Message ID | 20230714153435.28155-1-nayna@linux.ibm.com |
---|---|
Headers |
From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko@kernel.org>, Eric Snowberg <eric.snowberg@oracle.com>, Paul Moore <paul@paul-moore.com>, linuxppc-dev <linuxppc-dev@lists.ozlabs.org>, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>
Subject: [PATCH 0/6] Enable loading local and third party keys on PowerVM guest
Date: Fri, 14 Jul 2023 11:34:29 -0400
X-Mailer: git-send-email 2.31.1 |
Series | Enable loading local and third party keys on PowerVM guest |
Message
Nayna Jain
July 14, 2023, 3:34 p.m. UTC
On a secure boot enabled PowerVM guest, local and third party code signing
keys are needed to verify signed applications, configuration files, and
kernel modules.

Loading these keys onto either the .secondary_trusted_keys or .ima
keyrings requires the certificates be signed by keys on the
.builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings.

Keys on the .builtin_trusted_keys keyring are trusted because of the chain
of trust from secure boot up to and including the linux kernel. Keys on
the .machine keyring that derive their trust from an entity such as a
security officer, administrator, system owner, or machine owner are said
to have "imputed trust." The type of certificates and the mechanism for
loading them onto the .machine keyring is platform dependent.

Userspace may load certificates onto the .secondary_trusted_keys or .ima
keyrings. However, keys may also need to be loaded by the kernel if they
are needed for verification in early boot time. On PowerVM guest, third
party code signing keys are loaded from the moduledb variable in the
Platform KeyStore(PKS) onto the .secondary_trusted_keys.

The purpose of this patch set is to allow loading of local and third party
code signing keys on PowerVM.

Nayna Jain (6):
  integrity: PowerVM support for loading CA keys on machine keyring
  integrity: ignore keys failing CA restrictions on non-UEFI platform
  integrity: remove global variable from machine_keyring.c
  integrity: check whether imputed trust is enabled
  integrity: PowerVM machine keyring enablement.
  integrity: PowerVM support for loading third party code signing keys

 certs/system_keyring.c                        | 22 +++++++++++++
 include/keys/system_keyring.h                 |  8 +++++
 security/integrity/Kconfig                    |  3 +-
 security/integrity/digsig.c                   |  2 +-
 security/integrity/integrity.h                |  6 ++--
 .../platform_certs/keyring_handler.c          | 18 +++++++++-
 .../platform_certs/keyring_handler.h          | 10 ++++++
 .../integrity/platform_certs/load_powerpc.c   | 33 +++++++++++++++++++
 .../platform_certs/machine_keyring.c          | 21 +++++++++---
 9 files changed, 114 insertions(+), 9 deletions(-)

base-commit: 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5
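
The keyring trust rule stated in the cover letter above, as an added model that is not code from the patch set or the kernel: it shows that a certificate is accepted only once a key that vouches for it is already on a trusted keyring, so load order matters. The `Cert` and `Keyring` classes, `demo()` and every certificate name are hypothetical, and a signature check is modelled as a match on the issuer's subject name rather than real cryptography.

```python
# Model of the keyring link rule; a "signature" is the issuer's subject name.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the key that signed this certificate

@dataclass
class Keyring:
    name: str
    vouchers: list = field(default_factory=list)  # keyrings allowed to vouch
    keys: dict = field(default_factory=dict)      # subject -> Cert

    def preload(self, cert):
        """Populate a keyring that is filled at build or boot time."""
        self.keys[cert.subject] = cert

    def link(self, cert):
        """Restricted load: return the vouching keyring's name or raise."""
        for ring in self.vouchers:
            if cert.issuer in ring.keys:
                self.keys[cert.subject] = cert
                return ring.name
        raise PermissionError(f"{cert.subject}: issuer not on a trusted keyring")

def demo():
    builtin = Keyring(".builtin_trusted_keys")
    machine = Keyring(".machine")
    secondary = Keyring(".secondary_trusted_keys")
    secondary.vouchers = [builtin, machine, secondary]
    ima = Keyring(".ima", vouchers=[builtin, machine, secondary])
    # Constructed sample certificates; none of these names come from the page.
    builtin.preload(Cert("kernel-build-key", "kernel-build-key"))
    machine.preload(Cert("site-local-ca", "site-local-ca"))  # imputed trust
    local = Cert("local-code-signing", "site-local-ca")
    app = Cert("app-signing", "local-code-signing")
    rogue = Cert("rogue", "rogue")  # self-signed, nothing vouches for it
    results = []
    # 'app' is tried before and after its issuer is loaded: order matters.
    for ring, cert in [(ima, app), (secondary, local), (ima, app), (ima, rogue)]:
        try:
            results.append((ring.name, cert.subject, ring.link(cert)))
        except PermissionError:
            results.append((ring.name, cert.subject, None))
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```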
Comments
On Fri, 2023-07-14 at 11:34 -0400, Nayna Jain wrote:
> On a secure boot enabled PowerVM guest, local and third party code signing
> keys are needed to verify signed applications, configuration files, and
> kernel modules.
>
> Loading these keys onto either the .secondary_trusted_keys or .ima
> keyrings requires the certificates be signed by keys on the
> .builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings.
>
> Keys on the .builtin_trusted_keys keyring are trusted because of the chain
> of trust from secure boot up to and including the linux kernel. Keys on
> the .machine keyring that derive their trust from an entity such as a
> security officer, administrator, system owner, or machine owner are said
> to have "imputed trust." The type of certificates and the mechanism for
> loading them onto the .machine keyring is platform dependent.
>
> Userspace may load certificates onto the .secondary_trusted_keys or .ima
> keyrings. However, keys may also need to be loaded by the kernel if they
> are needed for verification in early boot time. On PowerVM guest, third
> party code signing keys are loaded from the moduledb variable in the
> Platform KeyStore(PKS) onto the .secondary_trusted_keys.

Thanks, Nayna. I've reviewed and done some initial testing up to 5/6.

Mimi