From patchwork Wed Jul 7 02:43:53 2021
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring
Date: Tue, 6 Jul 2021 22:43:53 -0400
Message-Id: <20210707024403.1083977-3-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Allow keys to be moved into the secondary keyring without checking its trust chain. This is available only during kernel initialization.
This will allow keys in the MOK list to be added during boot. Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 25 +++++++++++++++++++++++++ include/keys/system_keyring.h | 7 +++++++ 2 files changed, 32 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..f02bc5832684 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -90,6 +90,31 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } + +/** + * move_to_trusted_secondary_keyring - Move to the secondary trusted + * keyring with no validation. + * @key: The key to add to the secondary trusted keyring + * @from_keyring: The keyring containing the key to move from + * + * Move key to the secondary keyring without checking its trust chain. This + * is available only during kernel initialization. + */ +__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring) +{ + int ret; + + ret = key_move(key, from_keyring, secondary_trusted_keys, + KEY_ALLOC_BYPASS_RESTRICTION); + + if (ret) + pr_err("Problem loading X.509 certificate %d\n", ret); + else + pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n", + key->description); + + return ret; +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..f40837026d6d 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -34,8 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern __init int move_to_trusted_secondary_keyring(struct key *key, + struct key *from_keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline __init int move_to_trusted_secondary_keyring(struct key *key, + struct key *from_keyring) +{ + return -EKEYREVOKED; +} #endif extern struct pkcs7_message *pkcs7;
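Review bot: in the certs/system_keyring.c hunk, move_to_trusted_secondary_keyring() logs "Problem loading X.509 certificate %d" and "Loaded X.509 cert '%s' ...", but key_move() is type-agnostic and nothing in the function checks key->type, so the messages assert something the code never verified; either check that the key is of type asymmetric before the move or make the messages generic, and print key->description on the error path as well so a failed move is attributable in dmesg. The kerneldoc should also state that the key is unlinked from @from_keyring (key_move() moves rather than copies), since the only thing keeping this bypass out of runtime use is the __init section placement, and callers need to know the source keyring loses the key.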
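Review bot: in the include/keys/system_keyring.h hunk, the !CONFIG_SECONDARY_TRUSTED_KEYRING stub returns -EKEYREVOKED, which tells the caller that the key exists but has been revoked; the actual condition is that there is no secondary keyring to move into, so -ENOKEY or -EOPNOTSUPP would describe it accurately, and callers that branch on the error (for example to log or to fall back) would otherwise report a revocation that never happened. Pick one error code for "feature not built in" and use it consistently across the series' stubs.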
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 03/12] KEYS: CA link restriction
Date: Tue, 6 Jul 2021 22:43:54 -0400
Message-Id: <20210707024403.1083977-4-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed) or by being vouched for by a key in either the built-in or the secondary
trusted keyrings. Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 18 ++++++++++ crypto/asymmetric_keys/restrict.c | 60 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 +++ include/keys/system_keyring.h | 14 ++++++++ 4 files changed, 97 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index f02bc5832684..b4c82276bba5 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -73,6 +73,24 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +/** + * restrict_link_by_secondary_trusted_or_ca - Restrict keyring + * addition by being a CA or vouched by the secondary keyrings. + * + * Restrict the addition of keys in a keyring based on the key-to-be-added + * being a CA (self signed) or by being vouched for by a key in either + * the built-in or the secondary system keyrings. + */ +int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + return restrict_link_by_ca(dest_keyring, type, payload, + secondary_trusted_keys); +} + /** * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 84cefe3b3585..75e4379226e8 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c 
@@ -108,6 +108,66 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of public keys + * based on it being a CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: A key or ring of keys that can be used to vouch for the new cert. + * + * Check if the new certificate is a CA or if they key can be vouched for + * by keys already linked in the destination keyring or the trusted + * keyring. If one of those is the signing key or it is self signed, then + * mark the new certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + struct key *key; + int ret; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + ret = public_key_verify_signature(pkey, sig); + if (!ret) + return 0; + + if (!trust_keyring) + return -ENOKEY; + + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + false); + if (IS_ERR(key)) + return -ENOKEY; + + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index f40837026d6d..43c76fba9481 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -34,10 +34,24 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern __init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + return -ENOKEY; +} + static inline __init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring) {
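Review bot: in the crypto/asymmetric_keys/restrict.c hunk, the "is a CA" test in restrict_link_by_ca() is public_key_verify_signature(pkey, sig) with the certificate's own public key, which only establishes that the certificate is self-signed; it does not look at CA basic constraints or a keyCertSign key usage, so any self-signed certificate, including an end-entity one, passes and gets linked. Either rename the helper and its kerneldoc to say self-signed, or add a real CA check before returning 0. Two smaller points in the same hunk: the kerneldoc documents the last parameter as @trusted while the code names it trust_keyring, and it says keys "already linked in the destination keyring" are consulted although dest_keyring is never read; also "if they key can be vouched for" should read "if the key can be vouched for".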
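Review bot: in the certs/system_keyring.c hunk, the kerneldoc for restrict_link_by_secondary_trusted_or_ca() has no @dest_keyring, @type, @payload or @restrict_key entries, so scripts/kernel-doc will warn; add them and say explicitly that restrict_key is unused, as it is neither checked nor passed on. The comment also promises vouching by "either the built-in or the secondary system keyrings" while the call passes only secondary_trusted_keys, exactly as the restrict_link_by_builtin_and_secondary_trusted() context above it does; that works only because the built-in keyring is linked into the secondary one, which is worth stating so a reader does not take the comment as a second lookup.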
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 06/12] integrity: Trust mok keys if MokListTrustedRT found
Date: Tue, 6 Jul 2021 22:43:57 -0400
Message-Id: <20210707024403.1083977-7-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
A new MOK variable called MokListTrustedRT has been introduced in shim.
When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel.

MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set. Therefore, this cannot be defeated by simply creating a MokListTrustedRT variable from Linux; the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_mok_keys to return false.

Signed-off-by: Eric Snowberg
---
 .../integrity/platform_certs/mok_keyring.c | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index 2b0d17caf8fd..666fa355996d 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -5,8 +5,11 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc;
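Review bot: `+bool trust_mok;` in this hunk is a file-scope variable with external linkage and no header declaration; it is written only from the initcall added below and read through an accessor later in the series (09/12), so `static bool trust_mok __ro_after_init;` would keep it private to mok_keyring.c and read-only once boot completes. The `+#include` line has also lost its target in this rendering; the symbols the new code uses (`efi.get_variable`, `efi_guid_t`, `EFI_SHIM_LOCK_GUID`) are provided by `<linux/efi.h>`.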
@@ -24,3 +27,38 @@ void __init destroy_mok_keyring(void) { return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK); } + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the kernel. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. + */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +} + +static __init int mok_keyring_trust_setup(void) +{ + if (uefi_check_trust_mok_keys()) + trust_mok = true; + return 0; +} + +late_initcall(mok_keyring_trust_setup);
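Review bot: `uefi_check_trust_mok_keys()` calls `efi.get_variable` unconditionally; on a non-EFI boot, or on firmware that does not support GetVariable at runtime, that call is not usable, so guard it with `efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)` and return false when the service is absent. The `status == EFI_SUCCESS` short-circuit is what keeps the uninitialised `attr` from being read on failure; initialising `attr = 0` would make that explicit. Two typos in the new comment: "mirrioring" and "thru". Ordering also needs a look: `mok_keyring_trust_setup()` is a `late_initcall`, and the loader that consults `trust_moklist()` (10/12) has to run after it, which at the same initcall level is decided only by link order.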
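The attribute check the commit message above describes (trust MokListTrustedRT only when EFI_VARIABLE_NON_VOLATILE is clear) can be audited from user space on a running system. The program below is an added example, not part of this patch series or of shim; it assumes the efivarfs layout (a native-endian 32-bit attribute word followed by the variable data), the efivarfs file name `MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23` (the GUID is EFI_SHIM_LOCK_GUID as defined by shim, not taken from this page), and the helper names `build_efivar_image`, `mok_trust_from_efivar` and `trust_for` are this example's own. Beyond the kernel check it also treats a truncated or empty variable as "do not trust".

```c
/*
 * Added example (not part of the patch series): audit MokListTrustedRT from
 * user space with the same decision rule as uefi_check_trust_mok_keys().
 *
 * efivarfs presents each runtime variable as a file whose first four bytes
 * are the variable attributes (native-endian u32), followed by the data.
 * The file name is <name>-<vendor GUID>; the vendor GUID is EFI_SHIM_LOCK_GUID.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute bits as defined by the UEFI specification for GetVariable(). */
#define EFI_VARIABLE_NON_VOLATILE       0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004u

/* Assumed efivarfs path; GUID value comes from shim, not from the patch. */
#define MOK_TRUSTED_PATH \
    "/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23"

/*
 * Build an efivarfs-style image (attributes + data) in memory. Used here to
 * construct sample inputs; on a live system the kernel produces this layout.
 * Returns the image length, or 0 if it does not fit in `cap` bytes.
 */
static size_t build_efivar_image(uint32_t attr, const void *data, size_t dlen,
                                 uint8_t *out, size_t cap)
{
    if (cap < sizeof(attr) + dlen)
        return 0;
    memcpy(out, &attr, sizeof(attr));
    memcpy(out + sizeof(attr), data, dlen);
    return sizeof(attr) + dlen;
}

/*
 * Same rule as the kernel: MOK keys are trusted only when the variable is
 * present with a payload and EFI_VARIABLE_NON_VOLATILE is clear. After
 * ExitBootServices a variable can only be created with NON_VOLATILE set, so a
 * non-volatile MokListTrustedRT was written by the OS, not mirrored by shim.
 * When a header is present its raw attributes are stored through attr_out.
 */
static bool mok_trust_from_efivar(const uint8_t *img, size_t len, uint32_t *attr_out)
{
    uint32_t attr;

    if (len < sizeof(attr))
        return false;                   /* missing or truncated header */
    memcpy(&attr, img, sizeof(attr));
    if (attr_out)
        *attr_out = attr;
    if (len == sizeof(attr))
        return false;                   /* header but no payload */
    return !(attr & EFI_VARIABLE_NON_VOLATILE);
}

/* Constructed sample: image with `dlen` payload bytes under `attr`, evaluated. */
static bool trust_for(uint32_t attr, size_t dlen)
{
    uint8_t img[16];
    uint8_t payload[16] = {1};          /* shim writes a single 0x01 byte */
    size_t n = build_efivar_image(attr, payload, dlen, img, sizeof(img));

    return mok_trust_from_efivar(img, n, NULL);
}

int main(void)
{
    uint8_t img[64];
    uint32_t attr = 0;
    size_t len;
    bool trusted;
    FILE *f = fopen(MOK_TRUSTED_PATH, "rb");

    if (!f) {
        puts("MokListTrustedRT absent: MOK keys are not trusted");
        return 0;
    }
    len = fread(img, 1, sizeof(img), f);
    fclose(f);
    trusted = mok_trust_from_efivar(img, len, &attr);
    printf("MokListTrustedRT attrs=0x%08x -> trust_mok=%s\n",
           (unsigned)attr, trusted ? "true" : "false");
    return 0;
}
```

Run it as root on a Secure Boot system with efivarfs mounted; a shim-mirrored variable shows attributes 0x6 (BS|RT) and `trust_mok=true`, while a copy created from the OS carries the NON_VOLATILE bit (0x7) and is rejected, exactly as the kernel-side check would reject it.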
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 08/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_secondary_trusted_or_ca
Date: Tue, 6 Jul 2021 22:43:59 -0400
Message-Id: <20210707024403.1083977-9-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_secondary_trusted_or_ca.
This will only allow keys into the mok keyring that are either a CA or trusted by a key contained within the secondary trusted keyring.

Signed-off-by: Eric Snowberg
---
 security/integrity/digsig.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 56800a5f1e10..07547f1a4806 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c
@@ -140,6 +140,11 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_secondary_trusted_or_ca; + else + restriction->check = restrict_link_to_ima; + perm |= KEY_USR_WRITE; out:
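Review bot: the pre-existing `restriction->check = restrict_link_to_ima;` is kept as unchanged context directly above the new `if`, so it is assigned and then immediately overwritten by one of the two new branches; turn it into a `-` line so the `else` branch is the only place the IMA restriction is set. It is also worth confirming that `restrict_link_by_secondary_trusted_or_ca` resolves when CONFIG_SECONDARY_TRUSTED_KEYRING is disabled, since this assignment is not conditional on that option while the handler in 10/12 is.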
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 09/12] integrity: accessor function to get trust_moklist
Date: Tue, 6 Jul 2021 22:44:00 -0400
Message-Id: <20210707024403.1083977-10-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Add an accessor function to see if the mok list should be trusted.

Signed-off-by: Eric Snowberg
---
 security/integrity/integrity.h | 5 +++++
 security/integrity/platform_certs/mok_keyring.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 68720fa6454f..a5f7af825f9b 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -285,6 +285,7 @@ void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init destroy_mok_keyring(void); void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -296,4 +297,8 @@ static inline void __init destroy_mok_keyring(void) void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index a5644a8a834c..7d23772a1135 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c
@@ -83,3 +83,8 @@ static __init int mok_keyring_trust_setup(void) } late_initcall(mok_keyring_trust_setup); + +bool __init trust_moklist(void) +{ + return trust_mok; +}
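Review bot: now that `trust_moklist()` is the only intended reader of `trust_mok`, the variable introduced in 06/12 as a non-static `bool trust_mok;` should become `static` in mok_keyring.c in the same change, so the accessor is the single interface and no other translation unit can reach the flag. The `#else` stub in integrity.h returning false matches the real function's semantics; the `__init` on a `static inline` stub is harmless but unusual and could be dropped.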
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 10/12] integrity: add new keyring handler
Date: Tue, 6 Jul 2021 22:44:01 -0400
Message-Id: <20210707024403.1083977-11-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(376002)(366004)(396003)(36756003)(7416002)(52116002)(2906002)(7696005)(4326008)(44832011)(38100700002)(83380400001)(86362001)(316002)(6486002)(38350700002)(186003)(921005)(6666004)(8936002)(956004)(66476007)(478600001)(66946007)(107886003)(66556008)(8676002)(26005)(5660300002)(1076003)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 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 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: d5451e1d-cfbc-427a-a243-08d940f12e13 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jul 2021 02:44:45.5892 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 9YmJfJivTlQyRImNkGRyepiz9OYtPr58vNN2gQ3yRFNVJr2+/dMnBiXzeAw46nCF+nxodHG7vjDGiCpDSe2a7KT3KDyJyzgEqxv8mAFBDjA= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB4166 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10037 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 spamscore=0 phishscore=0 adultscore=0 suspectscore=0 mlxscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107070012 X-Proofpoint-GUID: KspeI3saG8Llww8fwGUJg2wr-jmO2a8H X-Proofpoint-ORIG-GUID: KspeI3saG8Llww8fwGUJg2wr-jmO2a8H Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add a new keyring handler for the mok keyring. If the Secondary trusted keyring is enabled and the end-user trusts the MOK keys, this new keyring handler is used. 
Signed-off-by: Eric Snowberg --- .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++- .../integrity/platform_certs/keyring_handler.h | 5 +++++ security/integrity/platform_certs/load_uefi.c | 4 ++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..b6daeb1e3de5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) { @@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) && trust_moklist()) + return add_to_mok_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h 
@@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 94faa4b32441..f021dd81f080 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; 
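Review bot: get_handler_for_mok() in the keyring_handler.c hunk calls trust_moklist() and returns add_to_mok_keyring, but neither symbol is defined or #included by this patch (the diffstat touches only keyring_handler.c, keyring_handler.h and load_uefi.c), so the hunk only builds on top of the earlier patches in the series that introduce them; the commit message should name that dependency. A smaller point in the same hunk: `IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) && trust_moklist()` is re-evaluated for every X.509 entry in the signature list; unless trust_moklist() can change while one MokListRT list is being parsed, evaluating it once (or caching the result inside trust_moklist()) would make the intent clearer and keep the per-entry path to a single GUID compare. In the keyring_handler.h hunk, the new comment says "found in the mok" while the sibling comments name "the db" and "the dbx"; writing "MokListRT", as the .c comment does, keeps the three consistent. The first keyring_handler.c hunk also narrows the db comment to "the UEFI db tables"; since only one db is involved, "the UEFI db table" reads better.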
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc);

From patchwork Wed Jul 7 02:44:03 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 470898
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 12/12] integrity: Suppress error message for keys added to the mok keyring
Date: Tue, 6 Jul 2021 22:44:03 -0400
Message-Id: <20210707024403.1083977-13-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Suppress the error message for keys added to the mok keyring.
If an error occurs, the key will be added to the platform keyring instead. Signed-off-by: Eric Snowberg --- security/integrity/digsig.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index e301cee037bf..50bdf839fa44 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -173,7 +173,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data, KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); - pr_err("Problem loading X.509 certificate %d\n", rc); + if (id != INTEGRITY_KEYRING_MOK) + pr_err("Problem loading X.509 certificate %d\n", rc); } else { if (id == INTEGRITY_KEYRING_MOK) rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key),
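Review bot: guarding pr_err() with `if (id != INTEGRITY_KEYRING_MOK)` in the digsig.c hunk removes the only log record of a certificate that failed to load into the mok keyring, and the fallback to the platform keyring that the commit message promises is not in the lines shown, so from dmesg alone an administrator cannot tell that a MOK certificate was demoted rather than loaded as intended. Suggest keeping a lower-severity message on that path, for example `if (id == INTEGRITY_KEYRING_MOK) pr_debug("Problem loading X.509 certificate into mok keyring %d\n", rc);`, or better, logging at the point where the platform-keyring fallback is actually taken, so that an unexpected failure (as opposed to the expected rejection of an untrusted key) stays visible. The `else` branch that calls move_to_trusted_secondary_keyring() is cut off on this page, so how its return value is handled could not be checked here.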