[PATCH 0/5] ima: kernel build support for loading the kernel module signing key

From: Nayna Jain
Date: Thu Feb 11 2021 - 14:58:14 EST


Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring. On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings. This series of patches enables IMA
verification of signed kernel modules by:

* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.

* Enable module signing at build time for IMA_APPRAISE_MODSIG as well

Nayna Jain (5):
keys: cleanup build time module signing keys
keys: generate self-signed module signing key using CSR
ima: update kernel module signing process during build
keys: define build time generated ephemeral kernel CA key
ima: enable loading of build time generated key to .ima keyring

Makefile | 9 ++--
certs/Kconfig | 2 +-
certs/Makefile | 77 ++++++++++++++++++++++++++++++++---
certs/system_certificates.S | 16 +++++++-
certs/system_keyring.c | 56 +++++++++++++++++++------
include/keys/system_keyring.h | 9 +++-
init/Kconfig | 6 +--
security/integrity/digsig.c | 4 ++
8 files changed, 151 insertions(+), 28 deletions(-)

--
2.18.1