From: Eric Snowberg <eric.snowberg@oracle.com>
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
roberto.sassu@huawei.com, nramas@linux.microsoft.com,
eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH 4/7] KEYS: Introduce a builtin root of trust key flag
Date: Tue, 5 Apr 2022 21:53:34 -0400 [thread overview]
Message-ID: <20220406015337.4000739-5-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
Some subsystems are interested in knowing if keys within a keyring could
be used as a foundation of a root of trust. Introduce a new builtin root
of trust key flag.
The first type of key to use this is X.509. When a X.509 certificate
is self signed, has the kernCertSign Key Usage set and contains the
CA bit set this new flag is set.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
crypto/asymmetric_keys/x509_public_key.c | 2 ++
include/linux/key-type.h | 2 ++
include/linux/key.h | 2 ++
security/keys/key.c | 8 ++++++++
4 files changed, 14 insertions(+)
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 91a4ad50dea2..7290e765f46b 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -215,6 +215,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
prep->payload.data[asym_auth] = cert->sig;
prep->description = desc;
prep->quotalen = 100;
+ if (cert->is_kcs_set && cert->self_signed && cert->is_root_ca)
+ prep->payload_flags |= KEY_ALLOC_ROT;
/* We've finished with the certificate */
cert->pub = NULL;
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7d985a1dfe4a..ed0aaad3849b 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -36,6 +36,8 @@ struct key_preparsed_payload {
size_t datalen; /* Raw datalen */
size_t quotalen; /* Quota length for proposed payload */
time64_t expiry; /* Expiry time of key */
+ unsigned int payload_flags; /* Proposed payload flags */
+#define KEY_ALLOC_ROT 0x0001 /* Proposed Root of Trust (ROT) key */
} __randomize_layout;
typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
diff --git a/include/linux/key.h b/include/linux/key.h
index 7febc4881363..97f6a1f86a27 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -230,6 +230,7 @@ struct key {
#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */
#define KEY_FLAG_KEEP 8 /* set if key should not be removed */
#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */
+#define KEY_FLAG_BUILTIN_ROT 10 /* set if key is a builtin Root of Trust key */
/* the key type and key description string
* - the desc is used to match a key against search criteria
@@ -290,6 +291,7 @@ extern struct key *key_alloc(struct key_type *type,
#define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */
#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
#define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */
+#define KEY_ALLOC_BUILT_IN_ROT 0x0040 /* Add builtin root of trust key */
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
diff --git a/security/keys/key.c b/security/keys/key.c
index c45afdd1dfbb..732bb837fc51 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
key->flags |= 1 << KEY_FLAG_UID_KEYRING;
if (flags & KEY_ALLOC_SET_KEEP)
key->flags |= 1 << KEY_FLAG_KEEP;
+ if (flags & KEY_ALLOC_BUILT_IN_ROT)
+ key->flags |= 1 << KEY_FLAG_BUILTIN_ROT;
#ifdef KEY_DEBUGGING
key->magic = KEY_DEBUG_MAGIC;
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
perm |= KEY_POS_WRITE;
}
+ /* Only allow KEY_ALLOC_BUILT_IN_ROT flag to be set by preparser contents */
+ if (prep.payload_flags & KEY_ALLOC_ROT)
+ flags |= KEY_ALLOC_BUILT_IN_ROT;
+ else
+ flags &= ~KEY_ALLOC_BUILT_IN_ROT;
+
/* allocate a new key */
key = key_alloc(index_key.type, index_key.description,
cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
--
2.27.0
next prev parent reply other threads:[~2022-04-06 16:28 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-06 1:53 [PATCH 0/7] Add CA enforcement keyring restrictions Eric Snowberg
2022-04-06 1:53 ` [PATCH 1/7] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2022-04-06 1:53 ` [PATCH 2/7] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2022-04-08 14:39 ` Mimi Zohar
2022-04-08 15:31 ` Eric Snowberg
2022-04-06 1:53 ` [PATCH 3/7] KEYS: X.509: Parse Key Usage Eric Snowberg
2022-04-08 14:39 ` Mimi Zohar
2022-04-06 1:53 ` Eric Snowberg [this message]
2022-04-08 14:40 ` [PATCH 4/7] KEYS: Introduce a builtin root of trust key flag Mimi Zohar
2022-04-08 15:27 ` Eric Snowberg
2022-04-08 16:55 ` Mimi Zohar
2022-04-08 17:34 ` Eric Snowberg
2022-04-08 18:49 ` Mimi Zohar
2022-04-08 21:59 ` Eric Snowberg
2022-04-11 15:30 ` Mimi Zohar
2022-04-14 16:36 ` Eric Snowberg
2022-04-14 18:09 ` Mimi Zohar
2022-04-14 21:59 ` Eric Snowberg
2022-04-15 16:14 ` Mimi Zohar
2022-04-06 1:53 ` [PATCH 5/7] KEYS: Introduce sig restriction that validates root of trust Eric Snowberg
2022-04-06 19:55 ` kernel test robot
2022-04-06 1:53 ` [PATCH 6/7] KEYS: X.509: Flag Intermediate CA certs as built in Eric Snowberg
2022-04-07 1:04 ` kernel test robot
2022-04-06 1:53 ` [PATCH 7/7] integrity: Use root of trust signature restriction Eric Snowberg
2022-04-06 20:45 ` [PATCH 0/7] Add CA enforcement keyring restrictions Mimi Zohar
2022-04-06 22:53 ` Eric Snowberg
2022-04-08 14:41 ` Mimi Zohar
2022-11-04 13:20 ` Coiby Xu
2022-11-04 21:06 ` Eric Snowberg
2022-11-09 1:24 ` Elaine Palmer
2022-11-09 14:25 ` Eric Snowberg
2022-11-09 14:58 ` Elaine Palmer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220406015337.4000739-5-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=pvorel@suse.cz \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).