[PATCH 0/5] ima: kernel build support for loading the kernel module signing key

Nayna Jain nayna at linux.ibm.com
Thu Feb 11 19:54:30 UTC 2021

Kernel modules are currently only signed when CONFIG_MODULE_SIG is enabled.
The kernel module signing key is a self-signed CA only loaded onto the
.builtin_trusted_key keyring.  On secure boot enabled systems with an arch
specific IMA policy enabled, but without MODULE_SIG enabled, kernel modules
are not signed, nor is the kernel module signing public key loaded onto the
IMA keyring.

In order to load the the kernel module signing key onto the IMA trusted
keyring ('.ima'), the certificate needs to be signed by a CA key either on
the builtin or secondary keyrings.  This series of patches enables IMA
verification of signed kernel modules by:

* Defining a kernel CA key. The CA key signs the kernel module signing key
and is loaded onto .builtin_trusted_key keyring, only when the kernel
module signing key is loaded onto the .ima keyring.

* Enable module signing at build time for IMA_APPRAISE_MODSIG as well

Nayna Jain (5):
  keys: cleanup build time module signing keys
  keys: generate self-signed module signing key using CSR
  ima: update kernel module signing process during build
  keys: define build time generated ephemeral kernel CA key
  ima: enable loading of build time generated key to .ima keyring

 Makefile                      |  9 ++--
 certs/Kconfig                 |  2 +-
 certs/Makefile                | 77 ++++++++++++++++++++++++++++++++---
 certs/system_certificates.S   | 16 +++++++-
 certs/system_keyring.c        | 56 +++++++++++++++++++------
 include/keys/system_keyring.h |  9 +++-
 init/Kconfig                  |  6 +--
 security/integrity/digsig.c   |  4 ++
 8 files changed, 151 insertions(+), 28 deletions(-)


More information about the Linux-security-module-archive mailing list