On Mon, 2022-07-04 at 09:51 +0800, Coiby Xu wrote: > Currently when loading a kernel image via the kexec_file_load() system > call, x86 can make use of three keyrings i.e. the .builtin_trusted_keys, > .secondary_trusted_keys and .platform keyrings to verify a signature. > However, arm64 and s390 can only use the .builtin_trusted_keys and > .platform keyring respectively. For example, one resulting problem is > kexec'ing a kernel image would be rejected with the error "Lockdown: > kexec: kexec of unsigned images is restricted; see man > kernel_lockdown.7". > > This patch set enables arm64 and s390 to make use of the same keyrings > as x86 to verify the signature kexec'ed kernel image. > > The recently introduced .machine keyring impacts the roots of trust by > linking the .machine keyring to the .secondary keyring. The roots of > trust for different keyrings are described as follows, > > .builtin_trusted_keys: > > Keys may be built into the kernel during build or inserted into memory > reserved for keys post build. The root of trust is based on verification > of the kernel image signature. For example, on a physical system in a > secure boot environment, this trust is rooted in hardware. > > .machine: > > If the end-users choose to trust the keys provided by first-stage UEFI > bootloader shim i.e. Machine Owner Keys (MOK keys), the keys will be > added to this keyring which is linked to the .secondary_trusted_keys > keyring as the same as the .builtin_trusted_keys keyring. Shim has > built-in keys from a Linux distribution or the end-users-enrolled keys. > So the root of trust of this keyring is either a Linux distribution > vendor or the end-users. > > .secondary_trusted_keys: > > Certificates signed by keys on the .builtin_trusted_keys, .machine, or > existing keys on the .secondary_trusted_keys keryings may be loaded > onto the .secondary_trusted_keys keyring. This establishes a signature > chain of trust based on keys loaded on either the .builtin_trusted_keys > or .machine keyrings, if configured and enabled. > > .platform: > > The .platform keyring consist of UEFI db and MOK keys which are used by > shim to verify the first boot kernel's image signature. If end-users > choose to trust MOK keys and the kernel has the .machine keyring > enabled, the .platform keyring only consists of UEFI db keys since the > MOK keys are added to the .machine keyring instead. Because the > end-users could also enroll their own MOK keys, the root of trust could > be hardware and the end-users. > > The 3rd arm64 patch depends on the first two patches. The 4th s390 patch > can be applied independently. > > I've tested the patch set on 5.19.0-rc2 and it works as expected. > > For arm64, the tests were done as follows, > 1. build 5.19.0-rc2 > 2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI > db; > 3. sign different kernel images with different keys including keys > from .builtin_trusted_key, .secondary_trusted_keys keyring, a UEFI db > key and MOK key > 4. Without lockdown, all kernel images can be kexec'ed; with lockdown > enabled, only the kernel image signed by the key from the > .builtin_trusted_key keyring can be kexec'ed Just confirming, for arm64, this patch set allows verifying the kexec'ed kernel image signature using keys on either the .platform or .secondary_trusted_keys keyrings. thanks, Mimi > > For 390, I commented out the code that skips signature verification when > secure boot is not enabled since the testing machine doesn't supports > secure boot and can confirm before applying the patch, kernel images > signed by keys from .builtin_trusted_key, .secondary_trusted_keys > couldn't be kexec'ed when lockdown is enabled; after applying the patch, > those kernel images could be kexec'ed.
