From patchwork Sun Aug 13 02:15:26 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 135020
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 1/6] integrity: PowerVM support for loading CA keys on machine keyring
Date: Sat, 12 Aug 2023 22:15:26 -0400
Message-Id: <20230813021531.1382815-2-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

Keys that derive their trust from an entity such as a security officer, administrator, system owner, or machine owner are said to have "imputed trust". CA keys with imputed trust can be loaded onto the machine keyring. The mechanism for loading these keys onto the machine keyring is platform dependent.
Load keys stored in the variable trustedcadb onto the .machine keyring on PowerVM platform. Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar --- .../integrity/platform_certs/keyring_handler.c | 8 ++++++++ .../integrity/platform_certs/keyring_handler.h | 5 +++++ .../integrity/platform_certs/load_powerpc.c | 17 +++++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 8a1124e4d769..1649d047e3b8 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_machine_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 212d894a8c0c..6f15bb4cc8dc 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for CA keys. + */ +efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 170789dc63d2..6263ce3b3f1e 100644 --- a/security/integrity/platform_certs/load_powerpc.c 
+++ b/security/integrity/platform_certs/load_powerpc.c @@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; + void *trustedca = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; 
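Review bot: get_handler_for_ca_keys() in the keyring_handler.c hunk above hands every EFI_CERT_X509_GUID entry to add_to_machine_keyring() without any check that the certificate is a CA; the only thing that keeps a leaf certificate off .machine is the keyring restriction applied inside add_to_machine_keyring(). That is acceptable, but the new comment in keyring_handler.h ("Return the handler for particular signature list types for CA keys") reads as if the filtering happened in this handler. Suggest saying in that comment, or in the commit message, that CA-ness is enforced by the .machine keyring restriction and that this handler only selects on signature type, so the next reader does not look here for the check.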
@@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("trustedcadb", 12, &dsize); + if (!data) { + pr_info("Couldn't get trustedcadb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading trustedcadb from firmware: %d\n", rc); + } else { + extract_esl(trustedca, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, + get_handler_for_ca_keys); + if (rc) + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);

From patchwork Sun Aug 13 02:15:27 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 135000
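Review bot: in the load_powerpc_certs() hunk, rc is reassigned unconditionally on the success path (rc = parse_efi_signature_list(...)) and that value is what "return rc" hands back, so a non-zero rc left by the db/dbx handling that precedes this block (the "kfree(data); }" context line) is overwritten whenever trustedcadb parses cleanly. If the intent is to report the first failure, only update rc when this call fails, e.g. `ret = parse_efi_signature_list(...); if (ret) { pr_err(...); rc = ret; }`. Two smaller points: nothing in the hunk limits the trustedcadb lookup to PowerVM even though the subject says "PowerVM support", so every platform that reaches this function will attempt the read and print "Couldn't get trustedcadb list from firmware" when the variable is absent, which is worth a sentence in the commit message if intended; and the key length 12 is a magic number where sizeof("trustedcadb") would say what it means and match the string if it is ever renamed.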
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform
Date: Sat, 12 Aug 2023 22:15:27 -0400
Message-Id: <20230813021531.1382815-3-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

On non-UEFI platforms, handle restrict_link_by_ca failures differently. Certificates which do not satisfy CA restrictions on non-UEFI platforms are ignored.
Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar Acked-by: Jarkko Sakkinen --- security/integrity/platform_certs/machine_keyring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 7aaed7950b6e..389a6e7c9245 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c 
@@ -36,7 +36,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t * If the restriction check does not pass and the platform keyring * is configured, try to add it into that keyring instead. */ - if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, perm);

From patchwork Sun Aug 13 02:15:28 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 135008
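Review bot: the comment directly above the changed line still says a key that fails the restriction check is retried on the platform keyring whenever that keyring is configured; with the added efi_enabled(EFI_BOOT) condition that is only true on an EFI boot, and on every other platform the key is dropped, so the comment should say so (the commit message already does: "Certificates which do not satisfy CA restrictions on non-UEFI platforms are ignored"). It would also help to name the source in whatever message reports the non-zero rc after this hunk, since with this change a non-CA certificate found in trustedcadb never reaches any keyring and an operator has no other trace of it.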
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 3/6] integrity: remove global variable from machine_keyring.c
Date: Sat, 12 Aug 2023 22:15:28 -0400
Message-Id: <20230813021531.1382815-4-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

The trust_mok variable is accessed locally within a single function. Change trust_mok from a global to a local static variable.
Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen --- security/integrity/platform_certs/machine_keyring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 389a6e7c9245..9482e16cb2ca 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -8,8 +8,6 @@ #include #include "../integrity.h" -static bool trust_mok; - static __init int machine_keyring_init(void) { int rc; 
@@ -65,9 +63,11 @@ static __init bool uefi_check_trust_mok_keys(void) bool __init trust_moklist(void) { static bool initialized; + static bool trust_mok; if (!initialized) { initialized = true; + trust_mok = false; if (uefi_check_trust_mok_keys()) trust_mok = true;

From patchwork Sun Aug 13 02:15:29 2023
X-Patchwork-Submitter: Nayna Jain
X-Patchwork-Id: 134999
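Review bot: the added "trust_mok = false;" in trust_moklist() is redundant. A function-scope static has static storage duration and is zero-initialised, exactly like the file-scope "static bool trust_mok;" removed in the first hunk, and the assignment sits inside the "if (!initialized)" block that runs once before anything could have set it. Dropping that line keeps the patch to the pure move the commit message describes.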
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 4/6] integrity: check whether imputed trust is enabled
Date: Sat, 12 Aug 2023 22:15:29 -0400
Message-Id: <20230813021531.1382815-5-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

trust_moklist() is specific to UEFI enabled systems. Other platforms rely only on the Kconfig. Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain Reviewed-off-by: Mimi Zohar --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++-- .../integrity/platform_certs/keyring_handler.c | 3 ++- .../integrity/platform_certs/machine_keyring.c | 18 ++++++++++++++++-- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index d0704b1597d4..df387de29bfa 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) + if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..d7553c93f5c0 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); -bool __init trust_moklist(void); +bool __init imputed_trust_enabled(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } -static inline bool __init trust_moklist(void) + +static inline bool __init imputed_trust_enabled(void) { return false; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 1649d047e3b8..586027b9a3f5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c 
@@ -61,7 +61,8 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && + imputed_trust_enabled()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 9482e16cb2ca..a401640a63cd 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -34,7 +34,8 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t * If the restriction check does not pass and the platform keyring * is configured, try to add it into that keyring instead. */ - if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + if (rc && efi_enabled(EFI_BOOT) && + IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, perm); @@ -60,7 +61,7 @@ static __init bool uefi_check_trust_mok_keys(void) return false; } -bool __init trust_moklist(void) +static bool __init trust_moklist(void) { static bool initialized; static bool trust_mok; 
@@ -75,3 +76,16 @@ bool __init trust_moklist(void) return trust_mok; } + +/* + * Provides platform specific check for trusting imputed keys before loading + * on .machine keyring. UEFI systems enable this trust based on a variable, + * and for other platforms, it is always enabled. + */ +bool __init imputed_trust_enabled(void) +{ + if (efi_enabled(EFI_BOOT)) + return trust_moklist(); + + return true; +}
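Review bot: in the imputed_trust_enabled() hunk the fallback `return true;` applies to every boot where efi_enabled(EFI_BOOT) is false, not only to the non-UEFI platforms the commit message has in mind. Before this patch the same kernel booted without EFI got its answer from trust_moklist(), that is from the UEFI-specific check in uefi_check_trust_mok_keys(); with this patch __integrity_init_keyring() (digsig.c hunk above) will call set_machine_trusted_keys() on such a boot. That is only safe because nothing populates .machine without EFI or a platform loader, so either narrow the fallback to the platform that does populate it (for example `if (IS_ENABLED(CONFIG_LOAD_PPC_KEYS)) return true;`) or spell that reasoning out in the comment, which also reads better as "before loading onto the .machine keyring" rather than "before loading on .machine keyring".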
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 5/6] integrity: PowerVM machine keyring enablement
Date: Sat, 12 Aug 2023 22:15:30 -0400
Message-Id: <20230813021531.1382815-6-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

Update Kconfig to enable machine keyring and limit to CA certificates on PowerVM. Only key signing CA keys are allowed.

Signed-off-by: Nayna Jain
Reviewed-and-tested-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
security/integrity/Kconfig | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index ec6e0d789da1..232191ee09e3 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig 
@@ -67,7 +67,9 @@ config INTEGRITY_MACHINE_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING - depends on LOAD_UEFI_KEYS + depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS + select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS + select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys
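Review bot: the help text in this hunk still describes the keyring as holding only UEFI Machine Owner Keys ("This keyring shall contain just MOK keys"), but once the option reads `depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS` the keyring is also populated from PowerVM firmware, and the two `select INTEGRITY_CA_MACHINE_KEYRING... if LOAD_PPC_KEYS` lines restrict that source to CA keys. Update the help text to name the PowerVM source and the CA-only restriction, so someone enabling this in menuconfig can see which firmware-provided keys they are choosing to trust; `select` also forces those two symbols on without honouring their own dependencies, so it is worth confirming those are covered by the `depends on` lines here.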
From: Nayna Jain
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Jarkko Sakkinen, Eric Snowberg, Paul Moore, linux-security-module@vger.kernel.org, linuxppc-dev, linux-kernel@vger.kernel.org, Nayna Jain
Subject: [PATCH v3 6/6] integrity: PowerVM support for loading third party code signing keys
Date: Sat, 12 Aug 2023 22:15:31 -0400
Message-Id: <20230813021531.1382815-7-nayna@linux.ibm.com>
In-Reply-To: <20230813021531.1382815-1-nayna@linux.ibm.com>
References: <20230813021531.1382815-1-nayna@linux.ibm.com>

On secure boot enabled PowerVM LPAR, third party code signing keys are needed during early boot to verify signed third party modules. These third party keys are stored in moduledb object in the Platform KeyStore(PKS). Load third party code signing keys onto .secondary_trusted_keys keyring.
Signed-off-by: Nayna Jain --- certs/system_keyring.c | 30 +++++++++++++++++++ include/keys/system_keyring.h | 7 +++++ security/integrity/integrity.h | 1 + .../platform_certs/keyring_handler.c | 8 +++++ .../platform_certs/keyring_handler.h | 5 ++++ .../integrity/platform_certs/load_powerpc.c | 18 ++++++++++- 6 files changed, 68 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index b348e0898d34..e458d414918d 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -396,3 +396,33 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +/** + * add_to_secondary_keyring - Add to secondary keyring. + * @source: Source of key + * @data: The blob holding the key + * @len: The length of the data blob + * + * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin, + * machine or secondary keyring itself. + */ +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) +{ + key_ref_t key; + key_perm_t perm; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + + key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), + "asymmetric", + NULL, data, len, perm, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) { + pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n", + source, PTR_ERR(key)); + return; + } + + pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description); + key_ref_put(key); +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 7e2583208820..4188f75d1bac 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -50,9 +50,16 @@ int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len); + #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin +void __init add_to_secondary_keyring(const char *source, const void *data, + size_t len) +{ +} #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index d7553c93f5c0..efaa2eb789ad 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -228,6 +228,7 @@ static inline int __init integrity_load_cert(const unsigned int id, { return 0; } + #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 586027b9a3f5..13ea17207902 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -78,6 +78,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_secondary_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 6f15bb4cc8dc..f92895cc50f6 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h 
@@ -34,6 +34,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); */ efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types for code signing keys. + */ +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 6263ce3b3f1e..32c4e5fbf0fb 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -59,7 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; - void *trustedca = NULL; + void *trustedca = NULL, *moduledb = NULL; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -137,6 +137,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("moduledb", 9, &dsize); + if (!data) { + pr_info("Couldn't get moduledb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading moduledb from firmware: %d\n", rc); + } else { + extract_esl(moduledb, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize, + get_handler_for_code_signing_keys); + if (rc) + pr_err("Couldn't parse moduledb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs);
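Review bot: in the system_keyring.c hunk, the comment's guarantee that the key "must be vouched for by a key in the builtin, machine or secondary keyring itself" is not enforced by anything in add_to_secondary_keyring(); it rests entirely on the link restriction already attached to secondary_trusted_keys, and it holds only because key_create_or_update() is called with KEY_ALLOC_NOT_IN_QUOTA alone and not with KEY_ALLOC_BYPASS_RESTRICTION. Add a comment at the call saying the restriction is deliberately not bypassed, since a firmware-supplied third-party key whose chain does not verify must be rejected here, and consider naming the keyring in the pr_notice() so a log reader can tell these certificates apart from ones loaded onto the builtin or platform keyrings.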
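Review bot: in the system_keyring.h hunk, the !CONFIG_SECONDARY_TRUSTED_KEYRING stub `void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) { }` is a non-static function definition placed in a header, so every translation unit that includes system_keyring.h with that option off emits its own copy and the link fails with a multiple-definition error. Make it `static inline void __init add_to_secondary_keyring(...) { }`, matching the add_to_machine_keyring() stub in integrity.h shown in patch 4/6.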
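Review bot: the integrity.h hunk only inserts a blank line before `#endif /* CONFIG_INTEGRITY_SIGNATURE */` and has nothing to do with loading moduledb keys; drop it from this patch so the diff is limited to the functional change.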
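Review bot: in the second load_powerpc.c hunk, `rc = parse_efi_signature_list("powerpc:moduledb", ...)` reassigns rc, so if the preceding block (the one ending in the visible `kfree(data); }`) had already left an error in rc, the function still `return rc;`s the moduledb result and the earlier failure is masked; since these are third-party code signing keys, a missed failure in an earlier list is worth surfacing rather than following the existing pattern. Two smaller points: `get_cert_list("moduledb", 9, &dsize)` counts the terminating NUL, which `sizeof("moduledb")` would make explicit, and the commit message scopes this to "secure boot enabled" LPARs while nothing in the hunk checks the secure boot state, so if loading unconditionally is intended (the restricted secondary keyring makes it safe), say so in the message.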