summaryrefslogtreecommitdiff
path: root/certs
AgeCommit message (Collapse)AuthorFilesLines
2024-05-09kbuild: use $(src) instead of $(srctree)/$(src) for source directoryMasahiro Yamada1-2/+2
Kbuild conventionally uses $(obj)/ for generated files, and $(src)/ for checked-in source files. It is merely a convention without any functional difference. In fact, $(obj) and $(src) are exactly the same, as defined in scripts/Makefile.build: src := $(obj) When the kernel is built in a separate output directory, $(src) does not accurately reflect the source directory location. While Kbuild resolves this discrepancy by specifying VPATH=$(srctree) to search for source files, it does not cover all cases. For example, when adding a header search path for local headers, -I$(srctree)/$(src) is typically passed to the compiler. This introduces inconsistency between upstream and downstream Makefiles because $(src) is used instead of $(srctree)/$(src) for the latter. To address this inconsistency, this commit changes the semantics of $(src) so that it always points to the directory in the source tree. Going forward, the variables used in Makefiles will have the following meanings: $(obj) - directory in the object tree $(src) - directory in the source tree (changed by this commit) $(objtree) - the top of the kernel object tree $(srctree) - the top of the kernel source tree Consequently, $(srctree)/$(src) in upstream Makefiles need to be replaced with $(src). Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
2023-11-03Merge tag 'v6.7-p1' of ↵Linus Torvalds1-2/+4
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto updates from Herbert Xu: "API: - Add virtual-address based lskcipher interface - Optimise ahash/shash performance in light of costly indirect calls - Remove ahash alignmask attribute Algorithms: - Improve AES/XTS performance of 6-way unrolling for ppc - Remove some uses of obsolete algorithms (md4, md5, sha1) - Add FIPS 202 SHA-3 support in pkcs1pad - Add fast path for single-page messages in adiantum - Remove zlib-deflate Drivers: - Add support for S4 in meson RNG driver - Add STM32MP13x support in stm32 - Add hwrng interface support in qcom-rng - Add support for deflate algorithm in hisilicon/zip" * tag 'v6.7-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (283 commits) crypto: adiantum - flush destination page before unmapping crypto: testmgr - move pkcs1pad(rsa,sha3-*) to correct place Documentation/module-signing.txt: bring up to date module: enable automatic module signing with FIPS 202 SHA-3 crypto: asymmetric_keys - allow FIPS 202 SHA-3 signatures crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support crypto: FIPS 202 SHA-3 register in hash info for IMA x509: Add OIDs for FIPS 202 SHA-3 hash and signatures crypto: ahash - optimize performance when wrapping shash crypto: ahash - check for shash type instead of not ahash type crypto: hash - move "ahash wrapping shash" functions to ahash.c crypto: talitos - stop using crypto_ahash::init crypto: chelsio - stop using crypto_ahash::init crypto: ahash - improve file comment crypto: ahash - remove struct ahash_request_priv crypto: ahash - remove crypto_ahash_alignmask crypto: gcm - stop using alignmask of ahash crypto: chacha20poly1305 - stop using alignmask of ahash crypto: ccm - stop using alignmask of ahash net: ipv6: stop checking crypto_ahash_alignmask ...
2023-10-31certs: Only allow certs signed by keys on the builtin keyringMimi Zohar1-1/+15
Originally the secondary trusted keyring provided a keyring to which extra keys may be added, provided those keys were not blacklisted and were vouched for by a key built into the kernel or already in the secondary trusted keyring. On systems with the machine keyring configured, additional keys may also be vouched for by a key on the machine keyring. Prevent loading additional certificates directly onto the secondary keyring, vouched for by keys on the machine keyring, yet allow these certificates to be loaded onto other trusted keyrings. Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-10-27module: enable automatic module signing with FIPS 202 SHA-3Dimitri John Ledkov1-1/+1
Add Kconfig options to use SHA-3 for kernel module signing. 256 size for RSA only, and higher sizes for RSA and NIST P-384. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-20certs: Limit MODULE_SIG_KEY_TYPE_ECDSA to SHA384 or SHA512Dimitri John Ledkov1-2/+4
NIST FIPS 186-5 states that it is recommended that the security strength associated with the bit length of n and the security strength of the hash function be the same, or higher upon agreement. Given NIST P384 curve is used, force using either SHA384 or SHA512. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-08-17certs: Reference revocation list for all keyringsEric Snowberg1-6/+6
Systems booted with shim have a Forbidden Signature Database called mokx. During boot, hashes and certs contained within the mokx are loaded into the blacklist keyring. When calling verify_pkcs7_message_sig the contents of the blacklist keyring (or revocation list) are referenced when validating keys on the platform keyring. Currently, when validating against the secondary or builtin keyrings, the revocation list is not referenced. Move up the check to allow the revocation list to be used with all keyrings, including the secondary and builtin, allowing the system owner to take corrective action should a vulnerability be found within keys contained within either keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-08-17integrity: PowerVM support for loading third party code signing keysNayna Jain1-0/+30
On secure boot enabled PowerVM LPAR, third party code signing keys are needed during early boot to verify signed third party modules. These third party keys are stored in moduledb object in the Platform KeyStore (PKS). Load third party code signing keys onto .secondary_trusted_keys keyring. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-08-17KEYS: DigitalSignature link restrictionEric Snowberg1-0/+49
Add a new link restriction. Restrict the addition of keys in a keyring based on the key having digitalSignature usage set. Additionally, verify the new certificate against the ones in the system keyrings. Add two additional functions to use the new restriction within either the builtin or secondary keyrings. [jarkko@kernel.org: Fix checkpatch.pl --strict issues] Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-04-24KEYS: Add missing function documentationEric Snowberg1-3/+11
Compiling with 'W=1' results in warnings that 'Function parameter or member not described' Add the missing parameters for restrict_link_by_builtin_and_secondary_trusted and restrict_link_to_builtin_trusted. Use /* instead of /** for get_builtin_and_secondary_restriction, since it is a static function. Fix wrong function name restrict_link_to_builtin_trusted. Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Petr Vorel <pvorel@suse.cz> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-02-26Merge tag 'kbuild-v6.3' of ↵Linus Torvalds1-3/+6
git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild updates from Masahiro Yamada: - Change V=1 option to print both short log and full command log - Allow V=1 and V=2 to be combined as V=12 - Make W=1 detect wrong .gitignore files - Tree-wide cleanups for unused command line arguments passed to Clang - Stop using -Qunused-arguments with Clang - Make scripts/setlocalversion handle only correct release tags instead of any arbitrary annotated tag - Create Debian and RPM source packages without cleaning the source tree - Various cleanups for packaging * tag 'kbuild-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (74 commits) kbuild: rpm-pkg: remove unneeded KERNELRELEASE from modules/headers_install docs: kbuild: remove description of KBUILD_LDS_MODULE .gitattributes: use 'dts' diff driver for *.dtso files kbuild: deb-pkg: improve the usability of source package kbuild: deb-pkg: fix binary-arch and clean in debian/rules kbuild: tar-pkg: use tar rules in scripts/Makefile.package kbuild: make perf-tar*-src-pkg work without relying on git kbuild: deb-pkg: switch over to source format 3.0 (quilt) kbuild: deb-pkg: make .orig tarball a hard link if possible kbuild: deb-pkg: hide KDEB_SOURCENAME from Makefile kbuild: srcrpm-pkg: create source package without cleaning kbuild: rpm-pkg: build binary packages from source rpm kbuild: deb-pkg: create source package without cleaning kbuild: add a tool to list files ignored by git Documentation/llvm: add Chimera Linux, Google and Meta datacenters setlocalversion: use only the correct release tag for git-describe setlocalversion: clean up the construction of version output .gitignore: ignore *.cover and *.mbx kbuild: remove --include-dir MAKEFLAG from top Makefile kbuild: fix trivial typo in comment ...
2023-02-13certs: don't try to update blacklist keysThomas Weißschuh1-9/+12
When the same key is blacklisted repeatedly logging at pr_err() level is excessive as no functionality is impaired. When these duplicates are provided by buggy firmware there is nothing the user can do to fix the situation. Instead of spamming the bootlog with errors we use a warning that can still be seen by OEMs when testing their firmware. Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/ Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/ Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Tested-by: Paul Menzel <pmenzel@molgen.mpg.de> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-02-13certs: make blacklisted hash available in klogThomas Weißschuh1-1/+1
One common situation triggering this log statement are duplicate hashes reported by the system firmware. These duplicates should be removed from the firmware. Without logging the blacklisted hash triggering the issue however the users can not report it properly to the firmware vendors and the firmware vendors can not easily see which specific hash is duplicated. While changing the log message also use the dedicated ERR_PTR format placeholder for the returned error value. Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-01-31certs: Fix build error when PKCS#11 URI contains semicolonJan Luebbe1-2/+2
When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a semicolon, signing_key.x509 fails to build: certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509 Usage: extract-cert <source> <dest> Add quotes to the extract-cert argument to avoid splitting by the shell. This approach was suggested by Masahiro Yamada <masahiroy@kernel.org>. Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf") Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2023-01-22kbuild: do not print extra logs for V=2Masahiro Yamada1-3/+6
Some scripts increase the verbose level when V=1, but others when not V=0. I think the former is correct because V=2 is not a log level but a switch to print the reason for rebuilding. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
2022-09-23certs: make system keyring depend on built-in x509 parserMasahiro Yamada1-1/+1
Commit e90886291c7c ("certs: make system keyring depend on x509 parser") is not the right fix because x509_load_certificate_list() can be modular. The combination of CONFIG_SYSTEM_TRUSTED_KEYRING=y and CONFIG_X509_CERTIFICATE_PARSER=m still results in the following error: LD .tmp_vmlinux.kallsyms1 ld: certs/system_keyring.o: in function `load_system_certificate_list': system_keyring.c:(.init.text+0x8c): undefined reference to `x509_load_certificate_list' make: *** [Makefile:1169: vmlinux] Error 1 Fixes: e90886291c7c ("certs: make system keyring depend on x509 parser") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Tested-by: Adam Borowski <kilobyte@angband.pl>
2022-08-10Merge tag 'kbuild-v5.20' of ↵Linus Torvalds4-15/+43
git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild updates from Masahiro Yamada: - Remove the support for -O3 (CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3) - Fix error of rpm-pkg cross-builds - Support riscv for checkstack tool - Re-enable -Wformwat warnings for Clang - Clean up modpost, Makefiles, and misc scripts * tag 'kbuild-v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (30 commits) modpost: remove .symbol_white_list field entirely modpost: remove unneeded .symbol_white_list initializers modpost: add PATTERNS() helper macro modpost: shorten warning messages in report_sec_mismatch() Revert "Kbuild, lto, workaround: Don't warn for initcall_reference in modpost" modpost: use more reliable way to get fromsec in section_rel(a)() modpost: add array range check to sec_name() modpost: refactor get_secindex() kbuild: set EXIT trap before creating temporary directory modpost: remove unused Elf_Sword macro Makefile.extrawarn: re-enable -Wformat for clang kbuild: add dtbs_prepare target kconfig: Qt5: tell the user which packages are required modpost: use sym_get_data() to get module device_table data modpost: drop executable ELF support checkstack: add riscv support for scripts/checkstack.pl kconfig: shorten the temporary directory name for cc-option scripts: headers_install.sh: Update config leak ignore entries kbuild: error out if $(INSTALL_MOD_PATH) contains % or : kbuild: error out if $(KBUILD_EXTMOD) contains % or : ...
2022-07-27certs: unify blacklist_hashes.c and blacklist_nohashes.cMasahiro Yamada3-14/+5
These two files are very similar. Unify them. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-07-27certs: move scripts/check-blacklist-hashes.awk to certs/Masahiro Yamada2-1/+38
This script is only used in certs/Makefile, so certs/ is a better home for it. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-07-24certs: make system keyring depend on x509 parserAdam Borowski1-0/+1
This code requires x509_load_certificate_list() to be built-in. Fixes: 60050ffe3d77 ("certs: Move load_certificate_list() to be with the asymmetric keys code") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Steven Rostedt <rostedt@goodmis.org> Link: https://lore.kernel.org/all/202206221515.DqpUuvbQ-lkp@intel.com/ Link: https://lore.kernel.org/all/20220712104554.408dbf42@gandalf.local.home/ Signed-off-by: Adam Borowski <kilobyte@angband.pl> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-06-21Merge tag 'certs-20220621' of ↵Linus Torvalds5-75/+9
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull signature checking selftest from David Howells: "The signature checking code, as used by module signing, kexec, etc., is non-FIPS compliant as there is no selftest. For a kernel to be FIPS-compliant, signature checking would have to be tested before being used, and the box would need to panic if it's not available (probably reasonable as simply disabling signature checking would prevent you from loading any driver modules). Deal with this by adding a minimal test. This is split into two patches: the first moves load_certificate_list() to the same place as the X.509 code to make it more accessible internally; the second adds a selftest" * tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: certs: Add FIPS selftests certs: Move load_certificate_list() to be with the asymmetric keys code
2022-06-21certs: Move load_certificate_list() to be with the asymmetric keys codeDavid Howells5-75/+9
Move load_certificate_list(), which loads a series of binary X.509 certificates from a blob and inserts them as keys into a keyring, to be with the asymmetric keys code that it drives. This makes it easier to add FIPS selftest code in which we need to load up a private keyring for the tests to use. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au> cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/
2022-06-15certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST buildMasahiro Yamada3-12/+12
Commit addf466389d9 ("certs: Check that builtin blacklist hashes are valid") was applied 8 months after the submission. In the meantime, the base code had been removed by commit b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"). Fix the Makefile. Create a local copy of $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST). It is included from certs/blacklist_hashes.c and also works as a timestamp. Send error messages from check-blacklist-hashes.awk to stderr instead of stdout. Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-06-15certs/blacklist_hashes.c: fix const confusion in certs blacklistMasahiro Yamada1-1/+1
This file fails to compile as follows: CC certs/blacklist_hashes.o certs/blacklist_hashes.c:4:1: error: ignoring attribute ‘section (".init.data")’ because it conflicts with previous ‘section (".init.rodata")’ [-Werror=attributes] 4 | const char __initdata *const blacklist_hashes[] = { | ^~~~~ In file included from certs/blacklist_hashes.c:2: certs/blacklist.h:5:38: note: previous declaration here 5 | extern const char __initconst *const blacklist_hashes[]; | ^~~~~~~~~~~~~~~~ Apply the same fix as commit 2be04df5668d ("certs/blacklist_nohashes.c: fix const confusion in certs blacklist"). Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-06-10certs: Convert spaces in certs/Makefile to a tabDavid Howells1-1/+1
There's a rule in certs/Makefile for which the command begins with eight spaces. This results in: ../certs/Makefile:21: FORCE prerequisite is missing ../certs/Makefile:21: *** missing separator. Stop. Fix this by turning the spaces into a tab. Fixes: addf466389d9 ("certs: Check that builtin blacklist hashes are valid") Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mickaël Salaün <mic@linux.microsoft.com> cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/486b1b80-9932-aab6-138d-434c541c934a@digikod.net/ # v1 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-06-08cert host tools: Stop complaining about deprecated OpenSSL functionsLinus Torvalds1-0/+7
OpenSSL 3.0 deprecated the OpenSSL's ENGINE API. That is as may be, but the kernel build host tools still use it. Disable the warning about deprecated declarations until somebody who cares fixes it. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2022-05-26Merge tag 'kbuild-v5.19' of ↵Linus Torvalds1-2/+2
git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild updates from Masahiro Yamada: - Add HOSTPKG_CONFIG env variable to allow users to override pkg-config - Support W=e as a shorthand for KCFLAGS=-Werror - Fix CONFIG_IKHEADERS build to support toybox cpio - Add scripts/dummy-tools/pahole to ease distro packagers' life - Suppress false-positive warnings from checksyscalls.sh for W=2 build - Factor out the common code of arch/*/boot/install.sh into scripts/install.sh - Support 'kernel-install' tool in scripts/prune-kernel - Refactor module-versioning to link the symbol versions at the final link of vmlinux and modules - Remove CONFIG_MODULE_REL_CRCS because module-versioning now works in an arch-agnostic way - Refactor modpost, Makefiles * tag 'kbuild-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (56 commits) genksyms: adjust the output format to modpost kbuild: stop merging *.symversions kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS modpost: extract symbol versions from *.cmd files modpost: add sym_find_with_module() helper modpost: change the license of EXPORT_SYMBOL to bool type modpost: remove left-over cross_compile declaration kbuild: record symbol versions in *.cmd files kbuild: generate a list of objects in vmlinux modpost: move *.mod.c generation to write_mod_c_files() modpost: merge add_{intree_flag,retpoline,staging_flag} to add_header scripts/prune-kernel: Use kernel-install if available kbuild: factor out the common installation code into scripts/install.sh modpost: split new_symbol() to symbol allocation and hash table addition modpost: make sym_add_exported() always allocate a new symbol modpost: make multiple export error modpost: dump Module.symvers in the same order of modules.order modpost: traverse the namespace_list in order modpost: use doubly linked list for dump_lists modpost: traverse unresolved symbols in order ...
2022-05-23certs: Explain the rationale to call panic()Mickaël Salaün1-0/+9
The blacklist_init() function calls panic() for memory allocation errors. This change documents the reason why we don't return -ENODEV. Link: https://lore.kernel.org/r/20220322111323.542184-2-mic@digikod.net Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi Suggested-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23certs: Allow root user to append signed hashes to the blacklist keyringMickaël Salaün2-21/+85
Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user to dynamically add new keys to the blacklist keyring. This enables to invalidate new certificates, either from being loaded in a keyring, or from being trusted in a PKCS#7 certificate chain. This also enables to add new file hashes to be denied by the integrity infrastructure. Being able to untrust a certificate which could have normaly been trusted is a sensitive operation. This is why adding new hashes to the blacklist keyring is only allowed when these hashes are signed and vouched by the builtin trusted keyring. A blacklist hash is stored as a key description. The PKCS#7 signature of this description must be provided as the key payload. Marking a certificate as untrusted should be enforced while the system is running. It is then forbiden to remove such blacklist keys. Update blacklist keyring, blacklist key and revoked certificate access rights: * allows the root user to search for a specific blacklisted hash, which make sense because the descriptions are already viewable; * forbids key update (blacklist and asymmetric ones); * restricts kernel rights on the blacklist keyring to align with the root user rights. See help in tools/certs/print-cert-tbs-hash.sh . Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-6-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23certs: Check that builtin blacklist hashes are validMickaël Salaün3-3/+19
Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will effectively be taken into account as blacklisted hashes. This is useful to debug invalid hash formats, and it make sure that previous hashes which could have been loaded in the kernel, but silently ignored, are now noticed and deal with by the user at kernel build time. This also prevent stricter blacklist key description checking (provided by following commits) to failed for builtin hashes. Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of a hash string and how to generate certificate ones. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23certs: Make blacklist_vet_description() more strictMickaël Salaün1-10/+36
Before exposing this new key type to user space, make sure that only meaningful blacklisted hashes are accepted. This is also checked for builtin blacklisted hashes, but a following commit make sure that the user will notice (at built time) and will fix the configuration if it already included errors. Check that a blacklist key description starts with a valid prefix and then a valid hexadecimal string. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20210712170313.884724-4-mic@digikod.net Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23certs: Factor out the blacklist hash creationMickaël Salaün1-18/+58
Factor out the blacklist hash creation with the get_raw_hash() helper. This also centralize the "tbs" and "bin" prefixes and make them private, which help to manage them consistently. Cc: David Howells <dhowells@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-5-mic@digikod.net Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-04-05kbuild: Allow kernel installation packaging to override pkg-configChun-Tse Shao1-2/+2
Add HOSTPKG_CONFIG to allow tooling that builds the kernel to override what pkg-config and parameters are used. Signed-off-by: Chun-Tse Shao <ctshao@google.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-03-31Merge tag 'kbuild-v5.18-v2' of ↵Linus Torvalds2-29/+11
git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild updates from Masahiro Yamada: - Add new environment variables, USERCFLAGS and USERLDFLAGS to allow additional flags to be passed to user-space programs. - Fix missing fflush() bugs in Kconfig and fixdep - Fix a minor bug in the comment format of the .config file - Make kallsyms ignore llvm's local labels, .L* - Fix UAPI compile-test for cross-compiling with Clang - Extend the LLVM= syntax to support LLVM=<suffix> form for using a particular version of LLVm, and LLVM=<prefix> form for using custom LLVM in a particular directory path. - Clean up Makefiles * tag 'kbuild-v5.18-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: Make $(LLVM) more flexible kbuild: add --target to correctly cross-compile UAPI headers with Clang fixdep: use fflush() and ferror() to ensure successful write to files arch: syscalls: simplify uapi/kapi directory creation usr/include: replace extra-y with always-y certs: simplify empty certs creation in certs/Makefile certs: include certs/signing_key.x509 unconditionally kallsyms: ignore all local labels prefixed by '.L' kconfig: fix missing '# end of' for empty menu kconfig: add fflush() before ferror() check kbuild: replace $(if A,A,B) with $(or A,B) kbuild: Add environment variables for userprogs flags kbuild: unify cmd_copy and cmd_shipped
2022-03-08KEYS: Introduce link restriction for machine keysEric Snowberg1-1/+34
Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. With the introduction of the machine keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel. If they have chosen to trust them, the .machine keyring will contain these keys. If not, the machine keyring will always be empty. Update the restriction check to allow the secondary trusted keyring to also trust machine keys. Allow the .machine keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .machine keyring will automatically be searched when searching secondary_trusted_keys. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-03-08KEYS: store reference to machine keyringEric Snowberg1-0/+9
Expose the .machine keyring created in integrity code by adding a reference. Store a reference to the machine keyring in system keyring code. The system keyring code needs this to complete the keyring link to the machine keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-03-03certs: simplify empty certs creation in certs/MakefileMasahiro Yamada1-10/+11
To create an empty cert file, we need to pass "" to the extract-cert tool, which is common for all the three call-sites of cmd_extract_certs. Factor out the logic into extract-cert-in. One exceptional case is PKCS#11 case, where we override extract-cert-in with the URI. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
2022-03-03certs: include certs/signing_key.x509 unconditionallyMasahiro Yamada2-19/+0
I do not see much sense in the #if conditional in system_certificates.S; even if the condition is true, there exists no signing key when CONFIG_MODULE_SIG_KEY="". So, certs/Makefile generates empty certs/signing_key.x509 in such a case. We can always do this, irrespective of CONFIG_MODULE_SIG or (CONFIG_IMA_APPRAISE_MODSIG && CONFIG_MODULES). We only need to check CONFIG_MODULE_SIG_KEY, then both *.S and Makefile will become much simpler. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-22certs: Fix build error when CONFIG_MODULE_SIG_KEY is emptyMasahiro Yamada1-1/+1
Since b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro"), when CONFIG_MODULE_SIG_KEY is empty, signing_key.x509 fails to build: CERT certs/signing_key.x509 Usage: extract-cert <source> <dest> make[1]: *** [certs/Makefile:78: certs/signing_key.x509] Error 2 make: *** [Makefile:1831: certs] Error 2 Pass "" to the first argument of extract-cert to fix the build error. Link: https://lore.kernel.org/linux-kbuild/20220120094606.2skuyb26yjlnu66q@lion.mk-sys.cz/T/#u Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro") Reported-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Tested-by: Michal Kubecek <mkubecek@suse.cz>
2022-01-22certs: Fix build error when CONFIG_MODULE_SIG_KEY is PKCS#11 URIMasahiro Yamada1-1/+1
When CONFIG_MODULE_SIG_KEY is PKCS#11 URL (pkcs11:*), signing_key.x509 fails to build: certs/Makefile:77: *** target pattern contains no '%'. Stop. Due to the typo, $(X509_DEP) contains a colon. Fix it. Fixes: b8c96a6b466c ("certs: simplify $(srctree)/ handling and remove config_filename macro") Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08certs: move scripts/extract-cert to certs/Masahiro Yamada3-4/+172
extract-cert is only used in certs/Makefile. Move it there and build extract-cert on demand. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08kbuild: do not quote string values in include/config/auto.confMasahiro Yamada1-8/+2
The previous commit fixed up all shell scripts to not include include/config/auto.conf. Now that include/config/auto.conf is only included by Makefiles, we can change it into a more Make-friendly form. Previously, Kconfig output string values enclosed with double-quotes (both in the .config and include/config/auto.conf): CONFIG_X="foo bar" Unlike shell, Make handles double-quotes (and single-quotes as well) verbatim. We must rip them off when used. There are some patterns: [1] $(patsubst "%",%,$(CONFIG_X)) [2] $(CONFIG_X:"%"=%) [3] $(subst ",,$(CONFIG_X)) [4] $(shell echo $(CONFIG_X)) These are not only ugly, but also fragile. [1] and [2] do not work if the value contains spaces, like CONFIG_X=" foo bar " [3] does not work correctly if the value contains double-quotes like CONFIG_X="foo\"bar" [4] seems to work better, but has a cost of forking a process. Anyway, quoted strings were always PITA for our Makefiles. This commit changes Kconfig to stop quoting in include/config/auto.conf. These are the string type symbols referenced in Makefiles or scripts: ACPI_CUSTOM_DSDT_FILE ARC_BUILTIN_DTB_NAME ARC_TUNE_MCPU BUILTIN_DTB_SOURCE CC_IMPLICIT_FALLTHROUGH CC_VERSION_TEXT CFG80211_EXTRA_REGDB_KEYDIR EXTRA_FIRMWARE EXTRA_FIRMWARE_DIR EXTRA_TARGETS H8300_BUILTIN_DTB INITRAMFS_SOURCE LOCALVERSION MODULE_SIG_HASH MODULE_SIG_KEY NDS32_BUILTIN_DTB NIOS2_DTB_SOURCE OPENRISC_BUILTIN_DTB SOC_CANAAN_K210_DTB_SOURCE SYSTEM_BLACKLIST_HASH_LIST SYSTEM_REVOCATION_KEYS SYSTEM_TRUSTED_KEYS TARGET_CPU UNUSED_KSYMS_WHITELIST XILINX_MICROBLAZE0_FAMILY XILINX_MICROBLAZE0_HW_VER XTENSA_VARIANT_NAME I checked them one by one, and fixed up the code where necessary. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08certs: simplify $(srctree)/ handling and remove config_filename macroMasahiro Yamada1-19/+13
The complex macro, config_filename, was introduced to do: [1] drop double-quotes from the string value [2] add $(srctree)/ prefix in case the file is not found in $(objtree) [3] escape spaces and more [1] will be more generally handled by Kconfig later. As for [2], Kbuild uses VPATH to search for files in $(objtree), $(srctree) in this order. GNU Make can natively handle it. As for [3], converting $(space) to $(space_escape) back and forth looks questionable to me. It is well-known that GNU Make cannot handle file paths with spaces in the first place. Instead of using the complex macro, use $< so it will be expanded to the file path of the key. Remove config_filename, finally. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08certs: remove misleading comments about GCC PRMasahiro Yamada1-2/+0
This dependency is necessary irrespective of the mentioned GCC PR because the embedded certificates are build artifacts and must be generated by extract_certs before *.S files are compiled. The comment sounds like we are hoping to remove these dependencies someday. No, we cannot remove them. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08certs: refactor file cleaningMasahiro Yamada1-4/+5
'make clean' removes files listed in 'targets'. It is redundant to specify both 'targets' and 'clean-files'. Move 'targets' assignments out of the ifeq-conditionals so scripts/Makefile.clean can see them. One effective change is that certs/certs/signing_key.x509 is now deleted by 'make clean' instead of 'make mrproper. This certificate is embedded in the kernel. It is not used in any way by external module builds. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
2022-01-08certs: remove unneeded -I$(srctree) option for system_certificates.oMasahiro Yamada1-3/+0
The .incbin directive in certs/system_certificates.S includes certs/signing_key.x509 and certs/x509_certificate_list, both of which are generated by extract_certs, i.e. exist in $(objtree). This option -I$(srctree) is unneeded. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2022-01-08certs: unify duplicated cmd_extract_certs and improve the logMasahiro Yamada1-6/+3
cmd_extract_certs is defined twice. Unify them. The current log shows the input file $(2), which might be empty. You cannot know what is being created from the log, "EXTRACT_CERTS". Change the log to show the output file with better alignment. [Before] EXTRACT_CERTS certs/signing_key.pem CC certs/system_keyring.o EXTRACT_CERTS AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o EXTRACT_CERTS AS certs/revocation_certificates.o [After] CERT certs/signing_key.x509 CC certs/system_keyring.o CERT certs/x509_certificate_list AS certs/system_certificates.o CC certs/common.o CC certs/blacklist.o CERT certs/x509_revocation_list AS certs/revocation_certificates.o Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
2022-01-08certs: use $< and $@ to simplify the key generation ruleMasahiro Yamada1-3/+2
Do not repeat $(obj)/x509.genkey or $(obj)/signing_key.pem Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Reviewed-by: Nicolas Schier <n.schier@avm.de>
2021-12-11certs: use if_changed to re-generate the key when the key type is changedMasahiro Yamada1-24/+6
If the key type of the existing signing key does not match to CONFIG_MODULE_SIG_KEY_TYPE_*, the Makefile removes it so that it is re-generated. Use if_changed so that the key is re-generated when the key type is changed (that is, the openssl command line is changed). Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2021-12-11certs: use 'cmd' to hide openssl output in silent builds more simplyMasahiro Yamada1-6/+6
Commit 5d06ee20b662 ("modsign: hide openssl output in silent builds") silenced the key generation log from openssl in silent builds. Since commit 174a1dcc9642 ("kbuild: sink stdout from cmd for silent build"), the 'cmd' macro can handle it in a cleaner way. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
2021-12-11certs: remove noisy messages while generating the signing keyMasahiro Yamada1-11/+0
When you run Kbuild with the parallel option -j, the messages from this rule and others are interleaved, like follows: ### CC arch/x86/mm/pat/set_memory.o ### Now generating an X.509 key pair to be used for signing modules. ### ### If this takes a long time, you might wish to run rngd in the ### background to keep the supply of entropy topped up. It CC arch/x86/events/intel/bts.o HDRTEST usr/include/linux/qnx4_fs.h CC arch/x86/events/zhaoxin/core.o ### needs to be run as root, and uses a hardware random ### number generator if one is available. AR init/built-in.a ### On modern machines, it does not take a long time to generate the key. Remove the ugly log messages. Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>