Re: [PATCH v7 4/4] powerpc: load firmware trusted keys/hashes into kernel keyring
From: Michael Ellerman
Date: Fri Nov 08 2019 - 04:42:42 EST
Eric Richter <erichte@xxxxxxxxxxxxx> writes:
> From: Nayna Jain <nayna@xxxxxxxxxxxxx>
>
> The keys used to verify the Host OS kernel are managed by firmware as
> secure variables. This patch loads the verification keys into the .platform
> keyring and revocation hashes into .blacklist keyring. This enables
> verification and loading of the kernels signed by the boot time keys which
> are trusted by firmware.
>
> Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> Signed-off-by: Eric Richter <erichte@xxxxxxxxxxxxx>
> ---
> arch/powerpc/Kconfig | 1 +
> security/integrity/Kconfig | 8 ++
> security/integrity/Makefile | 4 +-
> .../integrity/platform_certs/load_powerpc.c | 98 +++++++++++++++++++
> 4 files changed, 110 insertions(+), 1 deletion(-)
> create mode 100644 security/integrity/platform_certs/load_powerpc.c
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index cabc091f3fe1..498967a5ef4e 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
> bool
> depends on PPC_POWERNV
> depends on IMA_ARCH_POLICY
> + select LOAD_PPC_KEYS
This gave me a warning:
WARNING: unmet direct dependencies detected for LOAD_PPC_KEYS
Depends on [n]: INTEGRITY [=y] && INTEGRITY_PLATFORM_KEYRING [=n] && PPC_SECURE_BOOT [=y]
Selected by [y]:
- PPC_SECURE_BOOT [=y] && PPC_POWERNV [=y] && IMA_ARCH_POLICY [=y]
I think you should probably just drop the select ..
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 0bae6adb63a9..26abee23e4e3 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -72,6 +72,14 @@ config LOAD_IPL_KEYS
> depends on S390
> def_bool y
>
> +config LOAD_PPC_KEYS
> + bool "Enable loading of platform and blacklisted keys for POWER"
> + depends on INTEGRITY_PLATFORM_KEYRING
> + depends on PPC_SECURE_BOOT
> + help
> + Enable loading of keys to the .platform keyring and blacklisted
> + hashes to the .blacklist keyring for powerpc based platforms.
And instead make this default y, if you think it should be enabled by
default when its prerequisites are met.
cheers