------- Comment From <email address hidden> 2021-03-18 00:22 EDT-------
Apologies once again for the delay.
> @Daniel
> "In either case, however, the CA that signs the kernel signing key needs to
> be built in to the kernel's .builtin_trusted_keys keyring."
>
> On Ubuntu, for OPAL signing, on PowerPC, we do not use a CA at all. It is our
> understanding that firmware doesn't support verifying signature chains to a
> CA. Thus instead we use self-signed certificates for the kernel which have
> not been signed by a CA.
>
> Thus we should simply include them all in the trusted keyring, and there is no
> need to ship anything on disk or load anything from the userspace.
My mistake. Yes, if you build the kernel signing key into the trusted keyring, that should cover everything.
Kind regards,
Daniel
------- Comment From <email address hidden> 2021-03-18 00:29 EDT-------
Wait, no, hang on, this keeps tripping me up.
IMA kexec appended-signature verification uses only the %.ima and %.platform keyrings. Having the key in %.builtin_trusted_keys should logically be enough, but that's not how the code works, much to my regular frustration. Here's groovy/master security/integrity/ima/ima_appraise.c modsig_verify():
	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
	    func == KEXEC_KERNEL_CHECK)
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);
	if (rc) {
		*cause = "invalid-signature";
		*status = INTEGRITY_FAIL;
	} else {
		*status = INTEGRITY_PASS;
	}
So just having it in %:.builtin_trusted_keys doesn't suffice, we need to get it into %:.ima or %:.platform somehow.
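The modsig being verified above is the signature appended to the kexec'd kernel image. As an added example (editor's code, not part of the bug thread and not the kernel's own code), the following user-space program locates and sanity-checks that appended-signature trailer the way the kernel does before integrity_modsig_verify() consults the .ima or .platform keyring. The trailer layout and checks mirror the kernel's struct module_signature and mod_check_sig(); the keyring lookup itself cannot be reproduced outside the kernel and is not attempted. The sample image is constructed inline and its PKCS#7 payload is a placeholder, not a real signature, so the program exercises only the parse step.

```c
/* Added example, not from the bug thread or the kernel tree: user-space
 * parser for the appended-signature trailer that IMA's modsig path reads
 * before integrity_modsig_verify() consults the .ima / .platform keyrings.
 * Layout and checks mirror the kernel's struct module_signature and
 * mod_check_sig(). The sample image is constructed; its PKCS#7 payload is
 * a placeholder, not a real signature. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl/htonl: sig_len is stored big-endian */

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7 2

/* Same 12-byte layout as the kernel's struct module_signature. */
struct module_signature {
    uint8_t algo;        /* must be 0: the algorithm lives inside the PKCS#7 */
    uint8_t hash;        /* must be 0 */
    uint8_t id_type;     /* must be PKEY_ID_PKCS7 */
    uint8_t signer_len;  /* must be 0 */
    uint8_t key_id_len;  /* must be 0 */
    uint8_t pad[3];      /* must be 0 */
    uint32_t sig_len;    /* big-endian length of the PKCS#7 blob */
};

/* Results of the most recent sample_rc() call. */
size_t g_last_body_len, g_last_sig_len;

/* Locate the PKCS#7 blob at the end of image[0..len). Returns 0 and sets
 * *body_len (the signed content, i.e. what IMA hashes), *sig_off, *sig_len;
 * -1 if the marker is missing; -2 if the trailer fails the mod_check_sig()
 * checks (bad id_type, non-zero unused fields, sig_len overrunning the image). */
int parse_appended_sig(const uint8_t *image, size_t len,
                       size_t *body_len, size_t *sig_off, size_t *sig_len)
{
    struct module_signature ms;
    size_t sl;

    if (len < MODULE_SIG_STRING_LEN + sizeof(ms))
        return -1;
    if (memcmp(image + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
               MODULE_SIG_STRING_LEN) != 0)
        return -1;
    len -= MODULE_SIG_STRING_LEN;
    memcpy(&ms, image + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);

    if (ms.id_type != PKEY_ID_PKCS7)
        return -2;
    if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len ||
        ms.pad[0] || ms.pad[1] || ms.pad[2])
        return -2;
    sl = ntohl(ms.sig_len);
    if (sl > len)
        return -2;
    *body_len = len - sl;
    *sig_off = len - sl;
    *sig_len = sl;
    return 0;
}

/* Build a constructed image: body || placeholder PKCS#7 || trailer || marker.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t id_type)
{
    static const char body[] = "constructed kernel image bytes";
    static const uint8_t p7[] = { 0x30, 0x82, 0x00, 0x00 }; /* placeholder */
    struct module_signature ms = { 0 };
    size_t n = 0, body_len = sizeof(body) - 1;

    ms.id_type = id_type;
    ms.sig_len = htonl(sizeof(p7));
    if (cap < body_len + sizeof(p7) + sizeof(ms) + MODULE_SIG_STRING_LEN)
        return 0;
    memcpy(out + n, body, body_len);    n += body_len;
    memcpy(out + n, p7, sizeof(p7));    n += sizeof(p7);
    memcpy(out + n, &ms, sizeof(ms));   n += sizeof(ms);
    memcpy(out + n, MODULE_SIG_STRING, MODULE_SIG_STRING_LEN);
    return n + MODULE_SIG_STRING_LEN;
}

/* Parse a sample with the given id_type, optionally truncated by `drop`
 * bytes or with the high byte of sig_len corrupted; returns the parser's rc. */
int sample_rc(uint8_t id_type, size_t drop, int corrupt_len)
{
    uint8_t img[128];
    size_t n = build_sample(img, sizeof(img), id_type), off = 0;

    g_last_body_len = g_last_sig_len = 0;
    if (n == 0 || drop > n)
        return -3;
    if (corrupt_len)   /* sig_len is the last 4 bytes before the marker */
        img[n - MODULE_SIG_STRING_LEN - sizeof(uint32_t)] = 0xff;
    return parse_appended_sig(img, n - drop, &g_last_body_len, &off,
                              &g_last_sig_len);
}

int main(void)
{
    int rc = sample_rc(PKEY_ID_PKCS7, 0, 0);
    printf("valid trailer: rc=%d body_len=%zu sig_len=%zu\n",
           rc, g_last_body_len, g_last_sig_len);
    printf("wrong id_type: rc=%d\n", sample_rc(0, 0, 0));
    printf("missing marker: rc=%d\n", sample_rc(PKEY_ID_PKCS7, 1, 0));
    printf("oversized sig_len: rc=%d\n", sample_rc(PKEY_ID_PKCS7, 0, 1));
    return rc == 0 ? 0 : 1;
}
```

Everything this program accepts would still fail in the kernel with "invalid-signature" unless the PKCS#7 signer's key is present in %:.ima or %:.platform; the trailer parse only decides which bytes are signed content and which are the signature, it does not decide trust.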