All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Snowberg <eric.snowberg@oracle.com>
Cc: dhowells@redhat.com, dwmw2@infradead.org, ardb@kernel.org,
	jmorris@namei.org, serge@hallyn.com, nayna@linux.ibm.com,
	zohar@linux.ibm.com, keescook@chromium.org,
	torvalds@linux-foundation.org, weiyongjun1@huawei.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
	James.Bottomley@hansenpartnership.com, pjones@redhat.com,
	konrad.wilk@oracle.com
Subject: Re: [PATCH v9 4/8] KEYS: store reference to machine keyring
Date: Sun, 9 Jan 2022 00:22:36 +0200	[thread overview]
Message-ID: <YdoOrAOdWaVrRzMR@iki.fi> (raw)
In-Reply-To: <20220105235012.2497118-5-eric.snowberg@oracle.com>

On Wed, Jan 05, 2022 at 06:50:08PM -0500, Eric Snowberg wrote:
> Expose the .machine keyring created in integrity code by adding
> a reference.  Store a reference to the machine keyring in
> system keyring code. The system keyring code needs this to complete
> the keyring link to the machine keyring.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
> v2: Initial version
> v3: Unmodified from v2
> v4: Removed trust_moklist check
> v5: Rename to machine keyring
> v8: Unmodified from v5
> v9: Combine with "add reference to machine keyring" patch
> ---
>  certs/system_keyring.c        | 9 +++++++++
>  include/keys/system_keyring.h | 8 ++++++++
>  security/integrity/digsig.c   | 2 ++
>  3 files changed, 19 insertions(+)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 692365dee2bd..08ea542c8096 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>  static struct key *secondary_trusted_keys;
>  #endif
> +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> +static struct key *machine_trusted_keys;
> +#endif
>  #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  static struct key *platform_trusted_keys;
>  #endif
> @@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
>  	return restriction;
>  }
>  #endif
> +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> +void __init set_machine_trusted_keys(struct key *keyring)
> +{
> +	machine_trusted_keys = keyring;
> +}
> +#endif
>  
>  /*
>   * Create the trusted keyrings
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 6acd3cf13a18..98c9b10cdc17 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
>  #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
>  #endif
>  
> +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> +extern void __init set_machine_trusted_keys(struct key *keyring);
> +#else
> +static inline void __init set_machine_trusted_keys(struct key *keyring)
> +{
> +}
> +#endif
> +
>  extern struct pkcs7_message *pkcs7;
>  #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
>  extern int mark_hash_blacklisted(const char *hash);
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 2b7fa85613c0..7b719aa76188 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id,
>  	} else {
>  		if (id == INTEGRITY_KEYRING_PLATFORM)
>  			set_platform_trusted_keys(keyring[id]);
> +		if (id == INTEGRITY_KEYRING_MACHINE)
> +			set_machine_trusted_keys(keyring[id]);
>  		if (id == INTEGRITY_KEYRING_IMA)
>  			load_module_cert(keyring[id]);
>  	}
> -- 
> 2.18.4
> 


Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

  reply	other threads:[~2022-01-08 22:22 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-05 23:50 [PATCH v9 0/8] Enroll kernel keys thru MOK Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 1/8] integrity: Fix warning about missing prototypes Eric Snowberg
2022-01-08 16:25   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine Eric Snowberg
2022-01-09 21:57   ` Mimi Zohar
2022-01-10 23:25     ` Eric Snowberg
2022-01-11 18:16       ` Mimi Zohar
2022-01-11 21:26         ` Eric Snowberg
2022-01-12  1:14           ` Mimi Zohar
2022-01-12 19:41             ` Mimi Zohar
2022-01-12 23:00               ` Eric Snowberg
2022-01-12 19:41             ` Mimi Zohar
2022-01-15 17:11               ` Jarkko Sakkinen
2022-01-15 19:12                 ` Eric Snowberg
2022-01-15 19:14                   ` Jarkko Sakkinen
2022-01-15 19:15                     ` Jarkko Sakkinen
2022-01-16  2:55                       ` Mimi Zohar
2022-01-16 20:10                         ` Jarkko Sakkinen
2022-01-18 16:32                           ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 3/8] integrity: add new keyring handler for mok keys Eric Snowberg
2022-01-08 22:21   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 4/8] KEYS: store reference to machine keyring Eric Snowberg
2022-01-08 22:22   ` Jarkko Sakkinen [this message]
2022-01-05 23:50 ` [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-01-08 22:25   ` Jarkko Sakkinen
2022-01-09 22:42   ` Mimi Zohar
2022-01-10 23:36     ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 6/8] efi/mokvar: move up init order Eric Snowberg
2022-01-08 22:27   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 7/8] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-01-08 22:28   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-01-08 22:30   ` Jarkko Sakkinen
2022-01-09  1:47     ` Mimi Zohar
2022-01-10  0:12       ` Mimi Zohar
2022-01-11  2:26       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YdoOrAOdWaVrRzMR@iki.fi \
    --to=jarkko@kernel.org \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=ardb@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=eric.snowberg@oracle.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.