linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Snowberg <eric.snowberg@oracle.com>
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com,
	dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
	dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
	tadeusz.struk@intel.com, eric.snowberg@oracle.com,
	kanth.ghatraju@oracle.com, konrad.wilk@oracle.com,
	erpalmer@linux.vnet.ibm.com, coxu@redhat.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v4 0/6] Add CA enforcement keyring restrictions
Date: Mon,  6 Feb 2023 21:59:52 -0500	[thread overview]
Message-ID: <20230207025958.974056-1-eric.snowberg@oracle.com> (raw)

Prior to the introduction of the machine keyring, most distros simply 
allowed all keys contained within the platform keyring to be used
for both kernel and module verification.  This was done by an out of
tree patch.  Some distros took it even further and loaded all these keys
into the secondary trusted keyring.  This also allowed the system owner 
to add their own key for IMA usage.

Each distro contains similar documentation on how to sign kernel modules
and enroll the key into the MOK.  The process is fairly straightforward.
With the introduction of the machine keyring, the process remains
basically the same, without the need for any out of tree patches.

The machine keyring allowed distros to eliminate the out of tree patches
for kernel module signing.  However, it falls short in allowing the end 
user to add their own keys for IMA. Currently, the machine keyring can not 
be used as another trust anchor for adding keys to the ima keyring, since 
CA enforcement does not currently exist.  This would expand the current 
integrity gap. The IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 
Kconfig states that keys may be added to the ima keyrings if the key is 
validly signed by a CA cert in the system built-in or secondary trusted 
keyring.  Currently, there is not code that enforces the contents of a
CA cert.

This series introduces a way to do CA enforement with the machine
keyring. It introduces three different ways to configure the machine
keyring. A new menu option is added to control the type of keys that may
be added to it.  The options include none, min, and max restrictions. The
default is CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE. This allows all MOK
keys into the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN
is selected, the X.509 CA bit must be true.  Also, the key usage must
contain keyCertSign, any other usage field may also be set. When 
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the X.509 CA bit
must be true.  Also, the key usage must contain keyCertSign and the
digitialSignature usage may not be set. If a key doesn't pass the CA
restriction check, instead of going into the machine keyring, it is
added to the platform keyring. With the ability to configure the machine
keyring with CA restrictions, code that prevented the machine keyring
from being enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
has been removed.

Changelog:
v4:
- Removed all code that validated the certificate chain back to the root
  CA. Now the only restriction is what is initially placed in the
  machine keyring.
- Check and store if the X.509 usage contains digitalSignature
- New Kconfig menu item with none, min and max CA restriction on the 
  machine keyring

v3:
- Allow Intermediate CA certs to be enrolled through the MOK. The
  Intermediate CA cert must contain keyCertSign key usage and have the 
  CA bit set to true. This was done by removing the self signed
  requirement.

Eric Snowberg (6):
  KEYS: Create static version of public_key_verify_signature
  KEYS: Add missing function documentation
  KEYS: X.509: Parse Basic Constraints for CA
  KEYS: X.509: Parse Key Usage
  KEYS: CA link restriction
  integrity: machine keyring CA configuration

 certs/system_keyring.c                    | 14 +++++--
 crypto/asymmetric_keys/restrict.c         | 40 ++++++++++++++++++
 crypto/asymmetric_keys/x509_cert_parser.c | 50 +++++++++++++++++++++++
 include/crypto/public_key.h               | 28 +++++++++++++
 security/integrity/Kconfig                | 39 +++++++++++++++++-
 security/integrity/digsig.c               |  8 +++-
 6 files changed, 173 insertions(+), 6 deletions(-)


base-commit: 4ec5183ec48656cec489c49f989c508b68b518e3
-- 
2.27.0


             reply	other threads:[~2023-02-07  3:01 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-07  2:59 Eric Snowberg [this message]
2023-02-07  2:59 ` [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2023-02-10  3:39   ` Jarkko Sakkinen
2023-02-10 22:38     ` Eric Snowberg
2023-02-07  2:59 ` [PATCH v4 2/6] KEYS: Add missing function documentation Eric Snowberg
2023-02-08 21:48   ` Mimi Zohar
2023-02-10  3:40   ` Jarkko Sakkinen
2023-02-07  2:59 ` [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2023-02-08 21:01   ` Mimi Zohar
2023-02-10  3:46   ` Jarkko Sakkinen
2023-02-07  2:59 ` [PATCH v4 4/6] KEYS: X.509: Parse Key Usage Eric Snowberg
2023-02-08 21:02   ` Mimi Zohar
2023-02-10  3:48   ` Jarkko Sakkinen
2023-02-10 22:39     ` Eric Snowberg
2023-02-07  2:59 ` [PATCH v4 5/6] KEYS: CA link restriction Eric Snowberg
2023-02-09  2:55   ` Mimi Zohar
2023-02-07  2:59 ` [PATCH v4 6/6] integrity: machine keyring CA configuration Eric Snowberg
2023-02-10 13:05   ` Mimi Zohar
2023-02-10 22:42     ` Eric Snowberg
2023-02-13  7:54     ` Jarkko Sakkinen
2023-02-14 21:24       ` Eric Snowberg
2023-02-08 12:38 ` [PATCH v4 0/6] Add CA enforcement keyring restrictions Mimi Zohar
2023-02-08 23:26   ` Eric Snowberg
2023-02-09  2:54     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230207025958.974056-1-eric.snowberg@oracle.com \
    --to=eric.snowberg@oracle.com \
    --cc=coxu@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=erpalmer@linux.vnet.ibm.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=kanth.ghatraju@oracle.com \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=pvorel@suse.cz \
    --cc=serge@hallyn.com \
    --cc=tadeusz.struk@intel.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).