All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Snowberg <eric.snowberg@oracle.com>
To: zohar@linux.ibm.com, jarkko@kernel.org, dhowells@redhat.com,
	dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
	jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com,
	stefanb@linux.ibm.com, nayna@linux.ibm.com,
	mic@linux.microsoft.com, konrad.wilk@oracle.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH 0/4] Add CA enforcement in the machine keyring
Date: Tue,  1 Mar 2022 12:36:47 -0500	[thread overview]
Message-ID: <20220301173651.3435350-1-eric.snowberg@oracle.com> (raw)

A key added to the IMA keyring must be signed by a key contained in either the
built-in trusted or secondary trusted keyring. IMA also requires these keys 
to be a CA. The only option for an end-user to add their own CA is to compile
it into the kernel themselves or to use the insert-sys-cert.  Many end-users 
do not want to compile their own kernels.  With the insert-sys-cert option, 
there are missing upstream changes. 

Currently, all Machine Owner Keys (MOK) load into the machine keyring.  Add 
a new Kconfig option to only allow CA keys into the machine keyring.  When 
compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non CA 
keys will load into the platform keyring instead. This will allow the end-
user to enroll their own CA key into the machine keyring for use with IMA.

These patches are based on Jarkko's linux-tpmdd tree.
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git


Eric Snowberg (4):
  KEYS: Create static version of public_key_verify_signature
  X.509: Parse Basic Constraints for CA
  KEYS: CA link restriction
  integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

 certs/system_keyring.c                        |  9 ++--
 crypto/asymmetric_keys/restrict.c             | 43 +++++++++++++++++++
 crypto/asymmetric_keys/x509_cert_parser.c     |  9 ++++
 include/crypto/public_key.h                   | 25 +++++++++++
 include/keys/system_keyring.h                 |  3 +-
 security/integrity/Kconfig                    | 21 +++++++++
 security/integrity/Makefile                   |  1 +
 security/integrity/digsig.c                   | 14 ++++--
 security/integrity/integrity.h                |  3 +-
 .../platform_certs/keyring_handler.c          |  4 +-
 10 files changed, 123 insertions(+), 9 deletions(-)


base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1
-- 
2.27.0


             reply	other threads:[~2022-03-01 17:39 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-01 17:36 Eric Snowberg [this message]
2022-03-01 17:36 ` [PATCH 1/4] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2022-03-01 17:36 ` [PATCH 2/4] X.509: Parse Basic Constraints for CA Eric Snowberg
2022-03-04 15:10   ` Stefan Berger
2022-03-07 18:02     ` Eric Snowberg
2022-03-01 17:36 ` [PATCH 3/4] KEYS: CA link restriction Eric Snowberg
2022-03-04 15:28   ` Stefan Berger
2022-03-07 18:06     ` Eric Snowberg
2022-03-07 23:01       ` Mimi Zohar
2022-03-07 23:38         ` Eric Snowberg
2022-03-08  2:31           ` Stefan Berger
2022-03-08 12:45             ` Mimi Zohar
2022-03-08 13:56               ` Stefan Berger
2022-03-08 18:02               ` Eric Snowberg
2022-03-09 17:12                 ` Stefan Berger
2022-03-09 17:17                   ` Stefan Berger
2022-03-09 18:13                   ` Eric Snowberg
2022-03-09 19:02                     ` Stefan Berger
2022-03-11 18:44                       ` Eric Snowberg
2022-03-11 20:23                         ` Stefan Berger
2022-03-14 12:00                           ` Stefan Berger
2022-03-09 17:33                 ` Mimi Zohar
2022-03-01 17:36 ` [PATCH 4/4] integrity: CA enforcement in machine keyring Eric Snowberg
2022-03-04 23:19   ` Stefan Berger
2022-03-07 18:13     ` Eric Snowberg
2022-03-07 18:36       ` Stefan Berger
2022-03-07 18:48         ` Eric Snowberg
2022-03-06 23:33 ` [PATCH 0/4] Add CA enforcement in the " Mimi Zohar
2022-03-07 18:55   ` Eric Snowberg
2022-03-09 18:43 ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220301173651.3435350-1-eric.snowberg@oracle.com \
    --to=eric.snowberg@oracle.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@linux.microsoft.com \
    --cc=nayna@linux.ibm.com \
    --cc=serge@hallyn.com \
    --cc=stefanb@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.