All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
	torvalds@linux-foundation.org, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com,
	konrad.wilk@oracle.com
Subject: [PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Mon, 15 Nov 2021 19:15:34 -0500	[thread overview]
Message-ID: <20211116001545.2639333-7-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20211116001545.2639333-1-eric.snowberg@oracle.com>

Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
restrict_link_by_ca.  This will only allow CA keys into the machine
keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok
    keyring gets created even when it isn't enabled
v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca
v4: removed unnecessary restriction->check set
v5: Rename to machine keyring
v6: split line over 80 char (suggested by Mimi)
v7: Unmodified from v6
---
 security/integrity/digsig.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 910fe29a5037..e7dfc55a7c55 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id)
 		goto out;
 	}
 
-	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
+	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) &&
+	    id != INTEGRITY_KEYRING_MACHINE)
 		return 0;
 
 	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
 	if (!restriction)
 		return -ENOMEM;
 
-	restriction->check = restrict_link_to_ima;
+	if (id == INTEGRITY_KEYRING_MACHINE)
+		restriction->check = restrict_link_by_ca;
+	else
+		restriction->check = restrict_link_to_ima;
 
 	/*
 	 * No additional keys shall be allowed to load into the machine
-- 
2.18.4


  parent reply	other threads:[~2021-11-16  0:19 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-16  0:15 [PATCH v7 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 01/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-17 13:01   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 02/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-17 13:18   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-17 13:32   ` Mimi Zohar
2021-11-17 13:53     ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 04/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-18 22:59   ` Mimi Zohar
2021-11-18 23:29     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 05/17] KEYS: CA link restriction Eric Snowberg
2021-11-16  0:15 ` Eric Snowberg [this message]
2021-11-23  2:09   ` [PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca kernel test robot
2021-11-23  2:09     ` kernel test robot
2021-11-16  0:15 ` [PATCH v7 07/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-17 15:16   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2021-11-19  0:20   ` Mimi Zohar
2021-11-19  2:50     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-19  0:23   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-11-18 12:32   ` Mimi Zohar
2021-11-18 21:37     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 14/17] integrity: store reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 15/17] efi/mokvar: move up init order Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-11-16 16:00 ` [PATCH v7 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-11-16 16:18   ` Konrad Rzeszutek Wilk
2021-11-16 16:24     ` Jarkko Sakkinen
2021-11-16 16:39       ` Konrad Rzeszutek Wilk
2021-11-17  7:50         ` Jarkko Sakkinen
2021-11-17  7:51           ` Jarkko Sakkinen
2021-11-17 17:02             ` Konrad Rzeszutek Wilk
2021-11-17 17:20               ` Eric Snowberg
2021-11-18  3:14                 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211116001545.2639333-7-eric.snowberg@oracle.com \
    --to=eric.snowberg@oracle.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jason@zx2c4.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.