From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
scott.branden@broadcom.com, weiyongjun1@huawei.com,
nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
nramas@linux.microsoft.com, lszubowi@redhat.com,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: [PATCH v4 03/12] KEYS: CA link restriction
Date: Wed, 18 Aug 2021 20:21:00 -0400 [thread overview]
Message-ID: <20210819002109.534600-4-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com>
Add a new link restriction. Restrict the addition of keys in a keyring
based on the key to be added being a CA (self-signed).
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v2: Removed secondary keyring references
v3: Removed restrict_link_by_system_trusted_or_ca
Simplify restrict_link_by_ca - only see if the key is a CA
Did not add __init in front of restrict_link_by_ca in case
restriction could be resued in the future
v4: Unmodified from v3
---
crypto/asymmetric_keys/restrict.c | 40 +++++++++++++++++++++++++++++++
include/crypto/public_key.h | 5 ++++
2 files changed, 45 insertions(+)
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 84cefe3b3585..9ae43d3f862b 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring,
return ret;
}
+/**
+ * restrict_link_by_ca - Restrict additions to a ring of CA keys
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @trusted: Unused.
+ *
+ * Check if the new certificate is a CA. If it is a CA, then mark the new
+ * certificate as being ok to link.
+ *
+ * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find
+ * a matching parent certificate in the trusted list. -ENOPKG if the signature
+ * uses unsupported crypto, or some other error if there is a matching
+ * certificate but the signature check cannot be performed.
+ */
+int restrict_link_by_ca(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trust_keyring)
+{
+ const struct public_key_signature *sig;
+ const struct public_key *pkey;
+
+ if (type != &key_type_asymmetric)
+ return -EOPNOTSUPP;
+
+ sig = payload->data[asym_auth];
+ if (!sig)
+ return -ENOPKG;
+
+ if (!sig->auth_ids[0] && !sig->auth_ids[1])
+ return -ENOKEY;
+
+ pkey = payload->data[asym_crypto];
+ if (!pkey)
+ return -ENOPKG;
+
+ return public_key_verify_signature(pkey, sig);
+}
+
static bool match_either_id(const struct asymmetric_key_ids *pair,
const struct asymmetric_key_id *single)
{
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 47accec68cb0..545af1ea57de 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
const union key_payload *payload,
struct key *trusted);
+extern int restrict_link_by_ca(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trust_keyring);
+
extern int query_asymmetric_key(const struct kernel_pkey_params *,
struct kernel_pkey_query *);
--
2.18.4
next prev parent reply other threads:[~2021-08-19 0:22 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-19 0:20 [PATCH v4 00/12] Enroll kernel keys thru MOK Eric Snowberg
2021-08-19 0:20 ` [PATCH v4 01/12] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) Eric Snowberg
2021-08-19 0:20 ` [PATCH v4 02/12] integrity: Do not allow mok keyring updates following init Eric Snowberg
2021-08-19 0:21 ` Eric Snowberg [this message]
2021-08-19 0:21 ` [PATCH v4 04/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 05/12] integrity: add new keyring handler for mok keys Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 06/12] KEYS: add a reference to mok keyring Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 07/12] KEYS: Introduce link restriction to include builtin, secondary and mok keys Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 08/12] KEYS: integrity: change link restriction to trust the mok keyring Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 09/12] KEYS: link secondary_trusted_keys to mok trusted keys Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 10/12] integrity: store reference to mok keyring Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 11/12] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-08-19 0:21 ` [PATCH v4 12/12] integrity: Only use mok keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-08-19 11:38 ` [PATCH v4 00/12] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-08-19 13:10 ` Mimi Zohar
2021-08-19 15:23 ` Eric Snowberg
2021-08-19 17:32 ` Mimi Zohar
2021-08-23 17:51 ` Jarkko Sakkinen
2021-08-23 20:48 ` Nayna
2021-08-24 14:34 ` Mimi Zohar
2021-08-25 22:21 ` Jarkko Sakkinen
2021-08-25 22:27 ` James Bottomley
2021-08-27 20:44 ` Nayna
2021-08-30 17:39 ` Eric Snowberg
2021-09-01 0:52 ` Nayna
2021-09-01 1:51 ` Eric Snowberg
2021-09-02 10:18 ` Mimi Zohar
2021-09-01 4:34 ` Jarkko Sakkinen
2021-09-01 4:36 ` Jarkko Sakkinen
2021-09-01 4:46 ` Jarkko Sakkinen
2021-08-23 17:37 ` Jarkko Sakkinen
2021-08-23 17:35 ` Jarkko Sakkinen
2021-08-23 17:48 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210819002109.534600-4-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=scott.branden@broadcom.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.