cert update procedure with insert-sys-cert

Daniel Walker danielwa at cisco.com
Wed Apr 7 18:08:39 UTC 2021


On Wed, Apr 07, 2021 at 12:51:13PM -0400, Mimi Zohar wrote:
> [Cc'ing Nayna Jain, George Wilson]
> 
> Hi Daniel,
> 
> On Wed, 2021-04-07 at 09:32 -0700, Daniel Walker wrote:
> > Hi,
> > 
> > I was wondering about the practical use of this insert-sys-cert. How is the compressed
> > kernel re-made ? You submitted this change,
> > 
> > https://patchwork.kernel.org/project/linux-security-module/patch/20180502230811.2751-4-mkayaalp@linux.vnet.ibm.com/
> > 
> > for re-assemble a bzImage for x86. Is it the case that the bzImage can not be
> > re-assembled by using the make system ?
> > 
> > Cisco is similar to IBM in that we internally distribute a binary SDK with a
> > kernel. The actual build tree is only saved in a partial form.
> > 
> > We currently use the above commit to insert a certificate for x86, however, I've
> > found that other architecture are more complex than x86. For example , powerpc
> > images maybe not have ELF headers.
> > 
> > I'm wondering what values does the insert-sys-cert have without the bzImage
> > commit ? Am I using it wrong, and there's a way to use the make system to
> > reassemble ?
> 
> On powerpc, the kernel image is signed with an appended signature,
> using the same format as kernel modules.  scripts/sign-file.c can be
> used to append the kernel image signature.  Verifying the kernel image
> is limited on powerpc to kexec_file_load syscall.
> 
> The CONFIG_IMA_ARCH_POLICY loads architecture specific rules.  With
> secure boot enabled on powerpc, it loads a policy requiring the kernel
> image to be signed.

There is no way to insert new certificates with the insert-sys-cert tool ? Or
maybe I'm not understanding your comments.

Daniel



More information about the Linux-security-module-archive mailing list