[PATCH v2 0/5] ima: kernel build support for loading the kernel module signing key
From: Nayna Jain
Date: Thu Feb 18 2021 - 17:01:35 EST
Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring. On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.
In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings. This series of patches enables IMA
verification of signed kernel modules by:
* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto the .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.
* Enable module signing at build time for IMA_APPRAISE_MODSIG as well
v2:
* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (5):
keys: cleanup build time module signing keys
keys: generate self-signed module signing key using CSR
ima: update kernel module signing process during build
keys: define build time generated ephemeral kernel CA key
ima: enable loading of build time generated key on .ima keyring
Makefile | 9 ++--
certs/Kconfig | 2 +-
certs/Makefile | 77 ++++++++++++++++++++++++++++++++---
certs/system_certificates.S | 16 +++++++-
certs/system_keyring.c | 55 +++++++++++++++++++------
include/keys/system_keyring.h | 9 +++-
init/Kconfig | 6 +--
security/integrity/digsig.c | 4 ++
8 files changed, 150 insertions(+), 28 deletions(-)
--
2.29.2