From: Eric Snowberg <eric.snowberg@oracle.com>
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com,
dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
tadeusz.struk@intel.com, eric.snowberg@oracle.com,
kanth.ghatraju@oracle.com, konrad.wilk@oracle.com,
erpalmer@linux.vnet.ibm.com, coxu@redhat.com,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Mon, 6 Feb 2023 21:59:58 -0500 [thread overview]
Message-ID: <20230207025958.974056-7-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
Add a machine keyring CA restriction menu option to control the type of
keys that may be added to it. The options include none, min and max
restrictions.
When no restrictions are selected, all Machine Owner Keys (MOK) are added
to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
selected, the CA bit must be true. Also the key usage must contain
keyCertSign, any other usage field may be set as well.
When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
be true. Also the key usage must contain keyCertSign and the
digitialSignature usage may not be set.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
crypto/asymmetric_keys/restrict.c | 2 ++
security/integrity/Kconfig | 39 ++++++++++++++++++++++++++++++-
security/integrity/digsig.c | 8 +++++--
3 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 48457c6f33f9..633021ea7901 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -140,6 +140,8 @@ int restrict_link_by_ca(struct key *dest_keyring,
return -ENOKEY;
if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
return -ENOKEY;
+ if (IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN))
+ return 0;
if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
return -ENOKEY;
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 599429f99f99..eba6fd59fd16 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,13 +68,50 @@ config INTEGRITY_MACHINE_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
depends on SYSTEM_BLACKLIST_KEYRING
depends on LOAD_UEFI_KEYS
- depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
help
If set, provide a keyring to which Machine Owner Keys (MOK) may
be added. This keyring shall contain just MOK keys. Unlike keys
in the platform keyring, keys contained in the .machine keyring will
be trusted within the kernel.
+choice
+ prompt "Enforce Machine Keyring CA Restrictions"
+ default INTEGRITY_CA_MACHINE_KEYRING_NONE
+ depends on INTEGRITY_MACHINE_KEYRING
+ help
+ The .machine keyring can be configured to enforce CA restriction
+ on any key added to it. The options include none, min and max
+ restrictions. By default no restrictions are in place and all
+ Machine Owner Keys (MOK) are added to the machine keyring.
+
+config INTEGRITY_CA_MACHINE_KEYRING_NONE
+ bool "No restrictions"
+ help
+ When no restrictions are selected, all Machine Owner Keys (MOK)
+ are added to the machine keyring. MOK keys do not require the
+ CA bit to be set. The key usage field is ignored. This is the
+ default setting.
+
+config INTEGRITY_CA_MACHINE_KEYRING_MIN
+ bool "Only CA keys (with or without DigitialSignature usage set)"
+ help
+ When min is selected, only load CA keys into the machine keyring.
+ The CA bit must be set along with the keyCertSign Usage field.
+ Keys containing the digitialSignature Usage field will also be
+ loaded. The remaining MOK keys are loaded into the .platform
+ keyring.
+
+config INTEGRITY_CA_MACHINE_KEYRING_MAX
+ bool "Only CA keys"
+ help
+ When max is selected, only load CA keys into the machine keyring.
+ The CA bit must be set along with the keyCertSign Usage field.
+ Keys containing the digitialSignature Usage field will not be
+ loaded. The remaining MOK keys are loaded into the .platform
+ keyring.
+
+endchoice
+
config LOAD_UEFI_KEYS
depends on INTEGRITY_PLATFORM_KEYRING
depends on EFI
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f2193c531f4a..3385f534f1da 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id)
| KEY_USR_READ | KEY_USR_SEARCH;
if (id == INTEGRITY_KEYRING_PLATFORM ||
- id == INTEGRITY_KEYRING_MACHINE) {
+ (id == INTEGRITY_KEYRING_MACHINE &&
+ IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE))) {
restriction = NULL;
goto out;
}
@@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id)
if (!restriction)
return -ENOMEM;
- restriction->check = restrict_link_to_ima;
+ if (id == INTEGRITY_KEYRING_MACHINE)
+ restriction->check = restrict_link_by_ca;
+ else
+ restriction->check = restrict_link_to_ima;
/*
* MOK keys can only be added through a read-only runtime services
--
2.27.0
next prev parent reply other threads:[~2023-02-07 3:01 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-07 2:59 [PATCH v4 0/6] Add CA enforcement keyring restrictions Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2023-02-10 3:39 ` Jarkko Sakkinen
2023-02-10 22:38 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 2/6] KEYS: Add missing function documentation Eric Snowberg
2023-02-08 21:48 ` Mimi Zohar
2023-02-10 3:40 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2023-02-08 21:01 ` Mimi Zohar
2023-02-10 3:46 ` Jarkko Sakkinen
2023-02-07 2:59 ` [PATCH v4 4/6] KEYS: X.509: Parse Key Usage Eric Snowberg
2023-02-08 21:02 ` Mimi Zohar
2023-02-10 3:48 ` Jarkko Sakkinen
2023-02-10 22:39 ` Eric Snowberg
2023-02-07 2:59 ` [PATCH v4 5/6] KEYS: CA link restriction Eric Snowberg
2023-02-09 2:55 ` Mimi Zohar
2023-02-07 2:59 ` Eric Snowberg [this message]
2023-02-10 13:05 ` [PATCH v4 6/6] integrity: machine keyring CA configuration Mimi Zohar
2023-02-10 22:42 ` Eric Snowberg
2023-02-13 7:54 ` Jarkko Sakkinen
2023-02-14 21:24 ` Eric Snowberg
2023-02-08 12:38 ` [PATCH v4 0/6] Add CA enforcement keyring restrictions Mimi Zohar
2023-02-08 23:26 ` Eric Snowberg
2023-02-09 2:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230207025958.974056-7-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=coxu@redhat.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=erpalmer@linux.vnet.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=serge@hallyn.com \
--cc=tadeusz.struk@intel.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).