[v3,09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys

From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
	gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
	scott.branden@broadcom.com, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com,
	glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 09/14] KEYS: Introduce link restriction to include
	builtin, secondary and mok keys
Date: Wed, 11 Aug 2021 22:18:50 -0400
Message-Id: <20210812021855.3083178-10-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost.us.oracle.com (148.87.23.9) by
	BYAPR05CA0062.namprd05.prod.outlook.com
	(2603:10b6:a03:74::39) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.9
	via Frontend Transport; Thu, 12 Aug 2021 02:19:33 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a22d067c-5fdd-4e80-d289-08d95d37a155
X-MS-TrafficTypeDiagnostic: CH2PR10MB3960:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <CH2PR10MB39603BA2E2BD93A76532A4E687F99@CH2PR10MB3960.namprd10.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: roGCUC38FLHWeQWXtVmf2WvQdg183Mj5C3Iwvr5KSaxZ8enne2WClMq4ECu0zRSm//pMZKWT81Lu01js/T+SrBBxmmK41dFL718347zPccBt6X8X1dDB16MUB/MPTGidRtICNJ/rIuKiOxA+aVpOmIl4QM/VGxWBABMbUK44U48m93thQFMTd53JxZjWkNGlPNn5i1S2RkrmLoYohWfpTb6c5wOzLizMAPsPTLwG8p03tyLK7+/Lcysy0326R9mBvvyC8/eSLHsvfR+58vO27I5aeuj4RkXD4W60DRlxDBRf/l6nVZChbggj2+B0SVVvTYPhWw+Swkd2O8BDa+bimaI4+gLO4X+4fhtRrvvWBxWRl3ZNVRhxInlw5SvxvWLNgeWPSAbTl4LNpukctbD6Wiu33PPhH1ajpl6jboH4X49uZmioy7WbDoynZMFTrWCcFTBj0ImqGbxb6DBpaDyCZQ/u19uU+MX1K/y/fb9bcYO/5kC3o9v7xU/PxDKmOifpco/rY2GLRzJUCsSvqh4WcRbT8wyHxbTGS7sW7iLVYxnYAt+EvrpwCR7Qh1c9XWeUfH2O/jVxUKeHJ8HsdDFUJCjKvD39zOtS2K/H6rc0HPe59H806cwK7eBjd3Dmv1ap+gBTExhOl7s0BgU43LIyOZ/i6khMO+iemyuH34rcomBY66MB2zB4MlbsehjZf21ks7toOR13zLRZx5WRv+V8ZNc+mhf/+NHITTL6acS8kLA=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com;
	PTR:; CAT:NONE;
	SFS:(396003)(39860400002)(366004)(346002)(136003)(376002)(7696005)(2616005)(38100700002)(66476007)(956004)(38350700002)(8936002)(6486002)(52116002)(66946007)(2906002)(44832011)(478600001)(316002)(36756003)(26005)(86362001)(4326008)(66556008)(921005)(186003)(8676002)(5660300002)(1076003)(107886003)(6666004)(7416002);
	DIR:OUT; SFP:1101; 
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: Q5A7R1knFIUGEreRcMa2P8Wjo7mEmHC7nYwjsQjBYmdXVuOv2ZG2K/cipoerxiWLLepTRz4whQoMhXX5AAphwm81LbSDAM7/OxHLEgIIu7S6eSyUgiPbACtQMuQYiuxM2pYlfVzdGQJ7Ge7QoN69Tqj66p/+iLb7ounSr5x51tnozl0jodyy+oYmilDlrR5/KavgbJMVYZgsDOOlv6Ad+ESmy3BssuZ+1waEGXmglZ4VTDYhBQ/6UjNHvfdc6GAdAN+1SbqQZ6cDBBtBI2MeWQEZMA6/q3VUzb32Cw243iLO36LzFQExVhqZZmG9o5ZFVSziZb5VU0smNYODv0/4nLpuweVO7GDvk2IL5d9KakQXOayyjysT66yRv6CGl2JVjEHyLutxJ98J51KSfbBO9BAtj/wF93hp6osjP+cGLzrHiC+UHmb4NVQeiifwEF3nNECV0UaeVAPpBEQzjea6AWcVHLYEYD0yiBAgJYDDPjbCNJRHzj0QHUE6s6iSypuZlw9w1rDIJIlHiAcQFMsSjxo4UNQ2ZVj3DwIIpg/PnS/RyEa5g5sUw4tvnjZ8HJJoNVYLeAfhbQOVMnmGOeqOs2+BHD/6VoO5kIxZC31whjDkrsOwJfsCTf3mC8fG2/HNDcBkPyntS/+vYJ4cDwyVW+l1OO3JqbJVP2lxEXtovVyAqKygxUDuyMY213sahokq0gdEQ15l22hOUnIgQA9XFuYg385IaH8D1eUzUNfEkmXsMjsOzHfL1He4tRYto4Pi7Iouv0WVi0DX2XXYITEbyPBVzrHH3f6ihekqy3+4qrIRD89VJu0XFA9rdyV3P4SC0RTvszMimBDkvkhjGX/CTG4j/tBw51OhHNhCtqCASi/sLHxONE0ke93CFjGPbA/9fBaEiEi9gornDwE2B8fcvbSeEyeyakjo6tTnm+F6C/lGbkAdT4v69clZTyaiPzrpk1kcrkt7G8+6noMImG7OXOvvG0YMTBb+fCYAbVlnwXRxgQCaU2Zh5+Jiee4jFx7G/4wtvPsmHJARaEZhnHax3qNVl7fVex5m6eMUy/qKXp6DF6+DPMmrKIXs98rQKaGwB3C/iTeIJIr42Bab7pS0STnvxiz80R9KSjjRoPo+UnomrQox89+MLs45oBEGY4vmVh+FCJL9ZDO0n8ncCmosYmq5hQKgQHqsVMCGuVtXPmCPwlbu/CYKKdOBxheiZ7rKx84X1MeSTtFujdFtB4VcXUpao0WVzfXTmBJcJdWNRZiRAjBBKugpmbdfm3iS9UZszfuTFidwChCuoo5fE2+HiQ4jrBa3H/zgSB+AZ7I94nNi0cXWF57T39vlcNTxKMc0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a22d067c-5fdd-4e80-d289-08d95d37a155
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Aug 2021 02:19:36.2649
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 334pX9rBGg+IuUGrQ8YdGR15N6/cxQz7gEMkZ2FVwveXlWpCBmZUtm2hU9qafXgtuA3fEknKiLkqmac+iU5WmTFsA3kNs5Ookp9wN5ejDtg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB3960
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10073
	signatures=668682
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0
	mlxscore=0 bulkscore=0
	spamscore=0 phishscore=0 mlxlogscore=999 suspectscore=0
	malwarescore=0
	classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.12.0-2107140000
	definitions=main-2108120013
X-Proofpoint-ORIG-GUID: TYB8AbZy1RZJ2A5ZXWhTsE_5XrbUWuoz
X-Proofpoint-GUID: TYB8AbZy1RZJ2A5ZXWhTsE_5XrbUWuoz
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Message ID	20210812021855.3083178-10-eric.snowberg@oracle.com
State	New
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Eric Snowberg <eric.snowberg@oracle.com> To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH v3 09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys Date: Wed, 11 Aug 2021 22:18:50 -0400 Message-Id: <20210812021855.3083178-10-eric.snowberg@oracle.com> In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com> References: <20210812021855.3083178-1-eric.snowberg@oracle.com> Content-Type: text/plain MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Precedence: bulk
Series	Enroll kernel keys thru MOK \| expand [v3,00/14] Enroll kernel keys thru MOK [v3,01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) [v3,02/14] KEYS: CA link restriction [v3,03/14] integrity: Trust MOK keys if MokListTrustedRT found [v3,04/14] integrity: add add_to_mok_keyring [v3,05/14] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca [v3,06/14] integrity: accessor function to get trust_moklist [v3,07/14] integrity: add new keyring handler for mok keys [v3,08/14] KEYS: add a reference to mok keyring [v3,09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys [v3,10/14] KEYS: change link restriction for secondary to also trust mok [v3,11/14] KEYS: link secondary_trusted_keys to mok trusted keys [v3,12/14] integrity: Do not allow mok keyring updates following init [v3,13/14] integrity: store reference to mok keyring [v3,14/14] integrity: change ima link restriction to include mok keys

[v3,09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys

Commit Message

Patch