Re: How to list keys used for kexec

From: Guozihua (Scott)
Date: Tue Apr 26 2022 - 00:10:25 EST

Next message: Alexei Starovoitov: "Re: [RFC bpf-next v4 3/7] error-inject: add new type that carries if the function is non sleepable"
Previous message: Masahiro Yamada: "Re: [PATCH 16/27] modpost: make multiple export error"
Next in thread: Michal Suchánek: "Re: How to list keys used for kexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2022/4/15 1:59, Michal Suchánek wrote:

Hello,

apparently modules are verified by keys from 'secondary' keyring on all
platforms.

If you happen to know that it's this particular keyring, and know how
to list keyrings recursively you can find the keys that are used for
verifying modules.

However, for kexec we have

- primary keyring on aarch64
- platform keyring on s390
- secondary AND platform keyring on x86

How is a user supposed to know which keys are used for kexec image
verification?

There is an implicit keyring that is ad-hoc constructed by the code that
does the kexec verification but there is no key list observable from
userspace that corresponds to this ad-hoc keyring only known to the kexec
code.

Can the kernel make the information which keys are used for what purpose
available to the user?

Thanks

Michal

.

Hi Michal

I'll try my best to understand and answer your question.

First of all, the "key" you mentioned here is actually certificate. And there are no way for the kernel to know "which certificate is used for what purpose" but to get a hint from the certificate's extension, if they exist. However, the extension only points out what this certificate should be used for, but not exactly what it is actually used for.

Secondly, the verification process requires the module (kernel image in this question) to contain information on which certificate should be used to verify itself. The signature provided by the module is in PKCS#7 format which contains a list of certificates for the verifier to construct a "chain of trust". Each certificates contains information pointing to the certificate of it's issuer, and eventually to one of the certificate stored in one of the keyrings you mentioned.

All in all, certificates in these keyrings you mentioned can be used for various purpose, and it's the responsibility for the modules being verified to provide information stating which certificate should be used for verification. Thus, the best way to find out which key is used for kexec is to look at key used to sign the kernel image.

--
Best
GUO Zihua

Next message: Alexei Starovoitov: "Re: [RFC bpf-next v4 3/7] error-inject: add new type that carries if the function is non sleepable"
Previous message: Masahiro Yamada: "Re: [PATCH 16/27] modpost: make multiple export error"
Next in thread: Michal Suchánek: "Re: How to list keys used for kexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]