Thread (23 messages), 4 authors, 2018-12-13

Re: [PATCH v2 0/7] add platform/firmware keys support for kernel verification by IMA

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2018-12-09 18:40:20
Also in: kexec, keyrings, linux-efi, linux-integrity, lkml

Hi Nayna,

On Sun, 2018-12-09 at 01:56 +0530, Nayna Jain wrote:
> On secure boot enabled systems, a verified kernel may need to kexec
> additional kernels. For example, it may be used as a bootloader needing
> to kexec a target kernel or it may need to kexec a crashdump kernel.
> In such cases, it may want to verify the signature of the next kernel
> image.
>
> It is possible that the new kernel image is signed with third party keys
> which are stored as platform or firmware keys in the 'db' variable. The
> kernel, however, can not directly verify these platform keys, and an
> administrator may therefore not want to trust them for arbitrary usage.
> In order to differentiate platform keys from other keys and provide the
> necessary separation of trust the kernel needs an additional keyring to
> store platform/firmware keys.
>
> The secure boot key database is expected to store the keys as EFI
> Signature List (ESL). The patch set uses David Howells and Josh Boyer's
> patch to access and parse the ESL to extract the certificates and load
> them onto the platform keyring.
>
> The last patch in this patch set adds support for IMA-appraisal to
> verify the kexec'ed kernel image based on keys stored in the platform
> keyring.

Thanks!  This patch set is now in the #next-integrity branch.

https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/

Mimi
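
The ESL parsing step mentioned in the cover letter, as an added example that is not code from the patch set or from this thread: a bounds-checked walk over concatenated EFI_SIGNATURE_LIST structures (layout per the UEFI specification) that hands each X.509 entry to a callback. The names `esl_for_each_x509` and `sum_len` are hypothetical, and the sample bytes are constructed, not a real certificate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 in its on-disk byte order */
static const uint8_t X509_GUID[16] = { 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
                                       0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
/* Constructed sample: one list holding one 4-byte placeholder "certificate" */
static const uint8_t SAMPLE_ESL[48] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,   /* SignatureType */
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
    48, 0, 0, 0,   0, 0, 0, 0,   20, 0, 0, 0,         /* list, header, entry sizes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* SignatureOwner GUID */
    0x30, 0x82, 0x01, 0x0a };                         /* placeholder data */

typedef int (*cert_cb)(const uint8_t *der, size_t len, void *ctx);
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical callback: adds up certificate bytes instead of loading a keyring */
int sum_len(const uint8_t *der, size_t len, void *ctx)
{
    (void)der; *(size_t *)ctx += len; return 0;
}

/* Walk concatenated lists; returns the X.509 entry count, or -1 if malformed */
int esl_for_each_x509(const uint8_t *buf, size_t size, cert_cb cb, void *ctx)
{
    int found = 0;
    while (size > 0) {
        if (size < 28) return -1;                 /* GUID + three u32 fields */
        uint32_t lsize = le32(buf + 16), hsize = le32(buf + 20), esize = le32(buf + 24);
        if (lsize < 28 || lsize > size || hsize > lsize - 28) return -1;
        uint32_t body = lsize - 28 - hsize;       /* bytes occupied by entries */
        if (esize <= 16 || body % esize != 0) return -1;
        if (memcmp(buf, X509_GUID, 16) == 0)      /* other types are skipped */
            for (uint32_t off = 0; off < body; off += esize, found++)
                if (cb(buf + 28 + hsize + off + 16, esize - 16, ctx) != 0) return -1;
        buf += lsize; size -= lsize;
    }
    return found;
}

int main(void)
{
    size_t total = 0;
    printf("%d\n", esl_for_each_x509(SAMPLE_ESL, sizeof SAMPLE_ESL, sum_len, &total));
    return 0;
}
```

Every size field comes from firmware-provided data, so each one is checked against the remaining buffer before it is used as an offset.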