Re: [PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling
Hi David, New keys can be added to the keyring by signing them with existing ones, and existing ones come from UEFI or are compiled into the kernel. With this patch, we can add the "compiled in" ones without recompiling the kernel. The scenario is, a key is inserted into a stock kernel and the resulting kernel image is re-signed to create a custom image for secure boot that can trust that key. Instead of giving away the signing key, we can give the inserted key to the user of the image. Does this make sense? Mehmet > On Nov 26, 2015, at 10:00 AM, David Howellswrote: > > Mehmet Kayaalp wrote: > >> Place a system_extra_cert buffer of configurable size, right after the >> system_certificate_list, so that inserted keys can be readily processed by >> the existing mechanism. > > Do you have a particular use case for this? > > David > -- > To unsubscribe from this list: send the line "unsubscribe keyrings" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling
On Tue, 2015-11-24 at 16:18 -0500, Mehmet Kayaalp wrote: > Place a system_extra_cert buffer of configurable size, right after the > system_certificate_list, so that inserted keys can be readily processed by > the existing mechanism. Added script takes a key file and a kernel image > and inserts its contents to the reserved area. The > system_certificate_list_size is also adjusted accordingly. > > Call the script as: > > scripts/insert-sys-cert -b -c > > If vmlinux has no symbol table, supply System.map file with -s flag. > Subsequent runs replace the previously inserted key, instead of appending > the new one. > > Signed-off-by: Mehmet KayaalpThanks, Mehmet! Although the expected usecase scenario for inserting certificates in the image is for modifying an existing kernel image, not for building a kernel, you might want to modify "make" to compare the uncompressed and compressed image time stamps. If the compressed image time stamp is earlier than the uncompressed one, output a message indicating the image changed and compress the image again. For now, anyone attempting to insert an additional or different certificate needs to remove the existing compressed image. Acked-by: Mimi Zohar > --- > certs/Kconfig | 16 ++ > certs/system_certificates.S | 12 ++ > scripts/.gitignore | 1 + > scripts/Makefile| 1 + > scripts/insert-sys-cert.c | 410 > > 5 files changed, 440 insertions(+) > create mode 100644 scripts/insert-sys-cert.c > > diff --git a/certs/Kconfig b/certs/Kconfig > index b030b9c7ed34..f0f8a4433685 100644 > --- a/certs/Kconfig > +++ b/certs/Kconfig > @@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS > form of DER-encoded *.x509 files in the top-level build directory, > those are no longer used. You will need to set this option instead. > > +config SYSTEM_EXTRA_CERTIFICATE > + bool "Reserve area for inserting a certificate without recompiling" > + depends on SYSTEM_TRUSTED_KEYRING > + help > + If set, space for an extra certificate will be reserved in the kernel > + image. This allows introducing a trusted certificate to the default > + system keyring without recompiling the kernel. > + > +config SYSTEM_EXTRA_CERTIFICATE_SIZE > + int "Number of bytes to reserve for the extra certificate" > + depends on SYSTEM_EXTRA_CERTIFICATE > + default 4096 > + help > + This is the number of bytes reserved in the kernel image for a > + certificate to be inserted. > + > endmenu > diff --git a/certs/system_certificates.S b/certs/system_certificates.S > index 9216e8c81764..f82e1b22eac4 100644 > --- a/certs/system_certificates.S > +++ b/certs/system_certificates.S > @@ -13,6 +13,18 @@ __cert_list_start: > .incbin "certs/x509_certificate_list" > __cert_list_end: > > +#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE > + .globl VMLINUX_SYMBOL(system_extra_cert) > + .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE > +VMLINUX_SYMBOL(system_extra_cert): > + .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0 > + > + .globl VMLINUX_SYMBOL(system_extra_cert_used) > +VMLINUX_SYMBOL(system_extra_cert_used): > + .int 0 > + > +#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */ > + > .align 8 > .globl VMLINUX_SYMBOL(system_certificate_list_size) > VMLINUX_SYMBOL(system_certificate_list_size): > diff --git a/scripts/.gitignore b/scripts/.gitignore > index 1f78169d4254..e063daa3ec4a 100644 > --- a/scripts/.gitignore > +++ b/scripts/.gitignore > @@ -13,3 +13,4 @@ sortextable > asn1_compiler > extract-cert > sign-file > +insert-sys-cert > diff --git a/scripts/Makefile b/scripts/Makefile > index fd0d53d4a234..822ab4a6a4aa 100644 > --- a/scripts/Makefile > +++ b/scripts/Makefile > @@ -19,6 +19,7 @@ hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable > hostprogs-$(CONFIG_ASN1) += asn1_compiler > hostprogs-$(CONFIG_MODULE_SIG)+= sign-file > hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert > +hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert > > HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include > HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include > diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c > new file mode 100644 > index ..8902836c2342 > --- /dev/null > +++ b/scripts/insert-sys-cert.c > @@ -0,0 +1,410 @@ > +/* Write the contents of the into kernel symbol system_extra_cert > + * > + * Copyright (C) IBM Corporation, 2015 > + * > + * Author: Mehmet Kayaalp > + * > + * This software may be used and distributed according to the terms > + * of the GNU General Public License, incorporated herein by reference. > + * > + * Usage: insert-sys-cert [-s -b -c > + */ > + > +#define _GNU_SOURCE > +#include > +#include > +#include > +#include > +#include >
[PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling
Place a system_extra_cert buffer of configurable size, right after the system_certificate_list, so that inserted keys can be readily processed by the existing mechanism. Added script takes a key file and a kernel image and inserts its contents to the reserved area. The system_certificate_list_size is also adjusted accordingly. Call the script as: scripts/insert-sys-cert -b -c If vmlinux has no symbol table, supply System.map file with -s flag. Subsequent runs replace the previously inserted key, instead of appending the new one. Signed-off-by: Mehmet Kayaalp--- certs/Kconfig | 16 ++ certs/system_certificates.S | 12 ++ scripts/.gitignore | 1 + scripts/Makefile| 1 + scripts/insert-sys-cert.c | 410 5 files changed, 440 insertions(+) create mode 100644 scripts/insert-sys-cert.c diff --git a/certs/Kconfig b/certs/Kconfig index b030b9c7ed34..f0f8a4433685 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS form of DER-encoded *.x509 files in the top-level build directory, those are no longer used. You will need to set this option instead. +config SYSTEM_EXTRA_CERTIFICATE + bool "Reserve area for inserting a certificate without recompiling" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, space for an extra certificate will be reserved in the kernel + image. This allows introducing a trusted certificate to the default + system keyring without recompiling the kernel. + +config SYSTEM_EXTRA_CERTIFICATE_SIZE + int "Number of bytes to reserve for the extra certificate" + depends on SYSTEM_EXTRA_CERTIFICATE + default 4096 + help + This is the number of bytes reserved in the kernel image for a + certificate to be inserted. + endmenu diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 9216e8c81764..f82e1b22eac4 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -13,6 +13,18 @@ __cert_list_start: .incbin "certs/x509_certificate_list" __cert_list_end: +#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE + .globl VMLINUX_SYMBOL(system_extra_cert) + .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE +VMLINUX_SYMBOL(system_extra_cert): + .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0 + + .globl VMLINUX_SYMBOL(system_extra_cert_used) +VMLINUX_SYMBOL(system_extra_cert_used): + .int 0 + +#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */ + .align 8 .globl VMLINUX_SYMBOL(system_certificate_list_size) VMLINUX_SYMBOL(system_certificate_list_size): diff --git a/scripts/.gitignore b/scripts/.gitignore index 1f78169d4254..e063daa3ec4a 100644 --- a/scripts/.gitignore +++ b/scripts/.gitignore @@ -13,3 +13,4 @@ sortextable asn1_compiler extract-cert sign-file +insert-sys-cert diff --git a/scripts/Makefile b/scripts/Makefile index fd0d53d4a234..822ab4a6a4aa 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -19,6 +19,7 @@ hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable hostprogs-$(CONFIG_ASN1)+= asn1_compiler hostprogs-$(CONFIG_MODULE_SIG) += sign-file hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert +hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c new file mode 100644 index ..8902836c2342 --- /dev/null +++ b/scripts/insert-sys-cert.c @@ -0,0 +1,410 @@ +/* Write the contents of the into kernel symbol system_extra_cert + * + * Copyright (C) IBM Corporation, 2015 + * + * Author: Mehmet Kayaalp + * + * This software may be used and distributed according to the terms + * of the GNU General Public License, incorporated herein by reference. + * + * Usage: insert-sys-cert [-s -b -c + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define CERT_SYM "system_extra_cert" +#define USED_SYM "system_extra_cert_used" +#define LSIZE_SYM "system_certificate_list_size" + +#define info(format, args...) fprintf(stderr, "INFO:" format, ## args) +#define warn(format, args...) fprintf(stdout, "WARNING: " format, ## args) +#define err(format, args...) fprintf(stderr, "ERROR: " format, ## args) + +#if UINTPTR_MAX == 0x +#define CURRENT_ELFCLASS ELFCLASS32 +#define Elf_Ehdr Elf32_Ehdr +#define Elf_Shdr Elf32_Shdr +#define Elf_SymElf32_Sym +#else +#define CURRENT_ELFCLASS ELFCLASS64 +#define Elf_Ehdr Elf64_Ehdr +#define Elf_Shdr Elf64_Shdr +#define Elf_SymElf64_Sym +#endif + +static unsigned char