From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
jmorris@namei.org, jarkko@kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, zohar@linux.ibm.com,
torvalds@linux-foundation.org, serge@hallyn.com,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
glin@suse.com
Subject: [RFC PATCH 1/3] keys: Add ability to trust the platform keyring
Date: Mon, 17 May 2021 18:57:12 -0400 [thread overview]
Message-ID: <20210517225714.498032-2-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210517225714.498032-1-eric.snowberg@oracle.com>
Add the ability to allow the secondary_trusted keyring to trust
keys in the platform keyring. This is done by doing a key_link
of the platform_trusted_keys to the secondary_trusted_keys.
After they are linked, the platform_trusted_keys can be used for
validation instead of the secondary_trusted_keys if the user
chooses. This functionality will be used in a follow on patch.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
certs/system_keyring.c | 19 ++++++++++++++++++-
include/keys/system_keyring.h | 10 ++++++++++
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 4b693da488f1..471eb13e3cca 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -23,6 +23,7 @@ static struct key *secondary_trusted_keys;
#endif
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
static struct key *platform_trusted_keys;
+bool secondary_trusts_platform;
#endif
extern __initconst const u8 system_certificate_list[];
@@ -67,6 +68,10 @@ int restrict_link_by_builtin_and_secondary_trusted(
/* Allow the builtin keyring to be added to the secondary */
return 0;
+ if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && secondary_trusts_platform)
+ return restrict_link_by_signature(dest_keyring, type, payload,
+ platform_trusted_keys);
+
return restrict_link_by_signature(dest_keyring, type, payload,
secondary_trusted_keys);
}
@@ -227,7 +232,11 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
trusted_keys = builtin_trusted_keys;
} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
- trusted_keys = secondary_trusted_keys;
+ if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) &&
+ secondary_trusts_platform)
+ trusted_keys = platform_trusted_keys;
+ else
+ trusted_keys = secondary_trusted_keys;
#else
trusted_keys = builtin_trusted_keys;
#endif
@@ -312,4 +321,12 @@ void __init set_platform_trusted_keys(struct key *keyring)
{
platform_trusted_keys = keyring;
}
+
+void __init set_trust_platform_keys(void)
+{
+ secondary_trusts_platform = true;
+
+ if (key_link(platform_trusted_keys, secondary_trusted_keys) < 0)
+ panic("Can't link trusted keyrings\n");
+}
#endif
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index fb8b07daa9d1..ffa5f0173ba8 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -72,4 +72,14 @@ static inline void set_platform_trusted_keys(struct key *keyring)
}
#endif
+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
+ defined(CONFIG_SYSTEM_TRUSTED_KEYRING) && \
+ defined(CONFIG_SECONDARY_TRUSTED_KEYRING)
+extern void __init set_trust_platform_keys(void);
+#else
+static inline void __init set_trust_platform_keys(void)
+{
+}
+#endif
+
#endif /* _KEYS_SYSTEM_KEYRING_H */
--
2.18.4
next prev parent reply other threads:[~2021-05-17 22:58 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 22:57 [RFC PATCH 0/3] Add additional MOK vars Eric Snowberg
2021-05-17 22:57 ` Eric Snowberg [this message]
2021-05-20 15:59 ` [RFC PATCH 1/3] keys: Add ability to trust the platform keyring Jarkko Sakkinen
2021-05-17 22:57 ` [RFC PATCH 2/3] keys: Trust platform keyring if MokTrustPlatform found Eric Snowberg
2021-05-17 22:57 ` [RFC PATCH 3/3] ima: Enable IMA SB Policy if MokIMAPolicy found Eric Snowberg
2021-05-19 7:55 ` [RFC PATCH 0/3] Add additional MOK vars Jarkko Sakkinen
2021-05-19 14:32 ` Mimi Zohar
2021-05-19 22:04 ` Eric Snowberg
2021-05-20 12:22 ` Mimi Zohar
2021-05-20 20:37 ` Eric Snowberg
2021-05-21 11:44 ` Mimi Zohar
2021-05-24 0:57 ` Eric Snowberg
2021-05-24 11:12 ` Mimi Zohar
2021-06-01 15:24 ` Eric Snowberg
2021-05-24 10:09 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210517225714.498032-2-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=glin@suse.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.