On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote: > Hi, as the subject, this is a patch that links the new introduced > .platform keyring into .secondary_trusted_keys keyring. This is > mainly for the kexec_file_load, make kexec_file_load be able to verify > the kernel image agains keys provided by platform or firmware. > kexec_file_load already could verify the image agains secondary_trusted_keys > if secondary_trusted_keys exits, so this will make kexec_file_load be ware > of platform keys as well.
The builtin and secondary keyrings have a signature change of trust rooted in the signed kernel image. Adding the pre-boot keys to the secondary keyring breaks that signature chain of trust. Mimi > > This may also useful for things like module sign verify that are using > secondary_trusted_keys. I'm not sure if it will be better to move the > INTEGRITY_PLATFORM_KEYRING to certs/ and let integrity subsystem use > the keyring there, so just linked the .platform keyring into kernel's > .secondary_trusted_keys keyring. > > It workd for my case, tested in a VM, I signed the kernel image locally > with pesign and imported the cert to EFI's MokList variable. > > Kairui Song (1): > KEYS, integrity: Link .platform keyring to .secondary_trusted_keys > > certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++ > include/keys/platform_keyring.h | 12 ++++++++++++ > security/integrity/digsig.c | 7 +++++++ > 3 files changed, 49 insertions(+) > create mode 100644 include/keys/platform_keyring.h >
