int __init load_powerpc_certs(void)
> > {
> > void *db = NULL, *dbx = NULL, *data = NULL;
> > void *trustedca;
> > + void *moduledb;
> > u64 dsize = 0;
> > u64 offset = 0;
> > int rc = 0;
> > @@ -137,6 +138,22 @@ static int __init load_powerpc_certs(void)
> > kfree(data);
> > }
> >
> > + data = get_cert_list("moduledb", 9, &dsize);
> > + if (!data) {
> > + pr_info("Couldn't get moduledb list from firmware\n");
> > + } else if (IS_ERR(data)) {
> > + rc = PTR_ERR(data);
> > + pr_err("Error reading moduledb from firmware: %d\n", rc);
> > + } else {
> > + extract_esl(moduledb, data, dsize, offset);
> > +
> > + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,
> > + get_handler_for_code_signing_keys);
> > + if (rc)
> > + pr_err("Couldn't parse moduledb signatures: %d\n", rc);
> > + kfree(data);
> > + }
> > +
> > return rc;
> > }
> > late_initcall(load_powerpc_certs);
> > --
> > 2.31.1
>
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> I can pick this. My last PR did not went too great partly because of
> mess with tpm_tis but now things are calmer.
Glad things have settled down. Whatever you prefer is fine. This
patch set needs to make it into linux-next as soon as possible. Please
don't forget to add Nageswara's "Tested-by" and fix mine on 4/6.
--
thanks,
Mimi
next prev parent reply other threads:[~2023-08-16 21:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-15 11:27 [PATCH v4 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-08-15 11:27 ` [PATCH v4 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
2023-08-16 14:40 ` R Nageswara Sastry
2023-08-16 20:34 ` Jarkko Sakkinen
2023-08-15 11:27 ` [PATCH v4 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
2023-08-16 14:41 ` R Nageswara Sastry
2023-08-15 11:27 ` [PATCH v4 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
2023-08-16 14:41 ` R Nageswara Sastry
2023-08-15 11:27 ` [PATCH v4 4/6] integrity: check whether imputed trust is enabled Nayna Jain
2023-08-16 14:41 ` R Nageswara Sastry
2023-08-15 11:27 ` [PATCH v4 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
2023-08-16 14:42 ` R Nageswara Sastry
2023-08-15 11:27 ` [PATCH v4 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
2023-08-15 20:30 ` Mimi Zohar
2023-08-16 14:42 ` R Nageswara Sastry
2023-08-16 20:36 ` Jarkko Sakkinen
2023-08-16 21:06 ` Mimi Zohar [this message]
2023-08-16 21:11 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cedb2c8f7c9d3f22f5e3d570c039bfcf59cc5a6e.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=eric.snowberg@oracle.com \
--cc=inux-kernel@vger.kernel.org \
--cc=jarkko@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).