From patchwork Fri Jul 14 15:34:30 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 120546
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring
Date: Fri, 14 Jul 2023 11:34:30 -0400
Message-Id: <20230714153435.28155-2-nayna@linux.ibm.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

Keys that derive their trust from an entity such as a security officer, administrator, system owner, or machine owner are said to have "imputed trust". CA keys with imputed trust can be loaded onto the machine keyring. The mechanism for loading these keys onto the machine keyring is platform dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring on PowerVM platform. Signed-off-by: Nayna Jain --- .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ .../integrity/platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 8a1124e4d769..1649d047e3b8 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_machine_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 212d894a8c0c..6f15bb4cc8dc 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for CA keys. + */ +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 170789dc63d2..6263ce3b3f1e 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c 
@@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; + void *trustedca = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("trustedcadb", 12, &dsize); + if (!data) { + pr_info("Couldn't get trustedcadb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading trustedcadb from firmware: %d\n", rc); + } else { + extract_esl(trustedca, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, + get_handler_for_ca_keys); + if (rc) + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);
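Review bot: In the keyring_handler.c hunk, get_handler_for_ca_keys is compiled unconditionally and returns add_to_machine_keyring, so please confirm that symbol still resolves (or has a stub) when CONFIG_INTEGRITY_MACHINE_KEYRING is not set; otherwise every build of this file would pull in the machine keyring. The new function also lacks the block comment that the neighbouring handlers carry (the dbx handler's "Return the appropriate handler for particular signature list types found in ..." block is visible right below the insertion); mirroring the header's one-line description here would keep the file consistent.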
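Review bot: In the keyring_handler.h hunk, the comment "Return the handler for particular signature list types for CA keys." does not say where those keys end up; since the handler adds X.509 entries to the .machine keyring, stating that at the declaration (e.g. "... for CA keys to be added to the .machine keyring") documents the trust consequence where callers will read it. For the same reason the commit message should say what protects trustedcadb from unauthorized modification, because every X.509 entry the firmware returns in it becomes an imputed-trust CA.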
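Review bot: In the second load_powerpc.c hunk, get_cert_list("trustedcadb", 12, &dsize) passes the variable name's length including its NUL terminator as a bare magic number; sizeof("trustedcadb") expresses the same value and cannot drift if the name is ever edited. The block also relies on extract_esl(trustedca, data, dsize, offset) assigning to trustedca, which the earlier hunk declares as NULL; that only holds if extract_esl is a macro that writes its first argument (as the existing db/dbx paths in this function would then also rely on), and it is worth confirming rather than assuming, since parse_efi_signature_list dereferences trustedca immediately afterwards.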