------- Comment From daniel.axte...@ibm.com 2021-03-18 00:22 EDT-------
Apologies once again for the delay.

> @Daniel
> "In either case, however, the CA that signs the kernel signing key needs to
> be built in to the kernel's .builtin_trusted_keys keyring."
>
> On Ubuntu, for OPAL signing, on PowerPC, we do not use CA at all. It is our
> understanding that firmware doesn't support verifying signature chains to a
> CA. Thus instead we use self-signed certificates for the kernel which have
> not been signed by a CA.
>
> Thus we should simply include them all in trusted keyring, and there is no
> need to ship anything on disk or load anything from the userspace.

My mistake. Yes, if you build the kernel signing key into the trusted
keyring, that should cover everything.

Kind regards,
Daniel

------- Comment From daniel.axte...@ibm.com 2021-03-18 00:29 EDT-------
Wait, no, hang on, this keeps tripping me up.

IMA kexec appended-signature verification uses only the %.ima and
%.platform keyrings. Having the key in %.builtin_trusted_keys should
logically be enough, but that's not how the code works, much to my
regular frustration. Here's groovy/master
security/integrity/ima/ima_appraise.c modsig_verify():

	rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
	    func == KEXEC_KERNEL_CHECK)
		rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
					     modsig);
	if (rc) {
		*cause = "invalid-signature";
		*status = INTEGRITY_FAIL;
	} else {
		*status = INTEGRITY_PASS;
	}

So just having it in %:.builtin_trusted_keys doesn't suffice, we need to
get it into %:.ima or %:.platform somehow.
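
The keyring selection Daniel quotes above, restated as a small user-space C model. This is an added example, not code from the bug thread or from the kernel: keyrings are modelled as lists of trusted key IDs, "verification" succeeds when the signer's key ID is in the consulted keyring, and the enum names, the key ID string and CONFIG_INTEGRITY_PLATFORM_KEYRING=1 are assumptions. It shows why a key present only in .builtin_trusted_keys fails kexec appended-signature appraisal, and that the .platform fallback applies to KEXEC_KERNEL_CHECK only.

```c
/* Added example (not from the bug thread or the kernel): user-space model of
 * the keyring fallback in ima_appraise.c modsig_verify(). Assumes the platform
 * keyring is compiled in. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define CONFIG_INTEGRITY_PLATFORM_KEYRING 1  /* assumed build configuration */

/* Modelled keyrings; the kernel names them .builtin_trusted_keys, .ima, .platform */
enum keyring { KEYRING_BUILTIN_TRUSTED, KEYRING_IMA, KEYRING_PLATFORM, KEYRING_COUNT };

/* IMA hooks relevant to the quoted code (names modelled on the kernel's) */
enum ima_hook { MODULE_CHECK, KEXEC_KERNEL_CHECK };

enum integrity_status { INTEGRITY_PASS, INTEGRITY_FAIL };

#define MAX_KEYS 4
struct keyring_store {
    const char *keys[KEYRING_COUNT][MAX_KEYS];
    int nkeys[KEYRING_COUNT];
};

/* Add a trusted key ID to a keyring; false if the keyring is full */
static bool keyring_add(struct keyring_store *s, enum keyring kr, const char *key_id)
{
    if (s->nkeys[kr] >= MAX_KEYS)
        return false;
    s->keys[kr][s->nkeys[kr]++] = key_id;
    return true;
}

/* Model of integrity_modsig_verify(): 0 when the signer's key is in keyring kr */
static int integrity_modsig_verify(const struct keyring_store *s, enum keyring kr,
                                   const char *signer_key_id)
{
    for (int i = 0; i < s->nkeys[kr]; i++)
        if (strcmp(s->keys[kr][i], signer_key_id) == 0)
            return 0;
    return -1;  /* no matching key: verification fails */
}

/* Model of modsig_verify(): .ima first, .platform only as a kexec fallback;
 * .builtin_trusted_keys is never consulted on this path */
static void modsig_verify(const struct keyring_store *s, enum ima_hook func,
                          const char *signer_key_id, const char **cause,
                          enum integrity_status *status)
{
    int rc = integrity_modsig_verify(s, KEYRING_IMA, signer_key_id);
    if (CONFIG_INTEGRITY_PLATFORM_KEYRING && rc && func == KEXEC_KERNEL_CHECK)
        rc = integrity_modsig_verify(s, KEYRING_PLATFORM, signer_key_id);
    if (rc) {
        *cause = "invalid-signature";
        *status = INTEGRITY_FAIL;
    } else {
        *cause = NULL;
        *status = INTEGRITY_PASS;
    }
}

/* Returns 1 when an appended signature by key_id would be accepted for hook func */
static int appraise(const struct keyring_store *s, enum ima_hook func, const char *key_id)
{
    const char *cause = NULL;
    enum integrity_status status;
    modsig_verify(s, func, key_id, &cause, &status);
    return status == INTEGRITY_PASS;
}

/* Constructed key ID standing in for the distro kernel signing key */
static const char *KEY = "kernel-signing-key";

/* Scenario from the thread: key built into .builtin_trusted_keys only */
static int kexec_with_builtin_only(void)
{
    struct keyring_store s = {0};
    keyring_add(&s, KEYRING_BUILTIN_TRUSTED, KEY);
    return appraise(&s, KEXEC_KERNEL_CHECK, KEY);
}

/* Key loaded into .platform: accepted for kexec'd kernels via the fallback */
static int kexec_with_platform_key(void)
{
    struct keyring_store s = {0};
    keyring_add(&s, KEYRING_PLATFORM, KEY);
    return appraise(&s, KEXEC_KERNEL_CHECK, KEY);
}

/* Same .platform key, but for a module: the fallback does not apply */
static int module_with_platform_key(void)
{
    struct keyring_store s = {0};
    keyring_add(&s, KEYRING_PLATFORM, KEY);
    return appraise(&s, MODULE_CHECK, KEY);
}

/* Key in .ima: accepted for any hook without needing the fallback */
static int kexec_with_ima_key(void)
{
    struct keyring_store s = {0};
    keyring_add(&s, KEYRING_IMA, KEY);
    return appraise(&s, KEXEC_KERNEL_CHECK, KEY);
}

int main(void)
{
    printf("builtin only, kexec : %s\n", kexec_with_builtin_only() ? "PASS" : "FAIL");
    printf("platform key, kexec : %s\n", kexec_with_platform_key() ? "PASS" : "FAIL");
    printf("platform key, module: %s\n", module_with_platform_key() ? "PASS" : "FAIL");
    printf("ima key, kexec      : %s\n", kexec_with_ima_key() ? "PASS" : "FAIL");
    return 0;
}
```

The first scenario is the one that keeps tripping people up: the key is trusted by the kernel in the sense of .builtin_trusted_keys, yet the appended-signature path never looks there, so a kexec'd kernel signed with it is rejected with cause "invalid-signature" until the key is also made available in .ima or .platform.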

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288

Title:
  Power guest secure boot with static keys: kernel portion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
