Re: [PATCH v2 4/4] powerpc: load firmware trusted keys into kernel keyring
From: Greg Kroah-Hartman
Date: Wed Aug 21 2019 - 12:46:46 EST
On Wed, Aug 21, 2019 at 11:08:23AM -0400, Nayna Jain wrote:
> The keys used to verify the Host OS kernel are managed by OPAL as secure
> variables. This patch loads the verification keys into the .platform
> keyring and revocation keys into .blacklist keyring. This enables
> verification and loading of the kernels signed by the boot time keys which
> are trusted by firmware.
>
> Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
> ---
> security/integrity/Kconfig | 9 ++
> security/integrity/Makefile | 3 +
> .../integrity/platform_certs/load_powerpc.c | 94 +++++++++++++++++++
> 3 files changed, 106 insertions(+)
> create mode 100644 security/integrity/platform_certs/load_powerpc.c
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 0bae6adb63a9..2b4109c157e2 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
> depends on S390
> def_bool y
>
> +config LOAD_PPC_KEYS
> + bool "Enable loading of platform and revocation keys for POWER"
> + depends on INTEGRITY_PLATFORM_KEYRING
> + depends on PPC_SECURE_BOOT
> + def_bool y
def_bool y only for things that the system will not boot if it is not
enabled because you added a new feature. Otherwise just do not set the
default.
> + help
> + Enable loading of db keys to the .platform keyring and dbx keys to
> + the .blacklist keyring for powerpc based platforms.
> +
> config INTEGRITY_AUDIT
> bool "Enables integrity auditing support "
> depends on AUDIT
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 525bf1d6e0db..9eeb6b053de3 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -14,6 +14,9 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
> platform_certs/load_uefi.o \
> platform_certs/keyring_handler.o
> integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
> +integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
> + platform_certs/load_powerpc.o \
> + platform_certs/keyring_handler.o
> $(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
> subdir-$(CONFIG_IMA) += ima
> diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
> new file mode 100644
> index 000000000000..f4d869171062
> --- /dev/null
> +++ b/security/integrity/platform_certs/load_powerpc.c
> @@ -0,0 +1,94 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain <nayna@xxxxxxxxxxxxx>
> + *
> + * load_powernv.c
That's not the name of this file :(
And the perfect example of why you NEVER have the name of the file in
the file itself, as it's not needed and easy to get wrong :)
thanks,
greg k-h