On Fri, 2022-03-11 at 18:39 +0200, Jarkko Sakkinen wrote: > On Thu, 2022-03-10 at 16:44 -0500, Nayna Jain wrote: > > Some firmware support secure boot by embedding static keys to verify the > > Linux kernel during boot. However, these firmware do not expose an > > interface for the kernel to load firmware keys onto the ".platform" > > keyring, preventing the kernel from verifying the kexec kernel image > > signature. > > > > This patchset exports load_certificate_list() and defines a new function > > load_builtin_platform_cert() to load compiled in certificates onto the > > ".platform" keyring. > > > > Changelog: > > v11: > > * Added a new patch to conditionally build extract-cert if > > PLATFORM_KEYRING is enabled. > > > > v10: > > * Fixed the externs warning for Patch 3. > > > > v9: > > * Rebased on Jarkko's repo - > > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git > > > > v8: > > * Includes Jarkko's feedback on patch description and removed Reported-by > > for Patch 1. > > > > v7: > > * Incldues Jarkko's feedback on patch description for Patch 1 and 3. > > > > v6: > > * Includes Jarkko's feedback: > > * Split Patch 2 into two. > > * Update Patch description. > > > > v5: > > * Renamed load_builtin_platform_cert() to load_platform_certificate_list() > > and config INTEGRITY_PLATFORM_BUILTIN_KEYS to INTEGRITY_PLATFORM_KEYS, as > > suggested by Mimi Zohar. > > > > v4: > > * Split into two patches as per Mimi Zohar and Dimitri John Ledkov > > recommendation. > > > > v3: > > * Included Jarkko's feedback > > ** updated patch description to include approach. > > ** removed extern for function declaration in the .h file. > > * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. > > > > v2: > > * Fixed the error reported by kernel test robot > > * Updated patch description based on Jarkko's feedback. > > > > Nayna Jain (4): > > certs: export load_certificate_list() to be used outside certs/ > > integrity: make integrity_keyring_from_id() non-static > > certs: conditionally build extract-cert if platform keyring is enabled > > integrity: support including firmware ".platform" keys at build time > > > > certs/Makefile | 9 ++++++-- > > certs/blacklist.c | 1 - > > certs/common.c | 2 +- > > certs/common.h | 9 -------- > > certs/system_keyring.c | 1 - > > include/keys/system_keyring.h | 6 +++++ > > security/integrity/Kconfig | 10 ++++++++ > > security/integrity/Makefile | 15 +++++++++++- > > security/integrity/digsig.c | 2 +- > > security/integrity/integrity.h | 9 ++++++++ > > .../integrity/platform_certs/platform_cert.S | 23 +++++++++++++++++++ > > .../platform_certs/platform_keyring.c | 23 +++++++++++++++++++ > > 12 files changed, 94 insertions(+), 16 deletions(-) > > delete mode 100644 certs/common.h > > create mode 100644 security/integrity/platform_certs/platform_cert.S > > > > > > base-commit: fb5abce6b2bb5cb3d628aaa63fa821da8c4600f9 > > I tuned tags. Nayna, Mimi is this how it should be: Either v11 or v12 is fine by me, except Masahiro Yamada requested to move extract_certs back to the scripts/ directory. v12 moves extract_certs back, as requested. Also Nageswara Sastry tested both v11 and v12 versions. thanks, Mimi
