* Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: Mickaël Salaün @ 2021-02-24 11:56 UTC
To: David Howells, Eric Snowberg
Cc: Jarkko Sakkinen, Mickaël Salaün, David Woodhouse,
keyrings, linux-kernel
On 24/02/2021 11:51, David Howells wrote:
> How about these changes?
>
> I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
>
> I've also added kerneldoc comments and moved the functions so that they're not
> in the middle of the blacklist-specific stuff.
>
> I'm not sure uefi_revocation_list_x509() needs conditionalising as the
> optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
> doesn't disable inlining).
>
> David
> ---
> diff --git a/certs/Kconfig b/certs/Kconfig
> index c94e93d8bccf..76e469b56a77 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
> wrapper to incorporate the list into the kernel. Each <hash> should
> be a string of hex digits.
>
> +config SYSTEM_REVOCATION_LIST
> + bool "Provide system-wide ring of revocation certificates"
> + depends on SYSTEM_BLACKLIST_KEYRING
> + depends on PKCS7_MESSAGE_PARSER=y
The function verify_pkcs7_message_sig() (which is patched) is only
available if CONFIG_SYSTEM_DATA_VERIFICATION is defined. I suggest using
the same dependencies as for my dynamic authenticated blacklist keyring
patchset.
> + help
> + If set, this allows revocation certificates to be stored in the
> + blacklist keyring and implements a hook whereby a PKCS#7 message can
> + be checked to see if it matches such a certificate.
> +
> endmenu
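Review bot: the `depends on` lines for SYSTEM_REVOCATION_LIST omit SYSTEM_DATA_VERIFICATION, yet the only consumer named in this thread, verify_pkcs7_message_sig(), is only built when CONFIG_SYSTEM_DATA_VERIFICATION is set; adding `depends on SYSTEM_DATA_VERIFICATION` beside the SYSTEM_BLACKLIST_KEYRING line would keep the option from being offered in configurations where nothing ever consults the revocation list. The help text should also state what happens when the option is off (the add/check functions become no-op stubs, so dbx X509 certificates are not enforced), since that is the security-relevant difference a person configuring a kernel needs to see.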
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index e9f5fc632f0d..2b8644123d5f 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash)
> return 0;
> }
>
> -int add_key_to_revocation_list(const char *data, size_t size)
> -{
> - key_ref_t key;
> -
> - key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> - "asymmetric",
> - NULL,
> - data,
> - size,
> - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> - KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> -
> - if (IS_ERR(key)) {
> - pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> - return PTR_ERR(key);
> - }
> -
> - return 0;
> -}
> -
> -int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> -{
> - int ret;
> -
> - ret = validate_trust(pkcs7, blacklist_keyring);
> -
> - if (ret == 0)
> - return -EKEYREJECTED;
> -
> - return -ENOKEY;
> -}
> -
> /**
> * is_hash_blacklisted - Determine if a hash is blacklisted
> * @hash: The hash to be checked as a binary blob
Could you please not move those functions? It makes the patch more
readable and avoids merge conflicts (e.g. with the dynamic authenticated
blacklist keyring patchset). Thanks.
> @@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> }
> EXPORT_SYMBOL_GPL(is_binary_blacklisted);
>
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +/**
> + * add_key_to_revocation_list - Add a revocation certificate to the blacklist
> + * @data: The data blob containing the certificate
> + * @size: The size of data blob
> + */
> +int add_key_to_revocation_list(const char *data, size_t size)
> +{
> + key_ref_t key;
> +
> + key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> + "asymmetric",
> + NULL,
> + data,
> + size,
> + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> +
> + if (IS_ERR(key)) {
> + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> + return PTR_ERR(key);
> + }
> +
> + return 0;
> +}
> +
> +/**
> + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
> + * @pkcs7: The PKCS#7 message to check
> + */
> +int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> +{
> + int ret;
> +
> + ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
> +
> + if (ret == 0)
> + return -EKEYREJECTED;
> +
> + return -ENOKEY;
> +}
> +#endif
> +
> /*
> * Initialise the blacklist
> */
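Review bot: is_key_on_revocation_list() folds every non-zero result of pkcs7_validate_trust() into -ENOKEY, so a failure inside the trust walk (an allocation failure, a malformed certificate chain) reaches the caller looking exactly like "not revoked"; if the caller treats -ENOKEY as permission to continue, an internal error silently passes the revocation check. Consider returning `ret` unchanged for anything other than -ENOKEY, and add a `Return:` section to the new kerneldoc blocks so the -EKEYREJECTED / -ENOKEY contract is written down where callers will look for it.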
> diff --git a/certs/blacklist.h b/certs/blacklist.h
> index 420bb7c86e07..51b320cf8574 100644
> --- a/certs/blacklist.h
> +++ b/certs/blacklist.h
> @@ -3,13 +3,3 @@
> #include <crypto/pkcs7.h>
>
> extern const char __initconst *const blacklist_hashes[];
> -
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> -#define validate_trust pkcs7_validate_trust
> -#else
> -static inline int validate_trust(struct pkcs7_message *pkcs7,
> - struct key *trust_keyring)
> -{
> - return -ENOKEY;
> -}
> -#endif
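Review bot: removing the validate_trust() wrapper changes which configs get the real check: the old stub returning -ENOKEY was selected when CONFIG_INTEGRITY_PLATFORM_KEYRING was off, while the new code gates the direct pkcs7_validate_trust() call on CONFIG_SYSTEM_REVOCATION_LIST instead, so a platform-keyring config that does not turn the new option on loses the revocation check; the commit message should say so. With the wrapper gone, the `#include <crypto/pkcs7.h>` left at the top of this header is no longer used by anything in it and can go once blacklist.c is confirmed to get the struct pkcs7_message declaration from elsewhere.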
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 61f98739e8b1..875e002a4180 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> extern struct pkcs7_message *pkcs7;
> #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
> extern int mark_hash_blacklisted(const char *hash);
> -extern int add_key_to_revocation_list(const char *data, size_t size);
> extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type);
> extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> -extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
> #else
> static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type)
> @@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> {
> return 0;
> }
> +#endif
> +
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +extern int add_key_to_revocation_list(const char *data, size_t size);
> +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
> +#else
> static inline int add_key_to_revocation_list(const char *data, size_t size)
> {
> return 0;
>
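Review bot: before this change the real declarations of add_key_to_revocation_list() and is_key_on_revocation_list() sat under CONFIG_SYSTEM_BLACKLIST_KEYRING; after it, the `#else` stubs are reachable with the blacklist keyring enabled but SYSTEM_REVOCATION_LIST off, and the stub add_key_to_revocation_list() returns 0, so a caller handing a dbx X509 certificate to the blacklist gets a success code while nothing is stored. Returning a distinct error such as -EOPNOTSUPP from the stub, or at least logging once that the revocation list is compiled out, would make a silently disabled revocation list visible instead of indistinguishable from a successful load.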
* Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: David Howells @ 2021-02-24 12:40 UTC
To: Mickaël Salaün
Cc: dhowells, Eric Snowberg, Jarkko Sakkinen, Mickaël Salaün,
David Woodhouse, keyrings, linux-kernel
Mickaël Salaün <mic@digikod.net> wrote:
> > +config SYSTEM_REVOCATION_LIST
> > + bool "Provide system-wide ring of revocation certificates"
> > + depends on SYSTEM_BLACKLIST_KEYRING
> > + depends on PKCS7_MESSAGE_PARSER=y
>
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.
That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST. Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.
> I suggest using the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.
This, you mean?
config SYSTEM_BLACKLIST_AUTH_UPDATE
	bool "Allow root to add signed blacklist keys"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on SYSTEM_DATA_VERIFICATION
I.e.:
config SYSTEM_REVOCATION_LIST
	bool "Provide system-wide ring of revocation certificates"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on SYSTEM_DATA_VERIFICATION
	depends on PKCS7_MESSAGE_PARSER=y
I suppose you could argue it that way since it's only used for that
purpose. Note that it does need the PKCS7 dep since it explicitly uses that
code.
> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.
I would suggest merging these changes in so that the error is not found by
bisection. But the functions really are mislocated :-/
David
* Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: Eric Snowberg @ 2021-02-25 4:03 UTC
To: David Howells
Cc: Jarkko Sakkinen, Mickaël Salaün, David Woodhouse,
keyrings, linux-kernel
> On Feb 24, 2021, at 3:51 AM, David Howells <dhowells@redhat.com> wrote:
>
> How about these changes?
>
> I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
I believe this is ok. However currently, whenever the kernel finds either an
EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads
it into the blacklist keyring. Then any time signature validation takes place,
these entries are referenced. If there is a match, the signature check fails.
Now with the inclusion of EFI_CERT_X509_GUID, I question why we want to enable
it through a Kconfig option, when we don’t for the other two types.
> I've also added kerneldoc comments
Thanks
> and moved the functions so that they're not
> in the middle of the blacklist-specific stuff.
>
> I'm not sure uefi_revocation_list_x509() needs conditionalising as the
> optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
> doesn't disable inlining).
>
> David
* Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: David Howells @ 2021-02-25 14:43 UTC
To: Eric Snowberg
Cc: dhowells, Jarkko Sakkinen, Mickaël Salaün,
David Woodhouse, keyrings, linux-kernel
Eric Snowberg <eric.snowberg@oracle.com> wrote:
> > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
>
> I believe this is ok. However currently, whenever the kernel finds either an
> EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads
> it into the blacklist keyring. Then any time signature validation takes
> place, these entries are referenced. If there is a match, the signature
> check fails. Now with the inclusion of EFI_CERT_X509_GUID, I question why
> we want to enable it through a Kconfig option, when we don’t for the other two
> types.
But we do.
mark_hash_blacklisted(), is_hash_blacklisted() and is_binary_blacklisted() do
nothing if CONFIG_SYSTEM_BLACKLIST_KEYRING=n.
David