Comment 14 for bug 1903288

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-03-18 00:22 EDT-------
Apologies once again for the delay.

> @Daniel
> "In either case, however, the CA that signs the kernel signing key needs to
> be built in to the kernel's .builtin_trusted_keys keyring."
>
> On Ubuntu, for OPAL signing, on PowerPC, we do not use CA at all. It is our
> understanding that firmware doesn't support verifying signature chains to a
> CA. Thus instead we use self-signed certificates for the kernel which have
> not been signed by a CA.
>
> Thus we should simply include them all in trusted keyring, and there is no
> need to ship anything on disk or load anything from the userspace.

My mistake. Yes, if you build the kernel signing key into the trusted keyring, that should cover everything.

Kind regards,
Daniel

------- Comment From <email address hidden> 2021-03-18 00:29 EDT-------
Wait, no, hang on, this keeps tripping me up.

IMA kexec appended-signature verification uses only the %:.ima and %:.platform keyrings. Having the key in %:.builtin_trusted_keys should logically be enough, but that's not how the code works, much to my regular frustration. Here's groovy/master security/integrity/ima/ima_appraise.c modsig_verify():

	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
	    func == KEXEC_KERNEL_CHECK)
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);
	if (rc) {
		*cause = "invalid-signature";
		*status = INTEGRITY_FAIL;
	} else {
		*status = INTEGRITY_PASS;
	}

So just having it in %:.builtin_trusted_keys doesn't suffice, we need to get it into %:.ima or %:.platform somehow.
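The keyring fallback order the comment above describes, as an added model that is not part of this bug thread or of the kernel source: keyrings are modelled as sets of key ids and signature verification is replaced by membership, so the constructed key id and the `Keyrings` class are assumptions, but the decision order (.ima first, .platform only for KEXEC_KERNEL_CHECK with CONFIG_INTEGRITY_PLATFORM_KEYRING, .builtin_trusted_keys never consulted) follows the quoted modsig_verify().

```python
# Illustrative model of the modsig_verify() decision quoted in the comment.
# Not kernel code: keyrings are sets of key ids, and "verifying" a signature
# is reduced to checking whether the signer's key is in the consulted keyring.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

KEXEC_KERNEL_CHECK = "KEXEC_KERNEL_CHECK"
MODULE_CHECK = "MODULE_CHECK"


@dataclass
class Keyrings:
    """The three kernel keyrings relevant here (hypothetical model)."""
    builtin_trusted_keys: Set[str] = field(default_factory=set)
    ima: Set[str] = field(default_factory=set)
    platform: Set[str] = field(default_factory=set)


def integrity_modsig_verify(keyring: Set[str], signer_key_id: str) -> int:
    """0 on success, non-zero when the signer is not in this keyring."""
    return 0 if signer_key_id in keyring else 1


def modsig_verify(func: str, signer_key_id: str, rings: Keyrings,
                  platform_keyring_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return (status, cause) following the kernel's fallback order:
    .ima is always tried; .platform only when CONFIG_INTEGRITY_PLATFORM_KEYRING
    is set AND the hook is KEXEC_KERNEL_CHECK; .builtin_trusted_keys is never
    consulted, which is the point of the comment above."""
    rc = integrity_modsig_verify(rings.ima, signer_key_id)
    if platform_keyring_enabled and rc and func == KEXEC_KERNEL_CHECK:
        rc = integrity_modsig_verify(rings.platform, signer_key_id)
    if rc:
        return "INTEGRITY_FAIL", "invalid-signature"
    return "INTEGRITY_PASS", None


def builtin_only_case() -> Tuple[str, Optional[str]]:
    """The situation discussed in the bug: the kernel signing key is built
    into .builtin_trusted_keys only (constructed key id), so a kexec
    appended-signature check fails even though the key is trusted."""
    key = "constructed-kernel-signing-key"
    rings = Keyrings(builtin_trusted_keys={key})
    return modsig_verify(KEXEC_KERNEL_CHECK, key, rings)
```

Adding the same key id to `rings.ima` or `rings.platform` flips the kexec result to INTEGRITY_PASS, while the `.platform` fallback does nothing for a MODULE_CHECK hook.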