Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-02-11 23:26:06
Also in:
keyrings, linux-security-module, lkml
On Thu, 2021-02-11 at 17:13 -0500, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
Certificates being loaded onto the IMA trusted keyring must be signed by a key on either the builtin or secondary trusted keyring. This patch creates and includes in the kernel image an ephemeral CA key, at build time when IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
<snip>
diff --git a/certs/Makefile b/certs/Makefile
@@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + # Generate kernel build time CA Certificate. + @$(Q)openssl req -new -nodes -utf8 \ + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ + -subj "/CN=Build time autogenerated kernel CA key" \ + -batch -x509 -config $(obj)/x509.genkey \ + -outform PEM -out $(CA_KEY) \ + -keyout $(CA_KEY) -extensions ca_ext \ + $($(quiet)redirect_openssl) +endif # CONFIG_IMA_APPRAISE_MODSIG $(Q)openssl req -new -nodes -utf8 \ -batch -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.csr \ -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ - -outform PEM -out $(obj)/signing_key.crt \ - -signkey $(obj)/signing_key.key \ + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ -extfile $(obj)/x509.genkey \ $($(quiet)redirect_openssl)

It may make things easier (also below) if the CA was always created and the kernel signing key was always signed by that CA rather than doing this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an opinion on that?
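Review bot: the `openssl x509 -req` step now drops the unconditional `-signkey $(obj)/signing_key.key` in favour of `$(SIGNER)`, but `$(SIGNER)` is not defined anywhere in this hunk; when CONFIG_IMA_APPRAISE_MODSIG is not set it has to expand to the old `-signkey $(obj)/signing_key.key` (and presumably to `-CA`/`-CAkey` on `$(CA_KEY)` in the modsig case), otherwise signing_key.crt is produced with no signing key at all, so the definition should be shown alongside this change or at least referenced in the commit message. Smaller points in the same block: `@$(Q)openssl` doubles the silencing prefix, since `$(Q)` already expands to `@` in non-verbose builds, so it should read `$(Q)openssl` like the two commands below it; the CA is described as ephemeral, yet `$(CA_KEY)` keeps the CA private key next to the certificate and nothing here removes it once signing_key.crt has been issued; and the `$(kecho)` banner above still describes only the signing key generation and should mention the CA now being generated in the same step.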
Thanks, Stefan. It would definitely simplify the code. We wanted to minimize the code change and solicit feedback, before making such a change.

Mimi
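As an added example, not code from the patch, the kernel tree or anyone in this thread, the following shell script walks through the build-time flow Stefan suggests above: always generate an ephemeral CA, issue the kernel signing certificate from it instead of self-signing it with -signkey, verify the chain, check that an unrelated certificate is rejected, and destroy the CA private key afterwards. The x509.genkey contents, the ca_ext and myexts section names, the file names and the $WORK directory are assumptions made for the example; $HASH stands in for CONFIG_MODULE_SIG_HASH.

```shell
#!/bin/sh
# Added example, not the kernel's certs/Makefile: an ephemeral build-time CA
# that always signs the kernel signing key, plus the checks a reviewer would
# run on the result. Paths, section names and $WORK are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
HASH=${HASH:-sha256}   # stands in for CONFIG_MODULE_SIG_HASH

# Minimal stand-in for x509.genkey with a CA section and a leaf section
# (assumed layout; the real file lives in certs/ of the kernel tree).
write_genkey() {
    cat > "$WORK/x509.genkey" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_dn
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_dn ]
CN = Build time autogenerated kernel key

[ ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash

[ myexts ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA. Key and cert go to separate files so the key can be
# destroyed later while the cert is what gets embedded in the builtin keyring.
gen_ca() {
    openssl req -new -nodes -utf8 -"$HASH" -days 36500 \
        -subj "/CN=Build time autogenerated kernel CA key" \
        -batch -x509 -config "$WORK/x509.genkey" \
        -outform PEM -out "$WORK/ca.crt" -keyout "$WORK/ca.key" \
        -extensions ca_ext 2>/dev/null
}

# Leaf (module/IMA signing) key: CSR, then a certificate issued by the CA
# instead of the old self-signed (-signkey) one.
gen_signing_key() {
    openssl req -new -nodes -utf8 -batch -config "$WORK/x509.genkey" \
        -outform PEM -out "$WORK/signing_key.csr" \
        -keyout "$WORK/signing_key.key" -extensions myexts 2>/dev/null
    openssl x509 -req -days 36500 -in "$WORK/signing_key.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -"$HASH" -extensions myexts -extfile "$WORK/x509.genkey" \
        -outform PEM -out "$WORK/signing_key.crt" 2>/dev/null
    # Same layout the kernel build uses: key and cert in one PEM file.
    cat "$WORK/signing_key.key" "$WORK/signing_key.crt" > "$WORK/signing_key.pem"
}

# The leaf must chain to the CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/signing_key.crt" >/dev/null 2>&1
}

# The CA cert must actually carry CA:TRUE, or it will not be accepted as an
# issuer (by openssl verify here, by the kernel's keyring checks in practice).
ca_is_ca() {
    openssl x509 -in "$WORK/ca.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Negative case: a certificate with no path to the CA (a throwaway self-signed
# one, constructed for the example) must fail verification.
verify_rejects_foreign() {
    openssl req -new -nodes -utf8 -"$HASH" -days 1 -x509 \
        -subj "/CN=not signed by the build CA" -batch \
        -config "$WORK/x509.genkey" -extensions myexts \
        -out "$WORK/foreign.crt" -keyout "$WORK/foreign.key" 2>/dev/null
    ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/foreign.crt" >/dev/null 2>&1
}

# "Ephemeral": once the signing certificate exists nothing else may ever be
# issued under this CA, so its private key (and serial file) is destroyed.
discard_ca_key() {
    rm -f "$WORK/ca.key" "$WORK/ca.srl"
    [ ! -e "$WORK/ca.key" ]
}

build_keys() {
    write_genkey
    gen_ca
    gen_signing_key
    verify_chain
    ca_is_ca
    verify_rejects_foreign
    discard_ca_key
}

build_keys
```

After build_keys returns, $WORK holds ca.crt (to embed in the builtin keyring), signing_key.pem (key plus CA-issued cert, the layout the kernel build expects) and no CA private key; the one point the script makes beyond the Makefile is the explicit verify step in both directions, which is what the builtin/secondary keyring check in the kernel enforces at load time.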