Re: [PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling

2015-12-01 Thread Mehmet Kayaalp
Hi David,

New keys can be added to the keyring by signing them with existing ones, and
existing ones come from UEFI or are compiled into the kernel. With this patch,
we can add the "compiled in" ones without recompiling the kernel. The scenario
is, a key is inserted into a stock kernel and the resulting kernel image is
re-signed to create a custom image for secure boot that can trust that key.
Instead of giving away the signing key, we can give the inserted key to the
user of the image.

Does this make sense?

Mehmet

> On Nov 26, 2015, at 10:00 AM, David Howells  wrote:
> 
> Mehmet Kayaalp  wrote:
> 
>> Place a system_extra_cert buffer of configurable size, right after the
>> system_certificate_list, so that inserted keys can be readily processed by
>> the existing mechanism.
> 
> Do you have a particular use case for this?
> 
> David
> --
> To unsubscribe from this list: send the line "unsubscribe keyrings" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

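An added example, not from the patch and not from anyone in this thread, that models in C what the patch depends on: a zero-filled reserved area sitting directly after the compiled-in DER list, a separate size word that the insert tool widens by exactly the inserted length, and a loader that walks that many bytes entry by entry. The struct, the filler "certificates" and the step numbers are constructed for the example; EXTRA_CERT_SIZE is the Kconfig default from the patch; the framing check in der_cert_len (a DER SEQUENCE with a 0x30 0x82 two-byte-length header) is my assumption about the shape of check the kernel's list loader applies, not the kernel's own code. It shows why the size word has to be adjusted rather than left covering the whole reserved area, and why a second insert must replace the first.

```c
#include <stdio.h>
#include <string.h>

#define EXTRA_CERT_SIZE 4096   /* CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE default */
#define BASE_LIST_MAX   2048   /* room for the constructed compiled-in list */

/* Constructed model of the layout in certs/system_certificates.S: the
 * compiled-in DER list is immediately followed by the zero-filled reserved
 * area, and a separate size word tells the loader how many bytes to parse. */
struct cert_image {
	unsigned char blob[BASE_LIST_MAX + EXTRA_CERT_SIZE];
	size_t base_list_size;  /* bytes occupied by the compiled-in list */
	size_t cert_list_size;  /* system_certificate_list_size as patched */
	int extra_cert_used;    /* system_extra_cert_used */
};

/* Framing check on one entry: a DER SEQUENCE in the 0x30 0x82 hi lo form
 * (the form any real, >256-byte certificate uses). Returns the entry length
 * including the 4-byte header, or 0 if malformed or past the end of the
 * list. Assumption: this mirrors the kind of check the kernel loader makes. */
static size_t der_cert_len(const unsigned char *p, size_t avail)
{
	size_t len;
	if (avail < 4 || p[0] != 0x30 || p[1] != 0x82)
		return 0;
	len = ((size_t)p[2] << 8 | p[3]) + 4;
	return len <= avail ? len : 0;
}

/* Walk cert_list_size bytes the way the loader would; return the number of
 * certificates it would load, or -1 on the first bad entry. */
static int count_certs(const struct cert_image *img)
{
	const unsigned char *p = img->blob;
	size_t left = img->cert_list_size;
	int n = 0;
	while (left > 0) {
		size_t len = der_cert_len(p, left);
		if (len == 0)
			return -1;
		p += len;
		left -= len;
		n++;
	}
	return n;
}

/* What the insert tool must do to the symbols: validate, write the DER bytes
 * into the reserved area (replacing any earlier insert), mark it used, and
 * widen the size word by exactly the inserted length. */
static int insert_extra_cert(struct cert_image *img, const unsigned char *der, size_t len)
{
	unsigned char *extra = img->blob + img->base_list_size;
	if (img->base_list_size + EXTRA_CERT_SIZE > sizeof(img->blob))
		return -1;
	if (len > EXTRA_CERT_SIZE)
		return -1;                  /* does not fit the reserved area */
	if (der_cert_len(der, len) != len)
		return -1;                  /* not one DER certificate: PEM, truncated, garbage */
	memset(extra, 0, EXTRA_CERT_SIZE);  /* replace, never append */
	memcpy(extra, der, len);
	img->extra_cert_used = 1;
	img->cert_list_size = img->base_list_size + len;
	return 0;
}

/* Constructed stand-in for a certificate: correct framing, filler body. */
static size_t make_fake_cert(unsigned char *out, size_t body_len, unsigned char fill)
{
	out[0] = 0x30;
	out[1] = 0x82;
	out[2] = (unsigned char)(body_len >> 8);
	out[3] = (unsigned char)body_len;
	memset(out + 4, fill, body_len);
	return body_len + 4;
}

/* A stock image: two compiled-in certificates, empty reserved area. */
static void init_image(struct cert_image *img)
{
	size_t off = 0;
	memset(img, 0, sizeof(*img));
	off += make_fake_cert(img->blob + off, 604, 0xA1);
	off += make_fake_cert(img->blob + off, 604, 0xB2);
	img->base_list_size = off;
	img->cert_list_size = off;
}

/* Run the sequence the thread describes. Returns 0 if every step behaved as
 * expected, otherwise the number of the first step that did not. */
static int demo(void)
{
	struct cert_image img;
	unsigned char cert[EXTRA_CERT_SIZE + 16];
	const char *pem = "-----BEGIN CERTIFICATE-----\n";
	size_t n;

	init_image(&img);
	if (count_certs(&img) != 2)
		return 1;
	/* first insert: the unchanged loader now sees three certificates */
	n = make_fake_cert(cert, 1000, 0xC3);
	if (insert_extra_cert(&img, cert, n) != 0 || count_certs(&img) != 3)
		return 2;
	if (img.cert_list_size != img.base_list_size + 1004 || !img.extra_cert_used)
		return 3;
	/* second insert replaces the first rather than appending a fourth */
	n = make_fake_cert(cert, 500, 0xD4);
	if (insert_extra_cert(&img, cert, n) != 0 || count_certs(&img) != 3)
		return 4;
	if (img.cert_list_size != img.base_list_size + 504)
		return 5;
	/* larger than the reserved area: refused, image untouched */
	n = make_fake_cert(cert, EXTRA_CERT_SIZE, 0xE5);
	if (insert_extra_cert(&img, cert, n) != -1 || count_certs(&img) != 3)
		return 6;
	/* PEM text: refused, the loader only understands raw DER */
	if (insert_extra_cert(&img, (const unsigned char *)pem, strlen(pem)) != -1)
		return 7;
	/* why the size word must be exact: covering the whole reserved area
	 * makes the loader walk into the zero fill and reject the list */
	img.cert_list_size = img.base_list_size + EXTRA_CERT_SIZE;
	if (count_certs(&img) != -1)
		return 8;
	return 0;
}

int main(void)
{
	int rc = demo();
	printf("demo: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
	return rc ? 1 : 0;
}
```

The model deliberately rejects anything that is not a single well-framed DER certificate before touching the image, which is the check a practitioner would want the real tool to make before it rewrites symbols in a vmlinux that will then be re-signed.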


Re: [PATCH 1/2] KEYS: Reserve an extra certificate symbol for inserting without recompiling

2015-11-25 Thread Mimi Zohar
On Tue, 2015-11-24 at 16:18 -0500, Mehmet Kayaalp wrote:
> Place a system_extra_cert buffer of configurable size, right after the
> system_certificate_list, so that inserted keys can be readily processed by
> the existing mechanism. Added script takes a key file and a kernel image
> and inserts its contents to the reserved area. The
> system_certificate_list_size is also adjusted accordingly.
> 
> Call the script as:
> 
> scripts/insert-sys-cert -b  -c 
> 
> If vmlinux has no symbol table, supply System.map file with -s flag.
> Subsequent runs replace the previously inserted key, instead of appending
> the new one.
> 
> Signed-off-by: Mehmet Kayaalp 

Thanks, Mehmet!

Although the expected use case scenario for inserting certificates in the
image is for modifying an existing kernel image, not for building a
kernel, you might want to modify "make" to compare the uncompressed and
compressed image time stamps.  If the compressed image time stamp is
earlier than the uncompressed one, output a message indicating the image
changed and compress the image again.

For now, anyone attempting to insert an additional or different
certificate needs to remove the existing compressed image.

Acked-by:  Mimi Zohar 

> ---
>  certs/Kconfig   |  16 ++
>  certs/system_certificates.S |  12 ++
>  scripts/.gitignore  |   1 +
>  scripts/Makefile|   1 +
>  scripts/insert-sys-cert.c   | 410 
> 
>  5 files changed, 440 insertions(+)
>  create mode 100644 scripts/insert-sys-cert.c
> 
> diff --git a/certs/Kconfig b/certs/Kconfig
> index b030b9c7ed34..f0f8a4433685 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS
> form of DER-encoded *.x509 files in the top-level build directory,
> those are no longer used. You will need to set this option instead.
> 
> +config SYSTEM_EXTRA_CERTIFICATE
> + bool "Reserve area for inserting a certificate without recompiling"
> + depends on SYSTEM_TRUSTED_KEYRING
> + help
> +   If set, space for an extra certificate will be reserved in the kernel
> +   image. This allows introducing a trusted certificate to the default
> +   system keyring without recompiling the kernel.
> +
> +config SYSTEM_EXTRA_CERTIFICATE_SIZE
> + int "Number of bytes to reserve for the extra certificate"
> + depends on SYSTEM_EXTRA_CERTIFICATE
> + default 4096
> + help
> +   This is the number of bytes reserved in the kernel image for a
> +   certificate to be inserted.
> +
>  endmenu
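Review bot: the help text for SYSTEM_EXTRA_CERTIFICATE_SIZE does not say what form the inserted certificate must take or what happens when it does not fit; it should state that the file must be DER-encoded (the same form as the certs/x509_certificate_list it sits behind, so the existing loader can parse it) and that the insert tool refuses a file larger than this many bytes. The SYSTEM_EXTRA_CERTIFICATE help should also warn that writing into an already signed vmlinux invalidates that signature, so the image has to be re-signed afterwards, which is the use case described in this thread. Consider a `range` on the int option so a value smaller than any real certificate cannot be chosen.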
> diff --git a/certs/system_certificates.S b/certs/system_certificates.S
> index 9216e8c81764..f82e1b22eac4 100644
> --- a/certs/system_certificates.S
> +++ b/certs/system_certificates.S
> @@ -13,6 +13,18 @@ __cert_list_start:
>   .incbin "certs/x509_certificate_list"
>  __cert_list_end:
> 
> +#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE
> + .globl VMLINUX_SYMBOL(system_extra_cert)
> + .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE
> +VMLINUX_SYMBOL(system_extra_cert):
> + .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0
> +
> + .globl VMLINUX_SYMBOL(system_extra_cert_used)
> +VMLINUX_SYMBOL(system_extra_cert_used):
> + .int 0
> +
> +#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */
> +
>   .align 8
>   .globl VMLINUX_SYMBOL(system_certificate_list_size)
>  VMLINUX_SYMBOL(system_certificate_list_size):
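Review bot: `system_extra_cert_used` is a 4-byte `.int` emitted directly after a `.fill` of CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE bytes with no alignment directive, so any size that is not a multiple of 4 leaves the flag unaligned; add `.align 4` before the `.globl VMLINUX_SYMBOL(system_extra_cert_used)` line, as the list size word below already gets its own `.align 8`. Two smaller points in the same hunk: `.size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE` names the bare symbol while the `.globl` and the label use `VMLINUX_SYMBOL(system_extra_cert)`, so on an architecture with a symbol prefix the `.size` applies to a different name; and `system_extra_cert_used` is not mentioned in the commit message at all, although the "subsequent runs replace the previously inserted key" behaviour presumably depends on it, so say who writes it and who reads it.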
> diff --git a/scripts/.gitignore b/scripts/.gitignore
> index 1f78169d4254..e063daa3ec4a 100644
> --- a/scripts/.gitignore
> +++ b/scripts/.gitignore
> @@ -13,3 +13,4 @@ sortextable
>  asn1_compiler
>  extract-cert
>  sign-file
> +insert-sys-cert
> diff --git a/scripts/Makefile b/scripts/Makefile
> index fd0d53d4a234..822ab4a6a4aa 100644
> --- a/scripts/Makefile
> +++ b/scripts/Makefile
> @@ -19,6 +19,7 @@ hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable
>  hostprogs-$(CONFIG_ASN1)  += asn1_compiler
>  hostprogs-$(CONFIG_MODULE_SIG)+= sign-file
>  hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
> +hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
> 
>  HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include
>  HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
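Review bot: building insert-sys-cert only under CONFIG_SYSTEM_EXTRA_CERTIFICATE ties the tool to the .config of the tree it is built in, but the expected use (per the review above) is to patch an existing image, possibly from a tree configured differently from the one that produced it. Consider building it under CONFIG_SYSTEM_TRUSTED_KEYRING alongside extract-cert, or unconditionally, since the tool itself has no dependency on the option.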
> diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
> new file mode 100644
> index ..8902836c2342
> --- /dev/null
> +++ b/scripts/insert-sys-cert.c
> @@ -0,0 +1,410 @@
> +/* Write the contents of the  into kernel symbol system_extra_cert
> + *
> + * Copyright (C) IBM Corporation, 2015
> + *
> + * Author: Mehmet Kayaalp 
> + *
> + * This software may be used and distributed according to the terms
> + * of the GNU General Public License, incorporated herein by reference.
> + *
> + * Usage: insert-sys-cert [-s  -b  -c 
> + */
> +
> +#define _GNU_SOURCE
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
>
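Review bot: the header says the tool writes the contents of the given file into `system_extra_cert`, and the commit message promises that later runs replace rather than append; before anything is written to vmlinux the tool should therefore check that the input is a single DER-encoded certificate (reject PEM, which the loader cannot parse), that it is no larger than the reserved area, and that the DER length prefix matches the file length so a truncated file is caught, since a malformed entry in the list is found only at boot after the image has already been re-signed. The body of the file is not visible here, so if those checks exist, a sentence in the commit message saying so would help reviewers.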