From patchwork Fri Jul 14 15:34:30 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 120546
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring
Date: Fri, 14 Jul 2023 11:34:30 -0400
Message-Id: <20230714153435.28155-2-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

Keys that derive their trust from an entity such as a security officer, administrator, system owner, or machine owner are said to have "imputed trust". CA keys with imputed trust can be loaded onto the machine keyring. The mechanism for loading these keys onto the machine keyring is platform dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring on PowerVM platform. Signed-off-by: Nayna Jain --- .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ .../integrity/platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 8a1124e4d769..1649d047e3b8 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_machine_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 212d894a8c0c..6f15bb4cc8dc 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for CA keys. + */ +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 170789dc63d2..6263ce3b3f1e 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c 
@@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; + void *trustedca = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; 
@@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("trustedcadb", 12, &dsize); + if (!data) { + pr_info("Couldn't get trustedcadb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading trustedcadb from firmware: %d\n", rc); + } else { + extract_esl(trustedca, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, + get_handler_for_ca_keys); + if (rc) + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);
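Review bot: in the load_powerpc.c hunk, rc is assigned unconditionally by the new block (`rc = PTR_ERR(data);` and `rc = parse_efi_signature_list(...)`), and the function still ends with `return rc;`, so an error recorded by the earlier blocks of load_powerpc_certs() is overwritten: a failed parse of the lists handled above, followed by a clean trustedcadb parse, reports success. Suggest keeping the first non-zero rc, for instance by putting the trustedcadb result in a local and only propagating it while rc is still 0, or else stating in the commit message that the return value reflects only the last list parsed.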
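Review bot: get_handler_for_ca_keys() in the keyring_handler.c hunk is inserted between get_handler_for_mok() and the comment block that introduces the dbx/MokListXRT handler, with no comment of its own, while the header hunk does document it ("Return the handler for particular signature list types for CA keys."); carry that comment into the .c file so the three get_handler_for_*() functions read alike. The body itself is fine: only efi_cert_x509_guid maps to add_to_machine_keyring and every other signature type is dropped by returning NULL.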
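Added example, not code from the patch series or from the kernel: a user-space model in C of what parse_efi_signature_list() does with the handler that get_handler_for_ca_keys() picks, run over a constructed trustedcadb-style buffer holding an X.509 list (accepted) and a SHA-256 list (ignored), with the size checks that keep a malformed list from being walked past the end of the variable. The model_* names, the le32/put_list helpers, the 256-byte buffer and the filler payloads are assumptions made for this demo; the two GUID values are the standard EFI ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[16]; } efi_guid_t; /* mixed-endian on the wire */
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
static const efi_guid_t efi_cert_x509_guid = {{ 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94,
	0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }};
/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 (a dbx-style hash) */
static const efi_guid_t efi_cert_sha256_guid = {{ 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50,
	0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }};

#define ESL_HDR   28u /* SignatureType(16) + ListSize + HeaderSize + SignatureSize */
#define ESD_OWNER 16u /* every entry starts with a SignatureOwner GUID */
typedef int (*esl_handler_t)(const char *source, const void *data, size_t len);

/* Stand-in for add_to_machine_keyring(): only reports what would be loaded. */
static int model_add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	printf("%s: would load the %zu-byte X.509 entry at %p onto .machine\n", source, len, data);
	return 0;
}

/* Same policy as the patch's get_handler_for_ca_keys(): X.509 entries get a
 * handler, every other signature type is left alone. */
static esl_handler_t model_get_handler_for_ca_keys(const efi_guid_t *sig_type)
{
	return memcmp(sig_type->b, efi_cert_x509_guid.b, 16) == 0 ?
	       model_add_to_machine_keyring : NULL;
}

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walks one or more EFI_SIGNATURE_LISTs as parse_efi_signature_list() does.
 * Returns how many entries a handler accepted, or -1 when a size field
 * disagrees with the bytes present; *skipped counts entries with no handler. */
static int parse_esl(const uint8_t *buf, size_t len,
		     esl_handler_t (*get_handler)(const efi_guid_t *), int *skipped)
{
	size_t off = 0;
	int loaded = 0;
	*skipped = 0;
	while (off < len) {
		if (len - off < ESL_HDR)
			return -1;
		uint32_t list_size = le32(buf + off + 16), hdr_size = le32(buf + off + 20),
			 sig_size = le32(buf + off + 24);
		/* Check every size against the data actually present before using it. */
		if (list_size < ESL_HDR || list_size > len - off || hdr_size > list_size - ESL_HDR)
			return -1;
		size_t body = list_size - ESL_HDR - hdr_size;
		if (sig_size <= ESD_OWNER || body % sig_size != 0)
			return -1;
		esl_handler_t h = get_handler((const efi_guid_t *)(buf + off));
		const uint8_t *p = buf + off + ESL_HDR + hdr_size;
		for (size_t n = body / sig_size; n > 0; n--, p += sig_size) {
			if (h && h("powerpc:trustedca", p + ESD_OWNER, sig_size - ESD_OWNER) == 0)
				loaded++;
			else
				(*skipped)++;
		}
		off += list_size;
	}
	return loaded;
}

/* Appends one list holding a single entry (zero SignatureOwner); returns its size. */
static size_t put_list(uint8_t *out, const efi_guid_t *type, const uint8_t *payload, uint32_t plen)
{
	uint32_t hdr[3] = { ESL_HDR + ESD_OWNER + plen, 0, ESD_OWNER + plen };
	memcpy(out, type->b, 16);
	for (int i = 0; i < 12; i++) /* ListSize, HeaderSize, SignatureSize, little-endian */
		out[16 + i] = (uint8_t)(hdr[i / 4] >> (8 * (i % 4)));
	memset(out + ESL_HDR, 0, ESD_OWNER);
	memcpy(out + ESL_HDR + ESD_OWNER, payload, plen);
	return hdr[0];
}

static int sample_skipped; /* entries ignored by the last run_sample() call */

/* Builds a constructed stand-in for trustedcadb (an X.509 list, then a SHA-256
 * list; the payloads are filler, not a real certificate or digest) and parses it
 * with `drop` trailing bytes removed. Intact: 1 loaded, 1 skipped. One byte
 * short: the second ListSize overruns the buffer and the whole parse fails. */
static int run_sample(size_t drop)
{
	static const uint8_t fake_cert[] = "CONSTRUCTED-X509-PLACEHOLDER";
	static const uint8_t fake_hash[32] = { 0xaa };
	uint8_t buf[256];
	size_t n = put_list(buf, &efi_cert_x509_guid, fake_cert, sizeof(fake_cert));
	n += put_list(buf + n, &efi_cert_sha256_guid, fake_hash, sizeof(fake_hash));
	return parse_esl(buf, n - drop, model_get_handler_for_ca_keys, &sample_skipped);
}

int main(void)
{
	int loaded = run_sample(0), skipped = sample_skipped;
	printf("loaded=%d skipped=%d truncated=%d\n", loaded, skipped, run_sample(1));
	return 0;
}
```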
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform
Date: Fri, 14 Jul 2023 11:34:31 -0400
Message-Id: <20230714153435.28155-3-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

On non-UEFI platforms, handle restrict_link_by_ca failures differently. Certificates which do not satisfy CA restrictions on non-UEFI platforms are ignored.

Signed-off-by: Nayna Jain

--- security/integrity/platform_certs/machine_keyring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 7aaed7950b6e..389a6e7c9245 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c 
@@ -36,7 +36,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t * If the restriction check does not pass and the platform keyring * is configured, try to add it into that keyring instead. */ - if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, perm);
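Review bot: the comment directly above the changed line in machine_keyring.c ("If the restriction check does not pass and the platform keyring is configured, try to add it into that keyring instead.") no longer matches the condition, which now also requires efi_enabled(EFI_BOOT); update it to say that the fallback to the platform keyring is UEFI-only and that on other platforms a certificate failing the CA restriction is simply not loaded, as the commit message states. The message says what changes but not why the platform keyring should not receive these certificates on non-UEFI platforms; one sentence on that would let a later reader check the trust decision from the log alone.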
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 3/6] integrity: remove global variable from machine_keyring.c
Date: Fri, 14 Jul 2023 11:34:32 -0400
Message-Id: <20230714153435.28155-4-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

The trust_mok variable is accessed locally within a single function. Change trust_mok from a global to a local static variable.

Signed-off-by: Nayna Jain

--- security/integrity/platform_certs/machine_keyring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 389a6e7c9245..9482e16cb2ca 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -8,8 +8,6 @@ #include #include "../integrity.h" -static bool trust_mok; - static __init int machine_keyring_init(void) { int rc; 
@@ -65,9 +63,11 @@ static __init bool uefi_check_trust_mok_keys(void) bool __init trust_moklist(void) { static bool initialized; + static bool trust_mok; if (!initialized) { initialized = true; + trust_mok = false; if (uefi_check_trust_mok_keys()) trust_mok = true;
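Review bot: in the trust_moklist() hunk the added `trust_mok = false;` inside `if (!initialized)` is redundant: a function-scope static is zero-initialised, and that block runs only once, so the variable is already false when uefi_check_trust_mok_keys() is consulted. Dropping the line leaves behaviour unchanged and makes the move of trust_mok from file scope to function scope the pure no-op the commit message describes.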
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 4/6] integrity: check whether imputed trust is enabled
Date: Fri, 14 Jul 2023 11:34:33 -0400
Message-Id: <20230714153435.28155-5-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

trust_moklist() is specific to UEFI-enabled systems. Other platforms rely only on the Kconfig. Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++-- .../integrity/platform_certs/keyring_handler.c | 2 +- .../integrity/platform_certs/machine_keyring.c | 15 ++++++++++++++- 4 files changed, 19 insertions(+), 5 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f31ffe23c48..48d505cacd81 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) + if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..d7553c93f5c0 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); -bool __init trust_moklist(void); +bool __init imputed_trust_enabled(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } -static inline bool __init trust_moklist(void) + +static inline bool __init imputed_trust_enabled(void) { return false; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 1649d047e3b8..b3e5df136e50 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c 
@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && imputed_trust_enabled()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 9482e16cb2ca..58cd72b193e6 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -60,7 +60,7 @@ static __init bool uefi_check_trust_mok_keys(void) return false; } -bool __init trust_moklist(void) +static bool __init trust_moklist(void) { static bool initialized; static bool trust_mok; 
@@ -75,3 +75,16 @@ bool __init trust_moklist(void) return trust_mok; } + +/* + * Provides platform specific check for trusting imputed keys before loading + * on .machine keyring. UEFI systems enable this trust based on a variable, + * and for other platforms, it is always enabled. + */ +bool __init imputed_trust_enabled(void) +{ + if (efi_enabled(EFI_BOOT)) + return trust_moklist(); + + return true; +}
From patchwork Fri Jul 14 15:34:34 2023 X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 120537
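Review bot: In patch 4/6, the machine_keyring.c hunk that adds imputed_trust_enabled() makes the non-EFI path `return true` unconditionally, so any platform that later enables CONFIG_INTEGRITY_MACHINE_KEYRING without UEFI gets imputed trust with no firmware-side opt-in comparable to the UEFI variable check behind trust_moklist(). The only thing bounding that trust is Kconfig (patch 5/6 relies on `select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS` for PowerVM), and the new comment does not say so; either state in the comment that non-UEFI platforms are expected to restrict the keyring via Kconfig, or make the default `return false` and have each supported platform opt in explicitly.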
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 5/6] integrity: PowerVM machine keyring enablement.
Date: Fri, 14 Jul 2023 11:34:34 -0400
Message-Id: <20230714153435.28155-6-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

Update Kconfig to enable the machine keyring and limit it to CA certificates on PowerVM.

Signed-off-by: Nayna Jain --- security/integrity/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index ec6e0d789da1..03c40ade0214 100644
--- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig 
@@ -67,7 +67,8 @@ config INTEGRITY_MACHINE_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING - depends on LOAD_UEFI_KEYS + depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS + select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys
From patchwork Fri Jul 14 15:34:35 2023 X-Patchwork-Submitter: Nayna Jain X-Patchwork-Id: 120545
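Review bot: In patch 5/6, `select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS` in the Kconfig hunk applies the CA-only restriction by build configuration, not by the firmware actually booted: a kernel built with both LOAD_UEFI_KEYS and LOAD_PPC_KEYS (which the new `depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS` permits) gets the restriction forced onto its UEFI MOK keys as well, and `select` also bypasses whatever INTEGRITY_CA_MACHINE_KEYRING itself depends on. If the intent is "mandatory on PowerVM", say so in the help text and consider a `default y if LOAD_PPC_KEYS` on INTEGRITY_CA_MACHINE_KEYRING instead of a select; either way the help text, which still describes the keyring as holding "just MOK keys", should mention what PowerVM loads into it.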
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linuxppc-dev, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Fri, 14 Jul 2023 11:34:35 -0400
Message-Id: <20230714153435.28155-7-nayna@linux.ibm.com>
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
References: <20230714153435.28155-1-nayna@linux.ibm.com>

On a secure boot enabled PowerVM LPAR, third party code signing keys are needed during early boot to verify signed third party modules. These third party keys are stored in the moduledb object in the Platform KeyStore (PKS). Load third party code signing keys onto the .secondary_trusted_keys keyring.
Signed-off-by: Nayna Jain --- Jarkko, this patch is based on Linus master tree branch, which does not contain the following commits yet: c9d004712300 integrity: Enforce digitalSignature usage in the ima and evm keyrings 59b656eb58fe KEYS: DigitalSignature link restriction certs/system_keyring.c | 22 +++++++++++++++++++ include/keys/system_keyring.h | 8 +++++++ security/integrity/integrity.h | 1 + .../platform_certs/keyring_handler.c | 8 +++++++ .../platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 18 ++++++++++++++- 6 files changed, 61 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a7a49b17ceb1..b0235732c1d4 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -347,3 +347,25 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len) +{ + key_ref_t key; + key_perm_t perm; + int rc = 0; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + + key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), "asymmetric", + NULL, data, len, perm, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) { + rc = PTR_ERR(key); + pr_err("Problem loading X.509 certificate %d\n", rc); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..a57a77ccf003 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -41,8 +41,16 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); + +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len); + #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len) +{ +} #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index d7553c93f5c0..efaa2eb789ad 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id, { return 0; } + #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index b3e5df136e50..6095df043498 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -77,6 +77,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_secondary_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 6f15bb4cc8dc..f92895cc50f6 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h 
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for code signing keys. + */ +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 6263ce3b3f1e..32c4e5fbf0fb 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; - void *trustedca = NULL; + void *trustedca = NULL, *moduledb = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("moduledb", 9, &dsize); + if (!data) { + pr_info("Couldn't get moduledb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading moduledb from firmware: %d\n", rc); + } else { + extract_esl(moduledb, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize, + get_handler_for_code_signing_keys); + if (rc) + pr_err("Couldn't parse moduledb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);
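Review bot: In the certs/system_keyring.c hunk, add_to_secondary_keyring() takes a `source` parameter it never uses, and initialises `rc = 0` only to overwrite it in the one branch that reads it. Because key_create_or_update() on secondary_trusted_keys is subject to that keyring's link restriction, a moduledb certificate that does not chain to an already trusted key is rejected right here, and the only trace is `Problem loading X.509 certificate %d` with no hint of where the cert came from; include `source` in both log messages (the load_powerpc.c hunk labels this list "powerpc:moduledb") and drop the redundant initialiser.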
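Review bot: The #else branch of the include/keys/system_keyring.h hunk defines add_to_secondary_keyring() as a plain function body inside a header (neither `static` nor `inline`), so every translation unit that includes the header when the secondary keyring is configured out emits its own copy and the link fails with a multiple-definition error. Make it `static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) { }`, matching the add_to_machine_keyring stub in integrity.h.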
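Review bot: The security/integrity/integrity.h hunk only adds a blank line before `#endif /* CONFIG_INTEGRITY_SIGNATURE */`, which has nothing to do with loading code signing keys; drop it from this patch so the diff is limited to the functional change.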
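Review bot: The new moduledb block in load_powerpc.c repeats the surrounding get_cert_list()/extract_esl()/parse_efi_signature_list()/kfree() sequence almost verbatim, with the firmware variable name, the "powerpc:..." label, the handler and the three message strings the only differences. A small static helper taking those as arguments would reduce load_powerpc_certs() to one call per list and keep the error reporting consistent across db, dbx, trustedca and moduledb; as written, each copy also overwrites `rc`, so only the last list's failure reaches the `return rc` at the end.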