| Message ID | 20210907160110.2699645-5-eric.snowberg@oracle.com |
|---|---|
| State | New |
| Headers | show |
| Series | Enroll kernel keys thru MOK | expand |
On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to > restrict_link_by_ca. This will only allow CA keys into the machine > keyring. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > v1: Initial version > v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok > keyring gets created even when it isn't enabled > v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca > v4: removed unnecessary restriction->check set > v5: Rename to machine keyring > --- > security/integrity/digsig.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 5a75ac2c4dbe..2b75bbbd9e0e 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) > goto out; > } > > - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) > + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) > return 0; > > restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); > if (!restriction) > return -ENOMEM; > > - restriction->check = restrict_link_to_ima; > + if (id == INTEGRITY_KEYRING_MACHINE) > + restriction->check = restrict_link_by_ca; > + else > + restriction->check = restrict_link_to_ima; > + > if (id != INTEGRITY_KEYRING_MACHINE) > perm |= KEY_USR_WRITE; > 03 and 04 look sane. As said, the patches seem to be already in nice shape. /Jarkko
On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to > restrict_link_by_ca. This will only allow CA keys into the machine > keyring. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Normally the new function, in this case the restriction, and usage should be defined together. Any reason why 3/12 and 4/12 are two separate patches? I would squash them together. > --- > v1: Initial version > v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok > keyring gets created even when it isn't enabled > v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca > v4: removed unnecessary restriction->check set > v5: Rename to machine keyring > --- > security/integrity/digsig.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 5a75ac2c4dbe..2b75bbbd9e0e 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) > goto out; > } > > - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) > + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) Over 80 chars, please split the line. thanks, Mimi > return 0; > > restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); > if (!restriction) > return -ENOMEM; > > - restriction->check = restrict_link_to_ima; > + if (id == INTEGRITY_KEYRING_MACHINE) > + restriction->check = restrict_link_by_ca; > + else > + restriction->check = restrict_link_to_ima; > + > if (id != INTEGRITY_KEYRING_MACHINE) > perm |= KEY_USR_WRITE; >
> On Sep 9, 2021, at 11:25 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: >> Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to >> restrict_link_by_ca. This will only allow CA keys into the machine >> keyring. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > Normally the new function, in this case the restriction, and usage > should be defined together. Any reason why 3/12 and 4/12 are two > separate patches? I split them since they cross subsystems. > I would squash them together. But I can squash them together in the next round. > >> --- >> v1: Initial version >> v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok >> keyring gets created even when it isn't enabled >> v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca >> v4: removed unnecessary restriction->check set >> v5: Rename to machine keyring >> --- >> security/integrity/digsig.c | 8 ++++++-- >> 1 file changed, 6 insertions(+), 2 deletions(-) >> >> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c >> index 5a75ac2c4dbe..2b75bbbd9e0e 100644 >> --- a/security/integrity/digsig.c >> +++ b/security/integrity/digsig.c >> @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) >> goto out; >> } >> >> - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) >> + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) > > Over 80 chars, please split the line I thought the 80 char limit was relaxed? But if it hasn’t I can change this too. Thanks.
On Thu, 2021-09-09 at 11:53 -0600, Eric Snowberg wrote: > > On Sep 9, 2021, at 11:25 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > >> Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to > >> restrict_link_by_ca. This will only allow CA keys into the machine > >> keyring. > >> > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > > Normally the new function, in this case the restriction, and usage > > should be defined together. Any reason why 3/12 and 4/12 are two > > separate patches? > > I split them since they cross subsystems. That makes sense. thanks, Mimi
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 5a75ac2c4dbe..2b75bbbd9e0e 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MACHINE) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; + if (id != INTEGRITY_KEYRING_MACHINE) perm |= KEY_USR_WRITE;
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v1: Initial version v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok keyring gets created even when it isn't enabled v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca v4: removed unnecessary restriction->check set v5: Rename to machine keyring --- security/integrity/digsig.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)