linux-efi.vger.kernel.org archive mirror
From: Eric Snowberg <eric.snowberg@oracle.com>
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
	roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
	mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com,
	eric.snowberg@oracle.com, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [PATCH RFC 6/8] keys: Add ability to track intended usage of the public key
Date: Mon, 11 Mar 2024 12:11:09 -0400
Message-ID: <20240311161111.3268190-7-eric.snowberg@oracle.com>
In-Reply-To: <20240311161111.3268190-1-eric.snowberg@oracle.com>

Add two new fields in public_key_signature to track the intended usage of
the signature.  Also add a flag for the revocation pass.  During signature
validation, two verifications can take place for the same signature.  One
to see if it verifies against something on the .blacklist keyring and
the other to see if it verifies against the supplied keyring. The flag
is used to determine which stage the verification is in.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/blacklist.c                     |  3 +++
 crypto/asymmetric_keys/pkcs7_trust.c  | 20 ++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_verify.c |  4 ++++
 include/crypto/pkcs7.h                |  3 +++
 include/crypto/public_key.h           |  4 ++++
 5 files changed, 34 insertions(+)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 675dd7a8f07a..dd34e56a6362 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -17,6 +17,7 @@
 #include <linux/uidgid.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
+#include <crypto/public_key.h>
 #include "blacklist.h"
 
 /*
@@ -289,7 +290,9 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
 {
 	int ret;
 
+	pkcs7_set_usage_flag(pkcs7, PKS_REVOCATION_PASS);
 	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+	pkcs7_clear_usage_flag(pkcs7, PKS_REVOCATION_PASS);
 
 	if (ret == 0)
 		return -EKEYREJECTED;
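Review bot: Nothing in this patch reads PKS_REVOCATION_PASS, so the set/clear pair around pkcs7_validate_trust(pkcs7, blacklist_keyring) has no visible consumer here. A one-line comment naming where the flag is tested would make the bracketing understandable on its own. The clear is also unconditional, so a bit set by a caller before is_key_on_revocation_list() would be lost on return; that is fine if this function is the only setter, but it is worth stating.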
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 9a87c34ed173..64d70eb68864 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -131,6 +131,26 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 	return 0;
 }
 
+void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage)
+{
+	struct pkcs7_signed_info *sinfo;
+
+	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+		if (sinfo->sig)
+			clear_bit(usage, &sinfo->sig->usage_flags);
+	}
+}
+
+void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage)
+{
+	struct pkcs7_signed_info *sinfo;
+
+	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+		if (sinfo->sig)
+			set_bit(usage, &sinfo->sig->usage_flags);
+	}
+}
+
 /**
  * pkcs7_validate_trust - Validate PKCS#7 trust chain
  * @pkcs7: The PKCS#7 certificate to validate
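Review bot: The second parameter of pkcs7_set_usage_flag() and pkcs7_clear_usage_flag() is named usage, but it is passed to set_bit()/clear_bit() as a bit number in sig->usage_flags, not stored in the new sig->usage field; naming it flag or bit would avoid confusion with that field. Both helpers are non-static and declared in include/crypto/pkcs7.h, yet they have no kernel-doc, unlike pkcs7_validate_trust() directly below. They also silently skip any signed_info whose sig is NULL, which that documentation should mention.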
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 1dc80e68ce96..44b8bd0ad4d8 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -455,6 +455,10 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
 			return ret;
 		}
 		actual_ret = 0;
+		if (sinfo->sig) {
+			sinfo->sig->usage = usage;
+			set_bit(PKS_USAGE_SET, &sinfo->sig->usage_flags);
+		}
 	}
 
 	kleave(" = %d", actual_ret);
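Review bot: The assignment sits after actual_ret = 0, so usage and PKS_USAGE_SET are recorded only for a signed_info that gets past the error return above. A signature that does not reach this point keeps whatever usage value it already had, so readers have to test PKS_USAGE_SET before trusting sig->usage; a comment here or at the field definition should say so. PKS_USAGE_SET is never cleared anywhere in this patch, so if the same message can be verified a second time, consider whether a stale value needs resetting first.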
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 38ec7f5f9041..6c3c9061b118 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -32,6 +32,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
 extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
 				struct key *trust_keyring);
 
+extern void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage);
+extern void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage);
+
 /*
  * pkcs7_verify.c
  */
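Review bot: Both new prototypes take a PKS_* bit number that is defined in crypto/public_key.h, which is why certs/blacklist.c has to add that include in this same patch; a comment above the declarations pointing at the PKS_* definitions would save the next caller the search. The two lines also run longer than the wrapped pkcs7_validate_trust() prototype just above, so wrapping the second parameter would keep the header consistent.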
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 462f8a34cdf8..3ddfbc20a55f 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -48,6 +48,10 @@ struct public_key_signature {
 	const char *pkey_algo;
 	const char *hash_algo;
 	const char *encoding;
+	u32 usage;		/* Intended usage */
+	unsigned long usage_flags;
+#define PKS_USAGE_SET		0
+#define PKS_REVOCATION_PASS	1
 };
 
 extern void public_key_signature_free(struct public_key_signature *sig);
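Review bot: PKS_USAGE_SET and PKS_REVOCATION_PASS are bit numbers (they are handed to set_bit()/clear_bit() elsewhere in this patch), not masks, and usage_flags carries no comment saying so. Add a comment on usage_flags stating that it holds PKS_* bit numbers, and note on usage that it is valid only when PKS_USAGE_SET is set. The commit message describes one flag, for the revocation pass, while two are defined here; it should mention PKS_USAGE_SET as well.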
-- 
2.39.3

