On a secure boot enabled PowerVM guest, local and third party code signing keys are needed to verify signed applications, configuration files, and kernel modules. Loading these keys onto either the .secondary_trusted_keys or .ima keyrings requires the certificates be signed by keys on the .builtin_trusted_keys, .machine or .secondary_trusted_keys keyrings. Keys on the .builtin_trusted_keys keyring are trusted because of the chain of trust from secure boot up to and including the linux kernel. Keys on the .machine keyring that derive their trust from an entity such as a security officer, administrator, system owner, or machine owner are said to have "imputed trust." The type of certificates and the mechanism for loading them onto the .machine keyring is platform dependent. Userspace may load certificates onto the .secondary_trusted_keys or .ima keyrings. However, keys may also need to be loaded by the kernel if they are needed for verification in early boot time. On PowerVM guest, third party code signing keys are loaded from the moduledb variable in the Platform KeyStore(PKS) onto the .secondary_trusted_keys. The purpose of this patch set is to allow loading of local and third party code signing keys on PowerVM. Changelog: v3: * Included Jarkko's feedback for Patch 6/6. v2: * Patch 5/6: Update CA restriction to allow only key signing CA's. * Rebase on Jarkko's master tree - https://kernel.googlesource.com/pub/scm/linux/kernel/git/jarkko/linux-tpmdd * Tested after reverting cfa7522f280aa95 because of build failure due to this commit. Nayna Jain (6): integrity: PowerVM support for loading CA keys on machine keyring integrity: ignore keys failing CA restrictions on non-UEFI platform integrity: remove global variable from machine_keyring.c integrity: check whether imputed trust is enabled integrity: PowerVM machine keyring enablement integrity: PowerVM support for loading third party code signing keys certs/system_keyring.c | 30 +++++++++++++++++ include/keys/system_keyring.h | 7 ++++ security/integrity/Kconfig | 4 ++- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 6 ++-- .../platform_certs/keyring_handler.c | 19 ++++++++++- .../platform_certs/keyring_handler.h | 10 ++++++ .../integrity/platform_certs/load_powerpc.c | 33 +++++++++++++++++++ .../platform_certs/machine_keyring.c | 22 ++++++++++--- 9 files changed, 124 insertions(+), 9 deletions(-) -- 2.31.1
