Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
Hi Nayna,
I love your patch! Yet something to improve:
[auto build test ERROR on kbuild/for-next]
[also build test ERROR on integrity/next-integrity linus/master
security/next-testing v5.11-rc7]
[cannot apply to next-20210211]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url:
https://github.com/0day-ci/linux/commits/Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
base:
https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git
for-next
config: x86_64-randconfig-a013-20210209 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project
c9439ca36342fb6013187d0a69aef92736951476)
reproduce (this is a W=1 build):
wget
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O
~/bin/make.cross
chmod +x ~/bin/make.cross
# install x86_64 cross compiling tool for clang build
# apt-get install binutils-x86-64-linux-gnu
#
https://github.com/0day-ci/linux/commit/84acbcedcd14fe43bf648857b4642c9bf426afd4
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review
Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
git checkout 84acbcedcd14fe43bf648857b4642c9bf426afd4
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
All errors (new ones prefixed by >>):
Can't open certs/signing_key.crt for reading, No such file or directory
>> 140683809875072:error:02001002:system library:fopen:No such file or
>> directory:../crypto/bio/bss_file.c:69:fopen('certs/signing_key.crt','r')
>> 140683809875072:error:2006D080:BIO routines:BIO_new_file:no such
>> file:../crypto/bio/bss_file.c:76:
unable to load certificate
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org
.config.gz
Description: application/gzip
Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
Hi Nayna,
I love your patch! Yet something to improve:
[auto build test ERROR on kbuild/for-next]
[also build test ERROR on integrity/next-integrity linus/master
security/next-testing v5.11-rc7]
[cannot apply to next-20210211]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url:
https://github.com/0day-ci/linux/commits/Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
base:
https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git
for-next
config: nds32-allyesconfig (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O
~/bin/make.cross
chmod +x ~/bin/make.cross
#
https://github.com/0day-ci/linux/commit/84acbcedcd14fe43bf648857b4642c9bf426afd4
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review
Nayna-Jain/ima-kernel-build-support-for-loading-the-kernel-module-signing-key/20210212-040003
git checkout 84acbcedcd14fe43bf648857b4642c9bf426afd4
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross
ARCH=nds32
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
All errors (new ones prefixed by >>):
Can't open certs/signing_key.crt for reading, No such file or directory
>> 139789059654784:error:02001002:system library:fopen:No such file or
>> directory:../crypto/bio/bss_file.c:69:fopen('certs/signing_key.crt','r')
>> 139789059654784:error:2006D080:BIO routines:BIO_new_file:no such
>> file:../crypto/bio/bss_file.c:76:
unable to load certificate
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org
.config.gz
Description: application/gzip
Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
On Thu, 2021-02-11 at 17:13 -0500, Stefan Berger wrote: > On 2/11/21 2:54 PM, Nayna Jain wrote: > > Certificates being loaded onto the IMA trusted keyring must be signed by > > a key on either the builtin and secondary trusted keyring. > > > > This patch creates and includes in the kernel image an ephemeral CA > > key, at build time when IMA_APPRAISE_MODSIG is enabled. > > > > Signed-off-by: Nayna Jain > > --- > > diff --git a/certs/Makefile b/certs/Makefile > > > @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey > > @$(kecho) "### needs to be run as root, and uses a hardware random" > > @$(kecho) "### number generator if one is available." > > @$(kecho) "###" > > +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) > > + # Generate kernel build time CA Certificate. > > + @$(Q)openssl req -new -nodes -utf8 \ > > + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ > > + -subj "/CN=Build time autogenerated kernel CA key" \ > > + -batch -x509 -config $(obj)/x509.genkey \ > > + -outform PEM -out $(CA_KEY) \ > > + -keyout $(CA_KEY) -extensions ca_ext \ > > + $($(quiet)redirect_openssl) > > +endif # CONFIG_IMA_APPRAISE_MODSIG > > $(Q)openssl req -new -nodes -utf8 \ > > -batch -config $(obj)/x509.genkey \ > > -outform PEM -out $(obj)/signing_key.csr \ > > -keyout $(obj)/signing_key.key -extensions myexts \ > > $($(quiet)redirect_openssl) > > $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ > > - -outform PEM -out $(obj)/signing_key.crt \ > > - -signkey $(obj)/signing_key.key \ > > + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ > > -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ > > -extfile $(obj)/x509.genkey \ > > $($(quiet)redirect_openssl) > > It may make things easier (also below) if the CA was always created and > the kernel signing key was always signed by that CA rather than doing > this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an > opinion on that? Thanks, Stefan. It would definitely simplify the code. We wanted to minimize the code change and solicit feedback, before making such a change. Mimi
Re: [PATCH 4/5] keys: define build time generated ephemeral kernel CA key
On 2/11/21 2:54 PM, Nayna Jain wrote: Certificates being loaded onto the IMA trusted keyring must be signed by a key on either the builtin and secondary trusted keyring. This patch creates and includes in the kernel image an ephemeral CA key, at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain --- Makefile| 2 ++ certs/Makefile | 68 ++--- certs/system_certificates.S | 16 - 3 files changed, 80 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 9c87fdd600d8..a1d4b0a1745e 100644 --- a/Makefile +++ b/Makefile @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated \ certs/signing_key.pem certs/signing_key.x509 \ certs/x509.genkey certs/signing_key.key \ certs/signing_key.crt certs/signing_key.csr \ + certs/ca_signing_key.pem certs/ca_signing_key.x509 \ + certs/ca_signing_key.srl \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index b2be7eb413d3..c3592ba63a05 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) +SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +SIGN_KEY = y +endif + +ifdef SIGN_KEY ### # # If module signing is requested, say by allyesconfig, but a key has not been @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +# openssl arguments for CA Signed certificate. +CA_KEY = certs/ca_signing_key.pem +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial +else +# openssl arguments for Self Signed certificate. +SIGNER = -signkey $(obj)/signing_key.key +endif # CONFIG_IMA_APPRAISE_MODSIG + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + # Generate kernel build time CA Certificate. + @$(Q)openssl req -new -nodes -utf8 \ + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ + -subj "/CN=Build time autogenerated kernel CA key" \ + -batch -x509 -config $(obj)/x509.genkey \ + -outform PEM -out $(CA_KEY) \ + -keyout $(CA_KEY) -extensions ca_ext \ + $($(quiet)redirect_openssl) +endif # CONFIG_IMA_APPRAISE_MODSIG $(Q)openssl req -new -nodes -utf8 \ -batch -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.csr \ -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ - -outform PEM -out $(obj)/signing_key.crt \ - -signkey $(obj)/signing_key.key \ + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ -extfile $(obj)/x509.genkey \ $($(quiet)redirect_openssl) It may make things easier (also below) if the CA was always created and the kernel signing key was always signed by that CA rather than doing this only in the IMA_APPRAISE_MODSIG case. Maybe someone else has an opinion on that? @@ -95,19 +122,50 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ + @echo >>$@ "[ ca_ext ]" + @echo >>$@ "keyUsage=critical,keyCertSign" + @echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) +SUBJECT=CN = Build time autogenerated kernel key +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it + +# GCC PR#66871 again. +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + +# Remove existing keys if it is self-signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey)) +CA_KEY = certs/ca_signing_key.pem + +$(obj)/system_certif
[PATCH 4/5] keys: define build time generated ephemeral kernel CA key
Certificates being loaded onto the IMA trusted keyring must be signed by a key on either the builtin and secondary trusted keyring. This patch creates and includes in the kernel image an ephemeral CA key, at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain --- Makefile| 2 ++ certs/Makefile | 68 ++--- certs/system_certificates.S | 16 - 3 files changed, 80 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 9c87fdd600d8..a1d4b0a1745e 100644 --- a/Makefile +++ b/Makefile @@ -1475,6 +1475,8 @@ MRPROPER_FILES += include/config include/generated \ certs/signing_key.pem certs/signing_key.x509 \ certs/x509.genkey certs/signing_key.key \ certs/signing_key.crt certs/signing_key.csr \ + certs/ca_signing_key.pem certs/ca_signing_key.x509 \ + certs/ca_signing_key.srl \ vmlinux-gdb.py \ *.spec diff --git a/certs/Makefile b/certs/Makefile index b2be7eb413d3..c3592ba63a05 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) +SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +SIGN_KEY = y +endif + +ifdef SIGN_KEY ### # # If module signing is requested, say by allyesconfig, but a key has not been @@ -51,6 +59,16 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +# openssl arguments for CA Signed certificate. +CA_KEY = certs/ca_signing_key.pem +SIGNER = -CA $(CA_KEY) -CAkey $(CA_KEY) -CAcreateserial +else +# openssl arguments for Self Signed certificate. +SIGNER = -signkey $(obj)/signing_key.key +endif # CONFIG_IMA_APPRAISE_MODSIG + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." @@ -60,14 +78,23 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "### needs to be run as root, and uses a hardware random" @$(kecho) "### number generator if one is available." @$(kecho) "###" +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + # Generate kernel build time CA Certificate. + @$(Q)openssl req -new -nodes -utf8 \ + -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ + -subj "/CN=Build time autogenerated kernel CA key" \ + -batch -x509 -config $(obj)/x509.genkey \ + -outform PEM -out $(CA_KEY) \ + -keyout $(CA_KEY) -extensions ca_ext \ + $($(quiet)redirect_openssl) +endif # CONFIG_IMA_APPRAISE_MODSIG $(Q)openssl req -new -nodes -utf8 \ -batch -config $(obj)/x509.genkey \ -outform PEM -out $(obj)/signing_key.csr \ -keyout $(obj)/signing_key.key -extensions myexts \ $($(quiet)redirect_openssl) $(Q)openssl x509 -req -days 36500 -in $(obj)/signing_key.csr \ - -outform PEM -out $(obj)/signing_key.crt \ - -signkey $(obj)/signing_key.key \ + -outform PEM -out $(obj)/signing_key.crt $(SIGNER) \ -$(CONFIG_MODULE_SIG_HASH) -extensions myexts \ -extfile $(obj)/x509.genkey \ $($(quiet)redirect_openssl) @@ -95,19 +122,50 @@ $(obj)/x509.genkey: @echo >>$@ "keyUsage=digitalSignature" @echo >>$@ "subjectKeyIdentifier=hash" @echo >>$@ "authorityKeyIdentifier=keyid" + @echo >>$@ + @echo >>$@ "[ ca_ext ]" + @echo >>$@ "keyUsage=critical,keyCertSign" + @echo >>$@ "basicConstraints=critical,CA:TRUE,pathlen:0" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif # CONFIG_MODULE_SIG_KEY $(eval $(call config_filename,MODULE_SIG_KEY)) +SUBJECT=CN = Build time autogenerated kernel key +ISSUER=$(shell openssl x509 -in certs/signing_key.crt -noout -issuer) # If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it + +# GCC PR#66871 again. +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + +# Remove existing keys if it is self-signed. +$(if $(findstring $(SUBJECT),$(ISSUER)),$(shell rm -f certs/signing_key.* certs/x509.genkey)) +CA_KEY = certs/ca_signing_key.pem + +$(obj)/system_certificates.o: $(obj)/ca_signing_key.x509 $(obj)/signing_key.x509 + +targets += ca_signing_key.x509 +$(obj)/ca_signing_key.x509: $(obj)/signing_key.x509 scripts/extract-cert FORCE + $(call if_changed,extract_certs,$(CA_KEY)) + +targets += signing_key.x509 +$(obj)/signing_key.x509: $(obj)/signing_key
