On 11/03/22 3:14 am, Nayna Jain wrote:
Some firmware support secure boot by embedding static keys to verify the
Linux kernel during boot. However, these firmware do not expose an
interface for the kernel to load firmware keys onto the ".platform"
keyring, preventing the kernel from verifying the kexec kernel image
signature.
This patchset exports load_certificate_list() and defines a new function
load_builtin_platform_cert() to load compiled in certificates onto the
".platform" keyring.
Changelog:
v11:
* Added a new patch to conditionally build extract-cert if
PLATFORM_KEYRING is enabled.
Tested the following four patches with and with out setting
CONFIG_INTEGRITY_PLATFORM_KEYS
Tested-by: Nageswara R Sastry <rnsastry@xxxxxxxxxxxxx>
1. With set CONFIG_INTEGRITY_PLATFORM_KEYS
# grep pem .config
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
# grep
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST"
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS="certs/kernel.pem"
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# cat /proc/keys | grep platform
0e60c88d I------ 1 perm 1f0b0000 0 0 keyring .platform: 1
# keyctl show %keyring:.platform
Keyring
241223821 ---lswrv 0 0 keyring: .platform
308815460 ---lswrv 0 0 \_ asymmetric: IBM Corporation:
Guest Secure Boot Imprint Kernel Signing Key:
a0cf9069c30875320cb10a77325d4fa7012f8d12
2. With out set CONFIG_INTEGRITY_PLATFORM_KEYS
# grep pem .config
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"
# grep
"CONFIG_INTEGRITY_PLATFORM_KEYS\|INTEGRITY_PLATFORM_KEYRING\|SYSTEM_REVOCATION_LIST"
.config
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYS=""
# CONFIG_SYSTEM_REVOCATION_LIST is not set
# cat /proc/keys | grep platform
12a5f301 I------ 1 perm 1f0b0000 0 0 keyring .platform: empty
# keyctl show %keyring:.platform
Keyring
312865537 ---lswrv 0 0 keyring: .platform
base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9
--
Thanks and Regards
R.Nageswara Sastry