[v8,06/17] KEYS: CA link restriction

From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
        zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
        herbert@gondor.apana.org.au, davem@davemloft.net,
        jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
        torvalds@linux-foundation.org, weiyongjun1@huawei.com,
        nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
        nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
        linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
        linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
        James.Bottomley@HansenPartnership.com, pjones@redhat.com,
        konrad.wilk@oracle.com
Subject: [PATCH v8 06/17] KEYS: CA link restriction
Date: Tue, 23 Nov 2021 23:41:13 -0500
Message-Id: <20211124044124.998170-7-eric.snowberg@oracle.com>
In-Reply-To: <20211124044124.998170-1-eric.snowberg@oracle.com>
References: <20211124044124.998170-1-eric.snowberg@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 zl8CPIHU86XDwPJrATuCcAQnXIJFJLlNnvQVn0r96F5KR4djx+izoj0mdq9Uyq11geLdv2BAT97PtY8EJC9b7Vx6khJmAGgsVqPljSOOEv+rGREkReYP2Lr4euNbStJZgVdoX870IMwRpk7amzlO3os9Me5HjmqD+WJshBYb8eqbU0OBQuprNytgmkwHeo7xbCzSNgcS9tZUBc6g3zwRVaPeOi60lOfP1ibqVhEipy/nkTj4ZH6LUPSIWV91E2t7Ti4hVpeWk30/8HjdA7hf20rZ+ZJ5pJjriD5IVCcOGstVNHTDBvgT8HGNUG6M1VP+yBZZTuP+PHw20MFW7kalLojrJuoHq/XwqUKgjOCNUFvAhzm6MWITXydgRKoqIY+I4l9HjonqW73SmkhNKuvI18mLHLxUrHHoW9vAiVME70P44v9nGiDh5ccmtW6e3gu0GndhNNqiz3chR6+wZcuwW2p/pyhiZwtQMFKkmi3WfNHBn/dAIkxF3LmnZ1IHD2vIW/GSROtTp4jXzRoKky+CeEnyQU1N/s8sKiZe4NLN1Wl3hio3vz1IrDYzS/tUKoa7AZ+DJX1pyvl9pclqVtUyfDgrVS8MqUBVu2ybSnOYRohK8UnTfA6AzTha2P1t4D785bP8wp3znsFewSy6hJMrN7uHbNnLMFDyN6Ex82pzaYvFCSbnOqEs2Agq9IQfvj6cnYMiLduNpdvFToqam2RzXfZwGBKLgblUClPYfsg0jllZYOTx8bBxEwQNuBD0hUkYTjhW6kW8Bsc8GKtNUcudwEUNJn/AoHwHW8lbms/mYgdovhy6fHBN+xUCoTE8UhQ1A9UcvapOSch0275I+946B7LM9fplxENObGulcFi3BVCOWmFuh4pGAVAGeYurETLf4wSrmdN7KY08sN3eQ101NKw839Us1HBjH/H1YyWUbqjh6hBh/xufzc98lcXIXk/nreSc+YTR3Fde5qyXfcHW4RAY41mVUzHlyQ4t8cK/j9drToGfZyYJby083656jjsh3XX2jEmaoDXY3iyGdnmd/nCP93FmBBE0T2t2cYNx8uB7n8oigXqIM9KF50WnXfxltC+8Zgh4Abo7neaa1x3x1RHysHo90eq51BHtfyky/mkYFlMAWrH4vsfp4kz4a54I6MDauKUvkNZaGburT8eL6wx2UIj8ecbGzFIEYiqrQmh/1FfORkQvQUzIQ19XnTQv12wbl1z9n0eF6QoviXQ4Fg1DXVnmpDlm6LIzBifZ4OA2iA2CyIfJRe/XTO9EmfKVJ7uND2TIPJovIcN439CZaTTzIsJJvuqWi1y2/GL1a8sBCId4v845kuVFXk1+sGhu24uh0MA3330Q4wuMNj18hcGM8ozzW5wppuZ6ygjDxD+4RxrDPpaQe8ChbLcyzBQ0Bx5CEeS0uLz1lV+sr7CuoSlrgv96Vfnuiyys45kgfZSm+1rKoo5DK5vPu/IvS8rNQExR8yyzoOca6WrDHlXFXe44JbIIOV2Mz0PKo3bkx3MtoVxvfjexoYhCiNMn2Cdlcg2ezdhQmCieV78RZBXicRig3O6d8JmqduhbxI/dgS2ne+4sRjHhBpBaRwJtIRDhXQMCBNY2P3e8LkScg508u0mdKAt5b5O891SMSV2A2UByRTFo89hfQJJgTLlz3tROA0MFKKtJJuupgXnfwEZtQA==
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 03347e19-07b4-4a97-7783-08d9af04c6d7
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Nov 2021 04:42:10.2535
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 pVTrawcshi82ZXvqc0HqX0WmsTJcw7xvic1VOxvf0Po66HOpjd5WlbMLPmiR3LQPSbjmtNZdadfy+cyrDBgeM0Sj9sFfjSXzUTwtVoVda6g=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB3957
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10177
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 phishscore=0 malwarescore=0
 mlxlogscore=999 bulkscore=0 mlxscore=0 suspectscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000
 definitions=main-2111240026
X-Proofpoint-GUID: 9ZIcgZvZ1sto9nTS8Q3jghwjasXoP6Id
X-Proofpoint-ORIG-GUID: 9ZIcgZvZ1sto9nTS8Q3jghwjasXoP6Id
Precedence: bulk
List-ID: <linux-efi.vger.kernel.org>
X-Mailing-List: linux-efi@vger.kernel.org

Message ID	20211124044124.998170-7-eric.snowberg@oracle.com
State	New
Headers	show Return-Path: <linux-efi-owner@kernel.org> From: Eric Snowberg <eric.snowberg@oracle.com> To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, torvalds@linux-foundation.org, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v8 06/17] KEYS: CA link restriction Date: Tue, 23 Nov 2021 23:41:13 -0500 Message-Id: <20211124044124.998170-7-eric.snowberg@oracle.com> In-Reply-To: <20211124044124.998170-1-eric.snowberg@oracle.com> References: <20211124044124.998170-1-eric.snowberg@oracle.com> Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	Enroll kernel keys thru MOK \| expand [v8,00/17] Enroll kernel keys thru MOK [v8,01/17] KEYS: Create static version of public_key_verify_signature [v8,02/17] integrity: Fix warning about missing prototypes [v8,03/17] integrity: Introduce a Linux keyring called machine [v8,04/17] integrity: Do not allow machine keyring updates following init [v8,05/17] X.509: Parse Basic Constraints for CA [v8,06/17] KEYS: CA link restriction [v8,07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca [v8,08/17] integrity: add new keyring handler for mok keys [v8,09/17] KEYS: Rename get_builtin_and_secondary_restriction [v8,10/17] KEYS: add a reference to machine keyring [v8,11/17] KEYS: Introduce link restriction for machine keys [v8,12/17] KEYS: integrity: change link restriction to trust the machine keyring [v8,13/17] integrity: store reference to machine keyring [v8,14/17] KEYS: link machine trusted keys to secondary_trusted_keys [v8,15/17] efi/mokvar: move up init order [v8,16/17] integrity: Trust MOK keys if MokListTrustedRT found [v8,17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

[v8,06/17] KEYS: CA link restriction

Commit Message

Patch