Re: [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2019-01-10 at 00:48 +0800, Kairui Song wrote:
> Currently kexec_file_load will verify the kernel image being loaded
> against .builtin_trusted_keys or .secondary_trusted_keys, but the
> image could be signed with third part keys which will be provided by
> platform or firmware and the keys won't be available in keyrings mentioned
> above.
> 
> After commit ea93102f3224 ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware. And with a few following commits, now keys required to verify
> the image is being imported to .platform keyring, but currently, only
> IMA-appraisal could use the keyring and verify the image.
> 
> This patch exposes the .platform and makes other components, like
> kexec_file_load, could use this .platform keyring to verify the
> kernel image.

The "platform" keyring was upstreamed in order to verify the kernel
image being loaded by the kexec_file_load syscall.  The intentions of
this patch description needs to be clearer.

> 
> Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> Signed-off-by: Kairui Song <kasong@xxxxxxxxxx>
> ---
>  certs/system_keyring.c        | 3 +++
>  include/keys/system_keyring.h | 5 +++++
>  security/integrity/digsig.c   | 4 ++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..a61b95390b80 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>  static struct key *secondary_trusted_keys;
>  #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +struct key *platform_trusted_keys;

Please make it static.

Mimi

> +#endif




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux