From: Eric Snowberg <eric.snowberg@oracle.com>
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
roberto.sassu@huawei.com, nramas@linux.microsoft.com,
eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH 5/7] KEYS: Introduce sig restriction that validates root of trust
Date: Tue, 5 Apr 2022 21:53:35 -0400 [thread overview]
Message-ID: <20220406015337.4000739-6-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
The current keyring restrictions validate if a key can be vouched for by
another key already contained in a keyring. Add a new restriction called
restrict_link_by_rot_and_signature that both vouches for the new key and
validates the vouching key contains the builtin root of trust flag.
Two new system keyring restrictions are added to use
restrict_link_by_rot_and_signature. The first restriction called
restrict_link_by_rot_builtin_trusted uses the builtin_trusted_keys as
the restricted keyring. The second system keyring restriction called
restrict_link_by_rot_builtin_and_secondary_trusted uses the
secondary_trusted_keys as the restricted keyring. Should the machine
keyring be defined, it shall be validated too, since it is linked to
the secondary_trusted_keys keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
certs/system_keyring.c | 18 +++++++++++++
crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++++++++++
include/keys/system_keyring.h | 17 ++++++++++++-
3 files changed, 76 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 05b66ce9d1c9..a8b53446ec25 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -48,6 +48,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
builtin_trusted_keys);
}
+int restrict_link_by_rot_builtin_trusted(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused)
+{
+ return restrict_link_by_rot_and_signature(dest_keyring, type, payload,
+ builtin_trusted_keys);
+}
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/**
* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
@@ -76,6 +84,16 @@ int restrict_link_by_builtin_and_secondary_trusted(
secondary_trusted_keys);
}
+int restrict_link_by_rot_builtin_and_secondary_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused)
+{
+ return restrict_link_by_rot_and_signature(dest_keyring, type, payload,
+ secondary_trusted_keys);
+}
+
/**
* Allocate a struct key_restriction for the "builtin and secondary trust"
* keyring. Only for use in system_trusted_keyring_init().
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b1ac5f5896a..840ea302b40a 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,48 @@ int restrict_link_by_signature(struct key *dest_keyring,
return ret;
}
+int restrict_link_by_rot_and_signature(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trust_keyring)
+{
+ const struct public_key_signature *sig;
+ struct key *key;
+ int ret;
+
+ if (!trust_keyring)
+ return -ENOKEY;
+
+ if (type != &key_type_asymmetric)
+ return -EOPNOTSUPP;
+
+ sig = payload->data[asym_auth];
+ if (!sig)
+ return -ENOPKG;
+ if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
+ return -ENOKEY;
+
+ if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
+ return -EPERM;
+
+ /* See if we have a key that signed this one. */
+ key = find_asymmetric_key(trust_keyring,
+ sig->auth_ids[0], sig->auth_ids[1],
+ sig->auth_ids[2], false);
+ if (IS_ERR(key))
+ return -ENOKEY;
+
+ if (!test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags))
+ ret = -ENOKEY;
+ else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+ ret = -ENOKEY;
+ else
+ ret = verify_signature(key, sig);
+ key_put(key);
+ return ret;
+}
+
+
static bool match_either_id(const struct asymmetric_key_id **pair,
const struct asymmetric_key_id *single)
{
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 2419a735420f..2c1241042f1f 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -17,9 +17,18 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
const union key_payload *payload,
struct key *restriction_key);
extern __init int load_module_cert(struct key *keyring);
-
+extern int restrict_link_by_rot_builtin_trusted(struct key *keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused);
+extern int restrict_link_by_rot_and_signature(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused);
#else
#define restrict_link_by_builtin_trusted restrict_link_reject
+#define restrict_link_by_rot_and_signature restrict_link_reject
+#define restrict_link_by_rot_builtin_trusted restrict_link_reject
static inline __init int load_module_cert(struct key *keyring)
{
@@ -34,8 +43,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+extern int restrict_link_by_rot_builtin_and_secondary_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restrict_key);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#define restrict_link_by_rot_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
--
2.27.0
next prev parent reply other threads:[~2022-04-06 12:02 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-06 1:53 [PATCH 0/7] Add CA enforcement keyring restrictions Eric Snowberg
2022-04-06 1:53 ` [PATCH 1/7] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2022-04-06 1:53 ` [PATCH 2/7] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2022-04-08 14:39 ` Mimi Zohar
2022-04-08 15:31 ` Eric Snowberg
2022-04-06 1:53 ` [PATCH 3/7] KEYS: X.509: Parse Key Usage Eric Snowberg
2022-04-08 14:39 ` Mimi Zohar
2022-04-06 1:53 ` [PATCH 4/7] KEYS: Introduce a builtin root of trust key flag Eric Snowberg
2022-04-08 14:40 ` Mimi Zohar
2022-04-08 15:27 ` Eric Snowberg
2022-04-08 16:55 ` Mimi Zohar
2022-04-08 17:34 ` Eric Snowberg
2022-04-08 18:49 ` Mimi Zohar
2022-04-08 21:59 ` Eric Snowberg
2022-04-11 15:30 ` Mimi Zohar
2022-04-14 16:36 ` Eric Snowberg
2022-04-14 18:09 ` Mimi Zohar
2022-04-14 21:59 ` Eric Snowberg
2022-04-15 16:14 ` Mimi Zohar
2022-04-06 1:53 ` Eric Snowberg [this message]
2022-04-06 19:55 ` [PATCH 5/7] KEYS: Introduce sig restriction that validates root of trust kernel test robot
2022-04-06 1:53 ` [PATCH 6/7] KEYS: X.509: Flag Intermediate CA certs as built in Eric Snowberg
2022-04-07 1:04 ` kernel test robot
2022-04-06 1:53 ` [PATCH 7/7] integrity: Use root of trust signature restriction Eric Snowberg
2022-04-06 20:45 ` [PATCH 0/7] Add CA enforcement keyring restrictions Mimi Zohar
2022-04-06 22:53 ` Eric Snowberg
2022-04-08 14:41 ` Mimi Zohar
2022-11-04 13:20 ` Coiby Xu
2022-11-04 21:06 ` Eric Snowberg
2022-11-09 1:24 ` Elaine Palmer
2022-11-09 14:25 ` Eric Snowberg
2022-11-09 14:58 ` Elaine Palmer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220406015337.4000739-6-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=pvorel@suse.cz \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).