From patchwork Thu Aug 19 00:20:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499858 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7650BC432BE for ; Thu, 19 Aug 2021 00:22:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5E5C7610E5 for ; Thu, 19 Aug 2021 00:22:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235328AbhHSAWy (ORCPT ); Wed, 18 Aug 2021 20:22:54 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:65062 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234824AbhHSAWm (ORCPT ); Wed, 18 Aug 2021 20:22:42 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0GV4h021872; Thu, 19 Aug 2021 00:21:32 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=4p1O2wfwy44YLrEzHdTBOqjhV/cFUxgl83N6w8GqY+0=; b=wkkBz03ciFx09zKO6tUHF+PWCGQ9Gaj+Vbm9uaKdeFeD4NZTBrep7g7XvyPl4am2YXAG eSupa0WPK/AFAf9vkuXYEPD28rUVDfEs6qdxQrjYf8PJS3lXIXHGiPzm61vGoeJ+OKLJ Qkug4iy38UMKwn1TFBXMgP2TQnZPjKUXijECIwNrCaYC8EZGeImGnEZz4nFquD25r+TP 9/W6KPO07SH8GjAMldmdojvO3ATKdxX3UNjEYk9ArrDCvJHAiVNK8bKWRXRxApz2TNbi lS5UH940WZSpNE2z8gfUtqKwGJTdrEjOtIszxTvbpOZHwgt1NnAh3kc/PAqGBLZUgNdT qg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=4p1O2wfwy44YLrEzHdTBOqjhV/cFUxgl83N6w8GqY+0=; b=f/+lFzAQRu4wFqNS5fX5lhXs5brerTAnPWjUDQWEPnJPyeSXXila6VE096x8ChklEH0r gUjBOSm8pMEGaIcJZJh5pWgkrJX1NNH8oGK5JXIUWVL38iJj6He57cbG759weLqunLSI nKJk6hvtm5FuYl50sbaIeDUXUccvvGLs8dd3dOAPjijm+ZhY1O2GOlRx99gz3HjpYZH6 FeyS2GkqGM+sDo3u48Ak03iKNQI63trdI3uihLTg4MaN8lbYVaG1sAvXixPm+aB4Hc0W s7NZb1MQI1dKBODrfzsl25vcrhFxLMPp48cCjj1YBatRq38wA/DvC3c5E9UJkqjselhG jw== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3agu24jghf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:32 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F9Zf040622; Thu, 19 Aug 2021 00:21:31 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2175.outbound.protection.outlook.com [104.47.59.175]) by userp3030.oracle.com with ESMTP id 3ae2y3947c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:31 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YFtaqjXgvzDO1pGnBjovAc4btZqjQwhbFngBpeCC9K4CPiU1UznywX/cGAeBVvxAXMzgL8lYXMTdeoND3JFLQDAf6oaGCM0D9PtmYM2Z7CvKMte2/FNlDzARaV7M+duXWor6uUxsRqI4DZffN/6w4vp/BVDy6JwVhU5c1xgftMkH+IrIL2afhA4vg/J4sWxGMBzdaJyy0sxfULzc8jNROXZ7OcU/pwjeyHRCFuxECYwZHI/vh6C1FNdRCgLyJlXfhIHVlLFEbtyfCgPERpX5Z8UtjjkcUbJg5aW4MqD3cta155fGmCX1XEGLIG6wrt7303/cHS/Cpe5hCAi90uN7Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4p1O2wfwy44YLrEzHdTBOqjhV/cFUxgl83N6w8GqY+0=; b=FeWHC8wGLgL7wT7o3vbbGIb7Lve52Xjzn7lMiK9hqmC5wdUXqUtij7hkHTkEppn90xtmyiqFPcn7yRwp2l1ypnSULMqq91/5cjBUgcc02HUAiDqz2BjZfpWOe9mF0n3C8fYhZsjP23oNiLLVJven0T94cJ9M/nSy61ym84QKVaMZD+5DQj2xPVJB9FKRR9m8VLw1fJa4mYZGhyc4fgKZXxvwQpYHUSZWYv2IP5mMGxz6WSNmT6fcgrMRo61BaLg8DP1QJK3sP7gxODwHg49ytf3JHE4S4zJjGbFgGqk1l1NCXaWTW+BGADzQVtJ2BMRQ6MGjqCTvzb6/pC5t7Q5o5A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4p1O2wfwy44YLrEzHdTBOqjhV/cFUxgl83N6w8GqY+0=; b=vzTTX9IpsI4muje7jVm46T1Crw50BX3HCgVoW0m5G7p3LhIRQY1l27td8PCcMd8sZme4aeOBJKdSvogwHlIP7g207QeHVXGS/tMWDi0AY6JoCSnd7FaJqSZHlsTM585sV+Y3RO+vitqUI+7KEgUUEI6/Zm30igGNHFvaZ/rmDP4= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:28 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:28 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 01/12] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) Date: Wed, 18 Aug 2021 20:20:58 -0400 Message-Id: <20210819002109.534600-2-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:25 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: d5f61650-4cfa-4914-bb4f-08d962a74939 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8273; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: wom9I2+PF6tgpjjECZ/zYAxa6z8D1SrMSNsNHkaU5D4H1P5p4xJcnYqTZwcMO3OWG8lyuNGxzduFQ7eyh92xbUJfjW31+XQLX2JH3R+z+NN4GLQOrqg7edU5DEUSHaTs6uBESjYereqbJTsRlx3CQy2fvaSFiY6oeC3VkndaYyxmAqCY9Y4VzuImmwmcKaExhx4v4PVkkpwJiK4twIYZfZPRkduVidMzEauuLn3V0i9/ZIEM91hIPBexstv/+VSB5dMShxT/fVvXJEyYgoPVw2ORLU/gGEoauxhYg7ufw9UC6vTAfcPtY4NykOwj5hBj7NxL0MvDDwqU9fBhE36WKFwwTiO9JjiJyL6kqbK1yvfpsLO7opRtgo0MatD6wDdDILQ5xiro0sdUZ/Hv3LbM/ZFGUUDEzuQejXViX4MhMGAeJJlOlIsJYHqgcliYbku9w1NMb1E4apxzW+pmMoxTxLaW7MckXrnU+DcBN/zk0E/Zr0YzyfHQb7onrCCcWPJO9poIuieLc+ROSYVHvYKVyO/37Ltto0JMNP+fj/8Wq/BFQ80kw1Uxuu4l7zKbn5BDCRfHIS0dDzNa77dEkB5vfbItSHBkUPSx8mnkAgaY4lI9VU3ThswHqO04kv2Kqm6j/o8jklwtrAN0uxx6sqR6RvAeOkxR3G/aGGEKAdJqquss0Qu9NcV4aBYUf4cBROqrDRT8thMlzHKaQ7pXVofrbFITsi6136Fc1pFeEyGYeXQ= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: CGoVKQRdyM/i8eFOvWMq6eIeX68gO0fgM4nSl3VL9bPMnlDiUitFY9AadYxAGs46r88fUfweYdPB0hAlEbhft5mCKhQGyP0mdLIll8xZYJMuPVPpxC63gIEAHbIVSdUPlF2oj0/aJs1u3CS4iR6JP6Mbnq86SAKVnopLhLE2i9e2Ojbws8PhvZVUL+pdMSUya54x5fEwl520ba8LIm5m9troDOxn988iY8TctPQiGnZxIEf9Y0bPDkgyi+btkLQHb2T6d6tIwf7vZLX0TGyOM9Tzlmzy8Al1ynx7oJlsZ8/TxmHxWrNGaVtstqzDcBiJxA/uiu0trMa4A6HDpiIqNCOK0DOgoVvwQdxDZhghdBd6A3IucsTS+xElgiL99IJDkjKXUC1RGLv9HOLCdBol5g5AXtPDQGxILNP0qA/NNYOVleWS5SORUj0uuXYy4i0JL2ZXLBJxDCoglAeCeFfzutgpO4sZxhbIduZCwnupyKRajRx8aZdkNjJCeOHcfCBMIFymDsr2kWR+pXMBiJIeor8nNJgncaNTK/Iz7oYPU25f4wI0elSfvRwVZEb8RLQbKWm2DVucQTwBDcOjss8LezVpKxOcDOVGPMyzr/9hqLIhunlW3E3FeukMtL4GfF0r9kOLhmYHU3b34V1oCzfvcy7XbGgolB9XjYy8HYXCixpszeHjbgjLTFN9lbf0H1L9AEuxlRnb+DIm8u6eyjE5gxu0n34M1pka2IDb4tWchIo/Hy1ENRVP824ftrja87n73yfZrRQtdLX+YonR3MUpFX1z+iLz5x+kI3AyIUllmiylEStna3n/qzCzIPQXXFcR2toFrXFuku3ERo0MPb+7UgoLH81D70Iwf75XHFnvYJ0jCs51vgN9QV5TZyX1uubfpJkRlUuACKIP8RHZ0N/RHqpjfXEUWoklp3xFA51UyZ4wnUc3frBq8FMxKvEfw0W4zbi/JIELZk97pHCXHsr8e+bC9A64ZsGhylC76ka77taEBLsjIVGWiXoXsBNC94bQ3F6Qys4hr60mX9cwOriWX9EvcZudmRxhcG3FSeBGT74JXmL2tkJAM8O/XpZKwPdU2btTXj5DxiY1ec9t7bZuIkcvSkr6IfKJvFRZFyDKtFDC3sNZB51Fi60IJ7mMHp7+oKqY5UNBEQnG6eIsWJGmDId558CvcFCzVlTll2GPkujztvhtrx/AO5FIPfXvWvhyLo7k7oMKtTmG+pel/2F4E1u4AbHnKNPCsi4w67vO+SxwycgLcPBd/bHrwub62F7qHdB0x25y4GFMR+p6ttIrHosAuvLq35c/e0722XSuEe4rLaLYoQKbTDPMHooZ/f9C X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: d5f61650-4cfa-4914-bb4f-08d962a74939 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:27.9576 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: xUmqqSXf3C2Q46Ig43i3EXDBTkC5DALD9kib3galKHxoj3Hue21fv5KuorVQwj5Nr2lLJPhdyY0HLaPk7uRb7LrMvtKB48zuje0jgjsEMXw= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: t801xqDeL2gCeWs4wcBjvkdBlvGestFJ X-Proofpoint-ORIG-GUID: t801xqDeL2gCeWs4wcBjvkdBlvGestFJ Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Many UEFI Linux distributions boot using shim. The UEFI shim provides what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next step in the boot chain. The MOK facility can be used to import user generated keys. These keys can be used to sign an end-users development kernel build. When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux .platform keyring. Add a new Linux keyring called .mok. This keyring shall contain just MOK CA keys and not the remaining keys in the platform keyring. This new .mok keyring will be used in follow on patches. Unlike keys in the platform keyring, keys contained in the .mok keyring will be trusted within the kernel if the end-user has chosen to do so. Signed-off-by: Eric Snowberg --- v1: Initial version v2: Removed destory keyring code v3: Unmodified from v2 v4: Add Kconfig, merged in "integrity: add add_to_mok_keyring" --- security/integrity/Kconfig | 11 +++++ security/integrity/Makefile | 1 + security/integrity/digsig.c | 1 + security/integrity/integrity.h | 12 +++++- .../integrity/platform_certs/mok_keyring.c | 42 +++++++++++++++++++ 5 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 security/integrity/platform_certs/mok_keyring.c diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 71f0177e8716..7a69021e2d42 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -62,6 +62,17 @@ config INTEGRITY_PLATFORM_KEYRING provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. +config INTEGRITY_MOK_KEYRING + bool "Provide a keyring to which CA Machine Owner Keys may be added" + depends on SECONDARY_TRUSTED_KEYRING + depends on INTEGRITY_ASYMMETRIC_KEYS + depends on SYSTEM_BLACKLIST_KEYRING + help + If set, provide a keyring to which CA Machine Owner Keys (MOK) may + be added. This keyring shall contain just CA MOK keys. Unlike keys + in the platform keyring, keys contained in the .mok keyring will be + trusted within the kernel. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 7ee39d66cf16..e3f4588a069c 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -10,6 +10,7 @@ integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_MOK_KEYRING) += platform_certs/mok_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..e07334504ef1 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".mok", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..be56ba49dc19 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MOK 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; @@ -283,3 +284,12 @@ static inline void __init add_to_platform_keyring(const char *source, { } #endif + +#ifdef CONFIG_INTEGRITY_MOK_KEYRING +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +#else +static inline void __init add_to_mok_keyring(const char *source, + const void *data, size_t len) +{ +} +#endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c new file mode 100644 index 000000000000..bcd9ac78ce3b --- /dev/null +++ b/security/integrity/platform_certs/mok_keyring.c @@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * MOK keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int mok_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MOK); + if (rc) + return rc; + + pr_notice("MOK Keyring initialized\n"); + return 0; +} +device_initcall(mok_keyring_init); + +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); + + /* + * Some MOKList keys may not pass the mok keyring restrictions. + * If the restriction check does not pass and the platform keyring + * is configured, try to add it into that keyring instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to mok keyring %s\n", source); +} From patchwork Thu Aug 19 00:20:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500519 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EFFC7C43214 for ; Thu, 19 Aug 2021 00:22:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CCEFC610E9 for ; Thu, 19 Aug 2021 00:22:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234970AbhHSAW6 (ORCPT ); Wed, 18 Aug 2021 20:22:58 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:64696 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234778AbhHSAWm (ORCPT ); Wed, 18 Aug 2021 20:22:42 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0GHdq021771; Thu, 19 Aug 2021 00:21:33 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=tvoUeSio7ghD09VVfUAsBLd9t55D58S+2MdTU+tWUpI=; b=0JQ6WlgOlf2ZY10qbSVrJY5lxHFxuh9G5eMCOYrk1+v7sgSTLcvu1STe5qrmPjaV1B6W bzadqNoHtzkwJQY95DGhZ9XLYVaRG1jB4HHwRLjhHE5X/3Njdqo9/ika6yL4/LMIyu6k 52Yl09/FJgWOs+3VPnu+8dNdcGuXDqIW4Ct/OxMUkULY+XFrCy8ljbaj0AyMdKgTnrI/ 0xlsGopTll8o17VyTAHnKW1fTDRgqiraItktYIVtYJKI/59bU5Jg1mHnbCuRKZF+DpKi xwKsglwfb5AlWAMUjstRqslWVhEBl1tnQSqyiZ4pSJEEVMh8aOeA9kKr6m3VnNc4953X /w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=tvoUeSio7ghD09VVfUAsBLd9t55D58S+2MdTU+tWUpI=; b=oRvyHYwfPaRZzxtjdcOj/7SSYbPJg/LBK1h1UNor+iFdnPdzBVluIZFH0BHeF6w2sHGk zQQavCjPJ+CVqrQMFgfnmB2VGzffHpzEsyzY/h6jJRoJcuA8HgQDH/goHGv5RQLSkKbv R4YpXAuGTxFxVMAgaOOaugaARyShK9i8KQJtIGGNkho9nzRcaPsn+IerzYwsNc4Jt+Iv yYUYU43hwAC+0YT8YOv+8MPki4F0wIoTSrWZM+oRNP9YNIO0BJlTZ8r1BOxPGhDdeCGs TngWE+ybyRBW1ABLmuJjrH438deaLhGNalQscBVb2GUx9e1mJfG1h2856l5T61mGRCNj Og== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3agu24jghg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:33 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F9Zg040622; Thu, 19 Aug 2021 00:21:31 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2175.outbound.protection.outlook.com [104.47.59.175]) by userp3030.oracle.com with ESMTP id 3ae2y3947c-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:31 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Vci7Fk0LrIbAz02I/i9iSJJzHhdnjSPo6mkujYI4EwxcIX1iGufoD5jzW0AqW1muVnQypvjlxsAYjYqqQx/2T92NqgSihmJ0HWv1/U1b5oVT7djzxxx9gMHNP+A4sg3K4iC/G8g0yMBMuKsFxZMBRNTs2Ftr6pnW4ANemu92LANFVQWRoHL0eawmpEaQsN1S5MCbqLp+ih3+9d5CnkgZGm+18bYXdDBQbWFVJ0ve01lja4BxcfEDTmZJOji1pS3vTFjH/4cXw/Vw6UXvhmZGIg/WeuQmoLRYDU/oAbfsQLi31UZjHSIiJRS/YY63qxaxmbCL2nG4AlgRNN+gA127qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tvoUeSio7ghD09VVfUAsBLd9t55D58S+2MdTU+tWUpI=; b=hja0etd6Us9RXCNkBPFm87atK2XQ6m52rfwrqHgY93f1XokYN9TL4R83TzCEGkpZrLzGAqYOtAF7Ux2pLZH4nLzL2SogFvlhizMCS0288OmKHsDI7yb0vxqRorJdtQFcfmtCkXkaahd4cl7HETy0rDN2YKhNtejHtu4hQ3xygOU6RAJ1kmTx9V5JtNFMJZ4tG9ukWbqGHV8Mbfjbel+JEgknlcF0nX1toEPmRMoTakE+ODLayGfTODf39SSIGP/72uS6oHKiW9siqP7W53ZBiiBUGeGJGo1aOiMKYvBN0Bsnd37vkDtVESkJ3ZzJ7kM49YW+XviDc/j/YPssPv1F1Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tvoUeSio7ghD09VVfUAsBLd9t55D58S+2MdTU+tWUpI=; b=viKSTS0XjWZxn7GaWKdy/yjE80KIsibWaOY6VUZL9orfzE3cBBx6LGTFb8HIdE+i/tByOKhow1+OAOEMCVG0WtXwxlc5+CBqoPs5Dm7dME9QqFLXEtpkrBCLBIg8U3lbBYQC4bAxRCCTeLxKciK25qgZpohWHUEIPGjB4mmjSuo= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:30 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:30 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 02/12] integrity: Do not allow mok keyring updates following init Date: Wed, 18 Aug 2021 20:20:59 -0400 Message-Id: <20210819002109.534600-3-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:28 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: dd6b72c6-f156-4224-058c-08d962a74ad8 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3173; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: DzmEbDDfC01ME9C/VM4AoevjaMW/CUiQQedSgKJhJTPBynmR3f35Bm7pjBkBYq55hO4yZLmPGVnhWXc+vXromUHJzZPJ6VorxazO+Mt/gFBOxzvWf7mzYkEi3f0ynGT6CuxOk4NMWazMl7SFzFc1kZk2iNTAF7/1sQHWM6nPbcDq4ZPfX3CdnqouXQEEkzGiaiUYN/GWiXF3IAoA0x1ddJt2n4yKr/avyEvFFSlQhHn9U1wXylVl7bIRbbOZuJt9UrnGxIU0eqK4LaXhRhH9vvq9q8mtA5UPOQa2UU68CEIht3Ap7ZEZ//A0BzC+dWXRsu75qu1iAbvVvaqDPKQGLSJ+jY13UPLoJe0avUxfjZ5xtzW5x/KhzjqFg0deUJcs6tQebBB+FtW6n5r5o1j7vTGcHw1JNjGVzHP9ohNtvY23fncE0NNUBGGqp7Y246ABY9TGkQcosuixu6nFWRn+M/au2yzYGrVBF39P77jWQXE2v056p6EhLYsQFXmV+oxkyHIpFBzMOKF1rYfZb0IheKzYdDOFioGfxvH/0Pv9s8WDqM1/opMdOn/mRaO+LUseASGdK9scqkIDxhDtu+CaF1MgXsZcel4vGyW1ag7OKBErGKTZLjdr9bKJfZwsxwG5XaFJ6a4Bsw5bNO5wjHdMo39rx2UDRawKSMqfxbWNM2/PdsyjhEMuDcFBjN9jV//1iBI5ho0HtyjQjPTyY8jWyvSpRZk0istMWTiJ3YqL3HM= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(4744005)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(15650500001)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: h5JiC6mxp9gYbLwMA7V/qSAYwgs5vDwqdc2MA/eVBkI0RC0i0OlvuJjh0U5v6y3+HBUItwD6ZZxxZQL2LSH3OEFaiX0rNML8kl0/5qXQdyTLknjhsLkeHgdLQaoSFJE8d69ezZAoYUZCcryxCMAHFqsb4k/L8gYKOBcUHVRaw9W8MHlj8AGgiWRd0KDDRP+zvHtNDPSrXLxEOCbybBxNAHWgTjwkBoHwiEWcwhLHPAArRYZ8l0BZQiJmW5PxLys/BW3tpuVWcBLlVw5rONUbRzngTOgRtEdfYsxjNLGnOHDAA7tMiafT7AUgkZEoyHU19lERi/Uo8g1Lx9SB+wETzVAoF1uJ+jvXCSPaWVhkXgPWRUEv0Ppv/Ns1L2NkK1aFb60h/tDn5JD2g5dhLCJczNsRfszUsN5sQzH5YWdAaJ6nyTymXHQjTx7r5LZoBsuITi+G918dnZ2igzwrAuls3MfHXLxK4X0JSuK3XYdNKC6OzDIQ1FJdRVkf+XsLiuD/jf5opyvCRUKE3MJQpUke7KGejKhxWw2eqSVmkBCEzY/+b9PVZgN2l1pahbZ/ry1cAflL4D1oUbVjeszFdnmPMSwzlE2BAAX/9blQh3wuy0uVC7ZPY4223Aiwh60p9ogdeIuqO/smArxpd98syxoMgyw+D4NAHyIWQP7FXa26VvdgDaAeASb/LwNc0orDle4etnySoWPjspfppxKgSS2ucIxzBfMrW5DHnBMxQSwicgzXH9P1mA37LJnkqC2nCwb8QJn8fwscixdUan107Yrf+8QxIUkPdsOka55kqhCeM4mmZWtprBAieIbPfXIEeJUC+vd/rjEhPn8kEnRQPhEaN6rkRFLkVyYoueA/TAItyPZ4LwnmQZgBGbTl4GOw1dlsvwP4X7e9E/Dnqe6j9d/5U87iF2pxSJoLon2y99TSRF4ToTYRDfqMdZgVfGIoTKQ2ze1gX5FtU8BWEY5qfivxkjxBTh0QCVc+7qh3OfhsIOUTZwZRc3zU+oeRhyZwkqMQXNBGfc3mPAkJD1G+lsSUC50KRdNP4ZUQ2KbU3S/peaf69u//647Odq5h2kf75bjhzadDahS4+fDxCcMmh0MG9iyYxIVtHAj8qK1HTqLcELZCtKDjZ9L8wZXDxPxSMCOmfnQux1p932MbAdnyr2Hvnc8pkJgIiSCEogTqSV0KfwkTTCj4IpTHS1rYS67TgM6v0dAfbIF6vOqmOry3uXHZwR50R58HA1eiNkp0MWBleXqtWE+zk6+gCzP57SEZq8ZFrka+cS/sRlTCbUV4McBp2qDQ13u1+hxNdzU//ilgWDFplFAu8zQrpfBBb5o4NueC X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: dd6b72c6-f156-4224-058c-08d962a74ad8 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:30.6886 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 1TuA2vjevEz5gFGqP2KX1g8j5pooenaSSwHtII/y8HW3MVbIPkIwEVXBJnpy6sGR0uqLTRTvy1/UYbqtidp7fYRD0yKpA+VtpWjXpNeNx80= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: Q6RsdIQ1QtOP1HUCLrgHYR_BnX3eRY6Z X-Proofpoint-ORIG-GUID: Q6RsdIQ1QtOP1HUCLrgHYR_BnX3eRY6Z Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The mok keyring is setup during init. No additional keys should be allowed to be added afterwards. Leave the permission as read only. Signed-off-by: Eric Snowberg --- v2: Initial version v4: Unmodified from v2 --- security/integrity/digsig.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index e07334504ef1..5cad38e6f56a 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -140,7 +140,8 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; - perm |= KEY_USR_WRITE; + if (id != INTEGRITY_KEYRING_MOK) + perm |= KEY_USR_WRITE; out: return __integrity_init_keyring(id, perm, restriction); From patchwork Thu Aug 19 00:21:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499860 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 998B3C43214 for ; Thu, 19 Aug 2021 00:22:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 82546610D2 for ; Thu, 19 Aug 2021 00:22:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234659AbhHSAWl (ORCPT ); Wed, 18 Aug 2021 20:22:41 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]:20166 "EHLO mx0b-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234294AbhHSAWk (ORCPT ); Wed, 18 Aug 2021 20:22:40 -0400 Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0HWt3029121; Thu, 19 Aug 2021 00:21:36 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=w7cl9eJNKH/s3LOHkz1AXRNKQo/in367rltduGHTo84=; b=FfApzMS5BK5B5g4+vJRs2I6BWCp4r70/KbbgdecX4nJj/GNcPGaBalazomIKpz9D1EBF 323FmMX6AAz5RLoV8WKDSwa6270qWaOQiZTWJTJieEyUNkJtvqfG4Sv2OllHZQksADCx SukCDYlHovD6pF2rYG3AvlrPUiW+c60EXiKRqCXaqVOvjCW4/iE9bj6/A2nsKqgZSBQ2 SiqPezAeOJ/i0PHDOLTQ2jFceJ+6uas3hR4/JWFgAm5Eku2q8DVEwuMoL1T3/UOMP97b zrOZT5T4AiUYf77Cg+bGLHPbDw2lmLLvfVQH+IvABT6cKTQE4kbQefS+AxspAvbtCR4L 9w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=w7cl9eJNKH/s3LOHkz1AXRNKQo/in367rltduGHTo84=; b=EIv1KCo+wsYEClJoKillMs8tfHiVpIFqvP+RHU1tDj4tpTk9Uvm+fwnehIrBmFMMPdcV BIoLkqojvb9/vb0ngbUchlf5Iy/KwiaPAP1utzvib8Vy24vLsKv6JGcS3+uYzZZnfgvW tQWvweQtflQ/FYh/NjoNpdshQILxW+yWw4dU91sRMx+ymAu60gEnwAfOhWzOZKYekx6q yNnjd52Sh5afOCPYnoPJxADy1cQKOui5vmuEonfzw+CNJoPkD3pYHsLCOClyvd5smBdr pKO0I5pwE9MKUredP6lPaamzvoaGA1O0ISZPFXGBjLr1gjF+HGhD3DsYHlr1pCpoOVd4 Cg== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by mx0b-00069f02.pphosted.com with ESMTP id 3agykmhwn9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:36 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0Ep4Q160248; Thu, 19 Aug 2021 00:21:35 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2169.outbound.protection.outlook.com [104.47.59.169]) by aserp3020.oracle.com with ESMTP id 3ae5naf91u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:35 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=M5PtkVf7DPUGzd3Rxg1yORDvHQuBENW5660wPjVo63FESbbpZ6m0LADNjJNdkefMy9n6OoQiQluhMfVcTcrdmIVxfw/6AgOunbBDRwSd6CnKQEbXhzCgkiH1OnmcSUyeiF6cXVHToSxuj7kN7cg8WFECt9nFWRvx4an11B3X3AMmfBP7DsutqtofJSYkpNj3sByZMfDAXE39TOissKrSmpsW4ZbhxljgRJgfKwFL3mjIwE78uwIz5ruVjcEBres0N9SomNAvuISFp1ustc2BRdkZqpB03JlsMHbFWakiKcjze6uEn6nfWOmDZQIlLFQg+ln62epa4OZ+ERZ8+INLoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=w7cl9eJNKH/s3LOHkz1AXRNKQo/in367rltduGHTo84=; b=NZX+zXJhe5KCiLBv2h/p/1BPwoQ8sYV+fBqbpYyMGpOG5+g235zm+UN34mzL7SbbVSkmDEfEkiAN2Dt7nGaW4T6iV65JVi20+CUIFoiZC+Krk+sZwOEwCKwhRApU4kL7zQSrItaWdyu0eqYtNGkjH57CyA6naPeak/YkqXy1T0LKH8dpkZYCCqWD5N7OnLKSVVRqPZ1EFtC/tyeXK5umcCCM79HxsTWizb+NMciEQL3y1TkaWRYVGNPTQHB0ysf9Y0DNo+NqjJGa0aeXB7/g/9q7Q0O8rQkU3CeKG6KCmx5Cl1ZKAUtjIqXkI4TT6ry8B9wQemt6g5Rr/N2J/aQJdg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=w7cl9eJNKH/s3LOHkz1AXRNKQo/in367rltduGHTo84=; b=RkMBxefU73IwsVbcmDK9zphL7MWdMVgK9QgBx7ToezyBBi2k9H2y7wIlxuDDRu8wPue4RkCckdKryQ2xN7gpwA4dYsc3FlM7+4IyvLWNDs3Q/Fs+9IrBOqzIbcklpQ4gb+CqvMgdzEhX7GeQUt3u/kLdTpPCKbVLVzNMSbMUssw= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:33 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:33 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 03/12] KEYS: CA link restriction Date: Wed, 18 Aug 2021 20:21:00 -0400 Message-Id: <20210819002109.534600-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:30 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: eff55540-42d5-43b5-dea1-08d962a74c7a X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:10000; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: fyJeiGRHMSe/t26gYEk8Z2OFZ2pIi4wD4Jyf1LyEtez01PVPrwnz6Q2eIrUTcCOcoPWgo10b4aVpMzEs9DK2+UdRklSjCVE5p2itAo9DKCoqt3wROUPEmQGPrZm0m1aa7jItG+NBTlNxhcGAzgJkavtyEERtz0Binm9cVOj15qyHycddbKof/zw2kaWekztmEiR6ydBOwjKDNLioW71SB9lHwEW7UlVxWWpo+G+Q75ts3Gsix0AXdF2sy8UGt9IQSCjpU0fNzLjxRi1EeI9oDGsLfBAkxweQo1U4oSoHAY7UnUSgJzJ5vWuY3RYwQ/U5QJk5eCqKf6CsZ0XqOA3NNvMpT3h6IPKYjd8/CaUim0k269lw/QChzMXjzhHSTrPKJJ1o/vDuuB4Km6xFk0GJcEwZ/ZHsoX6O6yFNVwpBSBhvSMfI+wTbvjdhaxzO/ARDqWF2RgNvqTveNxCHW1aNYfDCiNc5otdgMA79YFxKm3OPwr1iY07QPLlzE1vcanS4Gn9Pz/TWg0qsUEq5atvDmdmj0qb/3uG3Ndv6JA6Ntoedv0N24ED8VObMkQgKexggS3FIfrlD5IPU6com8mgogeeJpY51y2vtogwvWF/4BN5iqdueQOvj5/Ur94UnSDR2GmCv+njifbs1h+pfQUiNOCNqqV1DU9W1TibQRHMQ4Htzbhm/2hVC5We16gGzE7WX61WrI8qHUAAFp8gnU/F74TjrjgNzdtayOnoQB4Po1zI= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: sDiKRRm6Nq9Ogk3fPM2g9bkxqJkX5r/k290dMfoZ4O2e6NE4fA5466VwDkodibhQf4y0Cxt1zalQXrwF7kXPHGiwO7abxHzY+qxZ8Sw323GGZXxdPSJvZyG4wF+IXadd2loJdeeZpEqN/axKsGF027JtDSmZ5jGsE0+x7zZ4xQ8AI4hF0jswJ9TcBZELaueJvbzYoy/M+B8S1yd6mOfLPvYYF1Jh+VGWn3fBE88kndNaDO4GrvvctJydzcUFITgI1xRGPM80w93jjDMfp7GhaR8qJBn+LDXMg3r8qwMKhJwqRxxy0ZWd/IJwq7g9q/1J5k0n+YBO99n+OhbZ8SaAiWYXRIn7t6KHGB6Iz/E+QEwS3DdQ2c3OfFTQKtbn5Gatqfm6FRD91Fa3Qm++8EN5VEjnQyd927RNmW6ysGjXRMaBl5KeO5IhdhyQ+YsrQ4Z4AD+j6baluiAKuRQksI2Avvshn8By0O076B3wATe2al8F3qMO/I9fdE0fcAryuX1FmNiemKML1M+12aPp7BevdNbH48QOIjG9tVcWmpQA0VDWu+kgFFYJE2wxx9ioZMgn5jd/BjzFEUi1x+byzX74qy6zAXOUA+4rsE4D0hxqXUAskZCCdB5Tl735VoqirSvISCJjq4/KGh0230JP2bRQ+TBdNFvvTO1Zv07mtC8nicrZv7HiY5jN1alBuHumArOx3F8UG5GmJupfnKX6LTLdikpiKGnDh4iynhwFLIvmZRNVZNbthSdax4t+YGDt+CdNSbwmm8B+xjH5c8Gb3yak3XjCHo6t9KAk7xiJSq2fYY8U60O01POJusxms50MsRD491zJq4pORWMk0WvSPCGxQOlQ9iKru9NP8P23dO/UImURsrkyca5rqcSbrH/qH1jefgD3SKhtiK8iqOh0QPY7yFW274r/LMnpl644+MQM7W6DoX8rvwRcgCQv8h5TIYE2LNOOypHdOiPo0qSMjTNXroupXWXVp68kJL/q4VIQrv/jBFbChkXGWLyRr9ZZLfSfgcJuFYPuwKa1XUwl5Axt+2lDXbWrkS9gBCOXx6v6rf2/TiQHCe8jfU0lkFXvfiaRDJI/bGtLjXvK7Hu/ptWCOsMKYDzJTeWq5raYj51pnMQV9q+gLNyEC8tce5cI9ng8Svi4F8X8Ao1v1HjWWZqkMM1ihobjZiMo6JHfaypI83QhojiVEu7D1o/r2XQI6mCtB3ayNjgYf4HR5+RHdhYCXbjGm1rbvO9iUw3GZHa5ke5L/OqRgEn6KYUB9RUNyN/p/UR69O0zXjy8M76Ux2u4XlVwHIe8cybG95qVZjbUg8pqGqQ9g+i730a86ZOmk2DX X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: eff55540-42d5-43b5-dea1-08d962a74c7a X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:33.3738 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 1ez+Ee/rX7gn/TsP9i3kcjLXrNqT9HlHrpXdxFegIlGrC8sNx4FBQH0GRPhFlOnaD7QdiEOJnmsAYdgwa5QH60pAJc+P8nvDrfA77Iij7kA= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=999 phishscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-ORIG-GUID: 8vGGVCdXrCPSKl19UNtRmkXPAAaBDCf_ X-Proofpoint-GUID: 8vGGVCdXrCPSKl19UNtRmkXPAAaBDCf_ Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed). Signed-off-by: Eric Snowberg --- v1: Initial version v2: Removed secondary keyring references v3: Removed restrict_link_by_system_trusted_or_ca Simplify restrict_link_by_ca - only see if the key is a CA Did not add __init in front of restrict_link_by_ca in case restriction could be resued in the future v4: Unmodified from v3 --- crypto/asymmetric_keys/restrict.c | 40 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++++ 2 files changed, 45 insertions(+) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 84cefe3b3585..9ae43d3f862b 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + return public_key_verify_signature(pkey, sig); +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); From patchwork Thu Aug 19 00:21:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499857 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DCDFEC43216 for ; Thu, 19 Aug 2021 00:22:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C5929610A5 for ; Thu, 19 Aug 2021 00:22:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235375AbhHSAW4 (ORCPT ); Wed, 18 Aug 2021 20:22:56 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:64680 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234748AbhHSAWm (ORCPT ); Wed, 18 Aug 2021 20:22:42 -0400 Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0H5TD000821; Thu, 19 Aug 2021 00:21:39 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=FgBEqvoMlz7uexqJINhHi0sCZVKJam45klrZZQwKbt8=; b=YJfvg3SR9CaCJmdRyc+HrH7XI9D+xtqRKcc8yirckIwV2eAkc/+ollA7Dmd6oFGTLK0I mGvK4w+3vLh2xsGxyiJZ4Y4QC6mg3r0EEXsoZccWLM9yhRjsX8MbtQ3CgtC+RRd7qw2U 65x36ouCP98SZ0Qwro6juHHCsGFJfhBCUWQEURZtLpKtxdHpsxELWLzOo8w2+4Cupn21 AyJGibydqpsWLde75dT/4yVe3MOmhiKXOCIBvumicVOEtWuNrUFg2rElz5Wy/+aGFIVz LXRhavcHM4z50mc9xi60j6JiFm0VQmMJEv+LrTwqtm1Om4YqnzFYaGMoS3Yz07DhKDVV tw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=FgBEqvoMlz7uexqJINhHi0sCZVKJam45klrZZQwKbt8=; b=ON+AeuI6pgYQEjAwzECcdGcBZ6zmu9So8grgt/qMARUTvbbuH8imq75D+smumGtb7Vuu /1tObcvkSkt3hP8H/NiqyFXiYuWb4oFD9DE9hf3euzXka9llIdD0XrWi469buiyLRtjH WUG13KDOh1oFeexT4r2PLL6fBv5+5uVA1pz5NuMLy3hZrVhOKPVob5HpwxvOTbqBdX0/ Op83ijVVpqXVV9b507IcByS8Aysk7d6YjVSdl3AK+whIKyhEnb0i2sOlhHEDs9dY3obI 8+hGxeOJvnAK7sXgNf4lyoVqbfCvcoHFmE5aTBVtJn/+gOokMsrzYHbB5hzpUnnXv95L jg== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3agdnf4dm7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:39 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F8nL040503; Thu, 19 Aug 2021 00:21:38 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2173.outbound.protection.outlook.com [104.47.59.173]) by userp3030.oracle.com with ESMTP id 3ae2y394ak-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:37 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hzQio2Et5XdZQXA+18fu+nDn7EEjKnMedjj8DVyqgeaGGV2o/L23atGOW5KyR8f92tKBfftoGxigHXX9ZscBgktoo5nQYveceL0oxavXoCJdayMWTo1kLgtKaO7iETrZjPo/YAd5imTW4F8eHRhYAIsJMItwlro1Ue6pLlTAh9uc2tC7z/qbJLzWAFqir4EzBW5YFBLjJbq/i0LEvWKd3SMV6Ck6da8NhypTVf/vCGBUsvYnwlvf8CE8uIEbAxzPQkFod5cOMWDINUx5VjPRktNdLDSt7NtNJ6X28fNqlRmmhWj6bl5V/gIa6OGtq5IvclrI1Q6X7nH4w280E+C6Rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgBEqvoMlz7uexqJINhHi0sCZVKJam45klrZZQwKbt8=; b=CI706sHhNGUXw/v9ClLmCa+cXrrM6s0Isap2qv8pLP5PaOt4DWIdXa3d8pJPA5y8b6B8uh9bSW0BZ4pxBcGH+A8Gdkcb1Wx8FSSDGMMbAnf9B87YLwNZq0VA95/ox7ohXpsc+qt6BqXFki3XQvlV3jAxnyx2bZEdTyi49VwikMSPbXp6UVrsY8GbCcvJffNAdtLdEnIffSJZX2RN+MLg3PaKQh0attIYkyJg5DmXTZqwY3CILFC2hgZUDNXSXXZ9EZTGpXdOgo34ovUOcda2QsuFb/QJltdKAnOyX2PCeMzWo0ZAPIX5vWDvdg/obiWLoGyknFY+Eo6JmXdM1wcGdg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FgBEqvoMlz7uexqJINhHi0sCZVKJam45klrZZQwKbt8=; b=ZkRepHzJAojQCc8X2G8QwC60/+cwGuqDkq//Jd1sgvZVGrKBnWXCJyWPPdAhixMD2PHbJPib6qSKwiQkdvBUd7+MH2SeeH+bqcKaxawaHysYWPInoc+ztKgBu9vWAvKquQEd3iva1ODPwGaXzM9KN5l+sGfnOXCl1FCmRv18/bI= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:36 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:36 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 04/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca Date: Wed, 18 Aug 2021 20:21:01 -0400 Message-Id: <20210819002109.534600-5-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:33 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: a81a0b68-b96c-4455-c118-08d962a74e14 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3383; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: QaND0lBfjRQ0lDMnxC75bgOVYOx1Wu1nee4PZnPvZp0sZyRuWbZxNCXvyXc3a8vDFRknO2UKG3JY3iGdhzSpSLskm15Fvx3Al0XdvAPCtGmtzHYi0x/FJFA1ZaAHP6BsYnj+O2/qJSdx09JLKG97kYs+/mRYFi0ozoT7BlhsWhyBn8nydt+BcUiqCLlvXypBVffQ9sEWtq/ajirGevjsKmRLcMwhfhO0C49X5d/KktVpJ1b+kuDi1tED57p0WCVYp7E3LdCFj6cBcGMB/gDFdtcFGtd1WAHiR+Njepnbf+7oNgo9HKK/QoYTM9Q3KwqJ8KA90JTwK7TAPyjU1eYBYRRP6r5ZTvDkUTLmM1AMLFkQ6AWL3WdOjbNwsLPKxqfoj18lyOj+wSOBmOni6oXMa/7P9iHU8+8v4mxOFra0nbEGMmFnSyfW19tUCzSs4DmzDcPjx0JUL+kZhKlAwNV0AiUFHWbPc03K5HPuo9go51yubWGBCI8rXoniQQK2Qnvwi1SJbbsQqXGTnAnkpIKGTmPj8FfJARZNC+uE+Adz/hc0Vq9FVYaJRy7kGD3YcXo8fezLpSH6/av8nX1p/jcS6q49v0bhzNzomV5XqGIAhURsGGXaJiF5E2stztvOEoOBBZHlLlp+TMYsh1O8QSThOJToUz8XP+1EwbRn5ivZTIvnuGhxIoXLppx3SC7Lcwv0BoEKeOrUVgT9q5gIsnjSYe3YWESZfnAlFPfrpWGkkxQ= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: ZXVAR3R5CGdQRTfxgKQskZ6S887Cud21txGun1DqJXKRy2wS+lKxIGlhgrauCsA5BMwfICMeWWGjOE4XsgY9+9guONXxG5GslaYdSCb0T/zReaZttoA1uH9wOXPI6q8Y76Q1F74TSkVeyXA6mBh/THBSMNcPIgKS8vKLt8Wyioq9Kly+mTpZXemvUWIHTHpnqT3rJ0MoIOME9R1Ik39xGxlnrKxGYpzP/1pQwKlS4Rks2SoepKT1b6rXK6MO9GccJosW/KiGM7UiTOeaHHMQBlIGLMm6U4UCg/80QBhznIHgE4cH96Autq8z4jObAecB9PbxKft56QURNPC4sPr7ieHFREFlPOqfUbRwJjzythlEoCDAoibXztysAjbBlnADSPYwv0G4phGJ0JtNoRgkMWE73trRvXsYN/89naHq1rOWxXIZj6mD6HrSmnzIJeM7ziDxAb/O9ZgQnO7Ou1Jz+VdDmsPfN3sFqjzciNlmK7FoB2znl0cKSyd/SSMjbf9sB+hpVdE6wehLN1q3c9NQpN7X/wjuY9si75NF7wAkzWtH5svy0FDMniKnrnPcO8kOlDUYMSPMQ9xz98ILA+lpClV7jkrrzMyOIe77EABrKALWPpDI8utjow58pgpVnfz2K4GTGXC4Ve9SAPQGk4F9IG6SoxU2MnoeZICBWamvVdyJLMAzhiTu4QLtKLHGlz8mUz8Qi5G7FYduJRhrjscNsXqBtYs5QKWLLS5a4a7PZqqLaYeSQXwbbKdLzI92GFEIk2ceNK9bKBq4kR09J8mvgFKxrJluUOPV9SqquxwFB60Zn9wvD0s0IgdKUD7twKJ53w7Z3mDnV4gOeMo1oR3UyQGOL3q/80Zbu9IvJcEZDDGMThCJs7MNqaI3f/cJtweLusS/lZdIdsEunAjWBgMkC8b4NRExK1j+K+kE0WlgfjwFHqPvvY2OsDbW7sRK6Ub0lsTxS8VfoPNc9dL83d9rbTaNlQaNEn1gsGuskRRtkCCrNKgxpaRw+oEra/DC6WY9aBd39LaJwUAPyAdKeRl8tyLcVB4NrZYLCzIuCL/4Af91eiM9ICibXShTSg7vACv91dsqT0U4jRioqh6iPqrJahnxyK5acSrLSH4DmT52tSf1BBUX3d/wUKujegWDT8rxJPH8QL04uLQ5UpZOMmkUG4tIKazPjrnMqHYCnLtkR7HKVR5UzyqTGIlzHbHNDrMbt0eOV3gWs63H7Qh3Beikrcjggp9mKP+7DiIpjnsWANg4nX2Sj2qbxG0lj3Lf0+a7KuBqjQHHVlvptqWcot4+uD2TuJn27i9/tVHaUhz+8xMGtT56A3hXln4hOM8AiyhT X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: a81a0b68-b96c-4455-c118-08d962a74e14 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:36.1477 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: gAvsnkIZJ0utzQMFR1ntDOcy3VAObYHvihPlqQSCnB+ShiHgFMJjX/2DpQW7+0x31HWQTREztHFWShTRk0SxL3OIeQjRrGmUK+p5NVtcOak= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: JNYco7saO3_A1zbC-zPvYKpMgL6x-ste X-Proofpoint-ORIG-GUID: JNYco7saO3_A1zbC-zPvYKpMgL6x-ste Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_ca. This will only allow CA keys into the mok keyring. Signed-off-by: Eric Snowberg --- v1: Initial version v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok keyring gets created even when it isn't enabled v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca v4: removed unnecessary restriction->check set --- security/integrity/digsig.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 5cad38e6f56a..1f410242752c 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MOK) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; + if (id != INTEGRITY_KEYRING_MOK) perm |= KEY_USR_WRITE; From patchwork Thu Aug 19 00:21:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500521 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D0DAC43216 for ; Thu, 19 Aug 2021 00:22:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 23852610FD for ; Thu, 19 Aug 2021 00:22:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235265AbhHSAWx (ORCPT ); Wed, 18 Aug 2021 20:22:53 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:63190 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234404AbhHSAWk (ORCPT ); Wed, 18 Aug 2021 20:22:40 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0GIxj021777; Thu, 19 Aug 2021 00:21:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=wT10KcOVp+oYX6Qz9muM+t3vr4NXfzSU1Xt4wfjK9+Q=; b=dJsNJw1vMjg8ELuvnGiKaxpsABpx/G3DYy7XnF2YfBBZtftF3Oho8h9+7IUmADdX3SAa ygzOfIXC1md8i0af+9G08HqiyeKyp+CzifHax8pyOIVW7o4zFZhQ5ZGa2dOcQ6Q9c9A4 sIys8DTiim25pXFDxK21L001gWzVBl7eU6nvI2UHIJ+TAHHWBgm97Y8lTAlntVpor9o4 Vsa/xLUIHhPj/JSbtkii57hEjlNGI7J6+Ydx6tSMKSI+GC8IS58RKLyrbgwtK4T18Ozb VpE7jHq1fu0FB1J0XhzXytYovZtCE1gLIp3KDeTk1G37rwoiYcjO2hBjRC23xsGDQTg1 6A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=wT10KcOVp+oYX6Qz9muM+t3vr4NXfzSU1Xt4wfjK9+Q=; b=VZJnf76EzAiwG1VteH+SGIP1D79UrcFKf3zzcc/RceYK3GfuevAGmfRrva+9on2Euh9u CWLiFAzSANndHPapZ2GJMp2wRR8+c5yix4kDTus9dP8ZbmWmZ1ePRRcb6icXMl+UVW9R kOmgRyoQ0J4KcN4IRxzJ2ZB0gvb6bXhc6aEqW3v1ZZh6przBgJWrfFMhIvrOZGFDUYI5 jYZji+xNE7vLL0KPKdrC5c5pcnrsUdsPJunZ8xku/vS9mho/LeXn7Fzf8YJdth7DGcue p+OTu09JYM1JagDa1BiPJmTHrpy4FT3R2jqxUwuDe+D9gNKWdJTu9rHtJgPwVTgdpR/a OQ== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by mx0b-00069f02.pphosted.com with ESMTP id 3agu24jghq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:42 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0Eq3a160347; Thu, 19 Aug 2021 00:21:41 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2171.outbound.protection.outlook.com [104.47.59.171]) by aserp3020.oracle.com with ESMTP id 3ae5naf93q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:40 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=STxbrlbMEw+9iP2nuuUPMRNW1tsCAIfAXVrCgGTl5v7UJ7rn9NewZXl3M6EVDZ5gkEctciqcpFhD4/eUvXfw3DXvk1H8Lf2z5F1Z1wsQd8WsB/nm6Wjj11Cv0DkaHiYB/13SW0J2N0wV/L8LB1hP5xpfvx1e8pcFcx9/QY9QK7Sp8yFhDNziQnaqfO/Jd55aUf5Yxv5WGlE4t6YYrwYn7DXJlVD1MY2H8NTSA8SrGquqzB0LeTy24TI5IbRQbRc8OcMYVTJWfAHhehnRYMQBXODRxyymKpXgGozwUezBD4VPkSbJgb5XTehOXRbRPDXNg9BuRcuuP3f8pB3CR+eQHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wT10KcOVp+oYX6Qz9muM+t3vr4NXfzSU1Xt4wfjK9+Q=; b=Duuxtpo3UzqdI5J5mhrHce6/emov0JBRHYiCKKxRPAFmNSS7hpiNi2P7tjECyA75Lx8LuMcVddjvEKLbPHPixdkJvq96C5v3k1SxTJkbUwN8CtYKIEmW2rDonCjn+xkL666uyUECm9pUtXz1AqiRGkHGCKmH1U0VK2sal9hJxMjq2lFVpwCnWWPYX4xpUvY0r55QDz8GjAHvku7CqXp2TuGQDhiQaIEURVrvI2vb+ndS/jVI2pNUiDzhGnEZcX2zV9KzOnUK2QLf5TywbWZsuUbRG4CqLy8Uk0BUDW9SevWhhNWRGYOj8wwvxTPZ6XY1TwmdZIHudJ5YnmK9+5TZjQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wT10KcOVp+oYX6Qz9muM+t3vr4NXfzSU1Xt4wfjK9+Q=; b=iDvl8Piw7MbwYyfAzQfk9CLyt4W4HoJGNl+WWhNykYybUUAj3suJ4tL8LraXojGUBTkMBljl5FrJTplSsUje3EKtZrV4Y4JPDSfe5u4W9QhqD54VpoZfZJxOaTd88/44vSbAQxSlFrkmuhd4ZJjOviZepKvHHFksyzmiZBwvfj8= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:39 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:39 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 05/12] integrity: add new keyring handler for mok keys Date: Wed, 18 Aug 2021 20:21:02 -0400 Message-Id: <20210819002109.534600-6-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:36 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 9d1358ad-13bb-460c-dc16-08d962a74fd3 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:4502; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: cPVvrQEOTpKfJVKmrDZb8o9dAFl2cZOS5ZROk89o6FXdAYVVsIUzOtwmwVQ9NBPJXUuH44iMBeiALPv3bJe8ABXNZM/mC1Bvxo4c7pYge9+0k9LJ8UexF09FVZSDFT1HBq1f6nlVzMieaZbtQlhnp872V505Pz3xVx//GzRdpWF9XSO9WX4Bwyzvi2JB/UkKTjVWMwQqkIpC4+PZHPbUezPLl8EF6ZvRr/lkOKwhwBAfW2K8/NWvfwzkGv0v9LqlKqWxwPedxcCXy3VchtFlOXV511CMe1drE8gHsa8I2j/XpUe4jMfvDhofseZDasNYh/VZ60kSd1tyozWwYVynUs573iX4oMhv0uFVwk2ABmcRY8DHXhRZp4pSaRnqvLJCtNco8edIxYwwhFX7rUcoVAUnA6T/qRyxUYtpBXKABxQVajlem0ZbyUa03I+E1qE1rcgDyMiF8yJksVC5eHcE03F+vjcSgttwuws+2K4bCGOB5RkP1IKl+hFWcpNjCQ4K29LZEkAT/lvGoVtyixYVGbWDEFwpzUCffd7zTvBiQWbNV5ZCemVeVBjNN4FRqLmFUJv/f+Gzrk+9zNGktfvbV0sBWnQ6drXkhnBTbD7d65Y4fWsHUh/p6AE8Wru7Ff+twJ8lKvnFsogDQ1xyPlE5vd9JhO832NXdYEwuoYePIHFcHffAzO+d+gYpThW8eytGlPJ8H3G/Y39eoXHnpQIt8XweR4NF3wx5NmUCFyXBQDE= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: PO3Pg94hCnoaRY1hGzfhJlAURpIU5lnM/uDpYDUWQ3bYtQYNGtc1/PXr4dZloVtFmndP3/swimA5eghxMmeiEBavu/x8pGvtxaI8FZdo7bRJGXGJUoh1Xq6rprlHTLj0rk9vCePrXN7Az/usu6aL7NoDMTGzALZ3CL0wzPCBlb4LO8eLiwa1X/0FeuCe5CBUp5AWMivFJ85rgTI8OYkT0kMe+xYr+fgHF94afPD2u2XSt0xIXNbMRzVgCYnF9eyXXizsqV359QZ+0d9ZbFChyb9Smg+gCv/JHIMzxXqx74uaAsbrEzrna7UOALNU1oPuUyFva9+96nQG4iSzqjhtLg5KmO7uYobTdxAlewZ1vEJAj1+CSaYNJrMD4WpYFoA57H/AUTP71qGQe8+nj3Zx7BOpq2/bVphnxhbqgfnorOZpIGCD/24luyvkVkIkLVSp7PNKfxNoDNqZMem4Hj+7w1M7IXO9s2+szSLzHwCDj9k9aYjFOtKkH1ZfxpEy1peFVr2MkNx8WQEjrkakedMNTJ/UHQLejh/q/u6CWGfnF18jyE0XON7c/ZYNXkJA39N9fgU009LLHbwZsngK+LAUDk6GQLiMP5teU0JhYtCMooRyT8fOUQgPdTZ5I+F016mAmrER0vObEqmQnuqQK9KhVrTBVxDnHXaOrr/6AnQ1OZOn4ldHA+xIU2UDWL24uXq8rCUXris9x7TT7zbra3OdZtZRiv/iLQFSy4UQlZg2vj/dzV4lYoI50LWba3m5gKxYltRbPhT/OeYospNpkW1SUUc0cobTge3cJTTUCQX1TXHoblvo/jrlnk/MUrF5M6vsWWkeTNUZr7CWxtYHmbIG4eDEdDRiU9+JNAHgfyAWk2qkNA9rQ5y+IZA8oq9Xzn59gPlccxHI+wARZeY+efJP6+Qtg8YsA/iKcioELGj8kcIcjgMqa7JMuY1eKbvqVsONQl0VSzWw6q0cG1j9lJi6lBVA6eKlld8A7vkr2+TkC7Ma1cBckvEcOgPNqkjI1y5gQUE3dnE2IWHOb9yN3++VpbASTmgq1APMFwsetAbD8ywQRX0oZou7M3h7H6f/yTFcGu+IgqJ6/eHvbBQBOajaA+D5BQRBuakhxZPn8uAQc6WdU3WL72TURDe+a7/loTvgmdYwTuRNs3ZFWTv4/XWTmkK8SNMSlCb/JGMaj+oL4B6brlA//ZSTq4dvRaaAGRUtnUfZc9Q0w80ngldw9ZAaf8grWzCQUewSbynaf5NUxzbjcaAvs7hrXAL6A0ZvzC8MMtbQJnnM5Ahvl/HVFG2rLUAdGQ4HLPucxEjkWtEz6NbtWtWlvnNLqR7a41ymd4XX X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 9d1358ad-13bb-460c-dc16-08d962a74fd3 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:39.0220 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: jMAPsJIZSjcDlpYydHZKyZ/arcaCljcZ4UZxUnxIPbHS7O0JHmSt9R/cCJnFOuz04hQUX79afjpouky5Tno2jkeACst0GPaNbs6PSBogJxo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=999 phishscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: V11UY-fmiDQNflO9-LUJNjTKFUZc7Nlh X-Proofpoint-ORIG-GUID: V11UY-fmiDQNflO9-LUJNjTKFUZc7Nlh Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Currently both Secure Boot DB and Machine Owner Keys (MOK) go through the same keyring handler (get_handler_for_db). With the addition of the new mok keyring, the end-user may choose to trust MOK keys. Introduce a new keyring handler specific for mok keys. If mok keys are trusted by the end-user, use the new keyring handler instead. Signed-off-by: Eric Snowberg --- v1: Initial version v3: Only change the keyring handler if the secondary is enabled v4: Removed trust_moklist check --- .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++- .../integrity/platform_certs/keyring_handler.h | 5 +++++ security/integrity/platform_certs/load_uefi.c | 4 ++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..fc4ad85d9223 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) { @@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (IS_ENABLED(CONFIG_INTEGRITY_MOK_KEYRING)) + return add_to_mok_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..c1bfd1cd7cc3 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; @@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc); From patchwork Thu Aug 19 00:21:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500522 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25A83C19F33 for ; Thu, 19 Aug 2021 00:22:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0948B610E9 for ; Thu, 19 Aug 2021 00:22:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235099AbhHSAWr (ORCPT ); Wed, 18 Aug 2021 20:22:47 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:63462 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234613AbhHSAWk (ORCPT ); Wed, 18 Aug 2021 20:22:40 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0GHdt021771; Thu, 19 Aug 2021 00:21:45 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=n2pBSxgYa6jeHvx1d8x3ULkkZ8Ct+nWMSHeQyv0xkcA=; b=NXt92w3xcx60d6APpBpT//HmRpUbt+gX5De8aYsPbwgBuABVwtp1s/uH6w8FVQQIAmIF aG4h4l+YQ5x1cf8aQEzfyuukpo4DAviugE0g7sODZh/3jd0oNYrGbsBkILu6n2BraHba O6BHtFCaBQMtQbm1E4RNoiEUVZS4+tZCRXovdk9kRBt6O9PzA9f5XXUBSQBRGoHQgu6v SmEElvv40DrK429mx29og2ORe6U9dqboSdxV9g7HQPBaYP93eGcjJSr8UXAHAG5K6au4 /Ti5SgiGeaJP7HoKN7uOjx7pVecdTbuOA+H0tgNDaHbArBx+EZ6cWU6+8ZCit1dUIuu8 GA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=n2pBSxgYa6jeHvx1d8x3ULkkZ8Ct+nWMSHeQyv0xkcA=; b=u8zFfXZtKFrUBLxFvLp532986isZ9Lry3fREAJ1pP1dwXC+JWiDulUgYsdKxSAm08g4R Kl0/4r2gX1I/NPbKjhPF8ibFUNH1tcST88Bl4qehpVC2tj8GJTPzy8/LsvT39Kv/nzJZ yB7JS0ZFTKVJ5L4dgfTLVSpl5CElyAvXku0TCbMelj8hrmp5RsdhbE9pY855CrSVUwds H/YG+P8DLnkMjGgMjSP8q/EnKRUrTRjr+mCJ3UIh2zQnWaapXLuHhYMwNaNFcghJQzXJ uAlJkDye8Hd1K4lB5A0xNsy5KaYViGJ8Je6x9npuQlbPItfL+avIuiqnQ4PfmGHo5xpp cQ== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3agu24jghs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:45 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F07w007586; Thu, 19 Aug 2021 00:21:44 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2176.outbound.protection.outlook.com [104.47.59.176]) by aserp3030.oracle.com with ESMTP id 3ae3vjf8bs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:43 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XcDaCewK/0b+5toinz2Ub0EucRBs28deV0QgFoau5wwS7FXBdny828V0OmPUaYNTV2UPNtBBMtFCMWpXZ8xP6owM4XYFF40ItAeaNZi5yh+PNzV9OyUNKLILrL58jSHL+ryTVcOz+skYJrzLxh6iCW/NiReUnILpJGL1fzh0JUaD5IjyttxP6M9/TGlKAFaHGy3YCXgb5/GIMbIc+872L3EeaMq9bFcj8N1MRtGlOK4vI5+OmQpp5/WmfkNuyvBHwoKND4xtrOcHFIQW+4hf5oR7u2DroID2gUI6QEJrOE71nT9yCsjV1Hl5L3a8UIBlNx78wd/Q6ugNTEKBVNfBYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=n2pBSxgYa6jeHvx1d8x3ULkkZ8Ct+nWMSHeQyv0xkcA=; b=OQL/gEDnNTDPKHGWnBhAyjlI5zFzBKQw801itW/3Xw1FrEf1xq/j9ONAXVVyoFBK70niBVNyk/h3KFn4fpoKxQEAsVr/gen/An+HOV3DhLnxUwgPzoWwCry8kUTkSMHp+Kht7A7m9cuoHPR0wfLja+vOLA7rVYL/JQMCmdtuH6aaSnca5d9cnBneHjAa8sWrD9n4tX50Y2Wj3px74npHLBv98ULgXyz1AO6rv1MyhAUZDKOEu+chiG6GHaZvZ+HTKc6GkxyeS9ndO2i2QV2UBy1IcgQsTO7ERxHA1Q2BlbDYjxqFSZxmGUp1YhMIY47MwOJCLqppdGLzlvEY6zxLvA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=n2pBSxgYa6jeHvx1d8x3ULkkZ8Ct+nWMSHeQyv0xkcA=; b=nTSlQOdAMZk2T8yvQXm8PRULX9nliIxsnolZCa1eEBeCR31odiEZn+SzxTL7K9MhKBiQurCG4To1dMveLSw/8qAD7XkjEO5bw8xsYIfge+QjmIThAxS/XfW8bo1yZubiod4gybPnXZBKQz4FD4nRdAEtGaR7B8p0qTtU5NFidTw= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:42 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:42 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 06/12] KEYS: add a reference to mok keyring Date: Wed, 18 Aug 2021 20:21:03 -0400 Message-Id: <20210819002109.534600-7-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:39 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 28294694-38e9-4285-199c-08d962a75176 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3513; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 3LCxSrBlfS4F8aqrl6JguduHgOmRQytmSRnxxb5ba+HS/Ypnrne6ZQuoFEXlOCO/EQWLVRvoNW3vmYNb1z/1fA0LosgKrQgeQKNpJWXvvTYrRDt8K3+ATKTqQWEFxO/7RxXG9B/FLu8JHneY8TYU4Gu3uqUg7JRD9Y7uCkLFVqvuI+9b3XuwCb1oqT12Jftzs2VGqWDYzESis8j6FEyeHCP+QC6IgKhFBwRYIxNJTIXQR9DYlGeVXv9m4h8GAALEnlNksURIyHuNnySFKYfG9YHpyQXXeRK7SAd3NKAWTrRjoLkUkVKjVBHeZ48iAB+N/VZ3oxrP1sQnHoaTW7OEtrtWKszdvsagJ7nQRoxRTsyDFjer00Mz9Is6Jg74Nv00bybJCsXtNnuzMc9AT+uWuWExpqxdikVH1lMJPHI0yhtJCD+IxIVQ9PPLIdYGTT+00FnXLh0ylISWYM7knsu49esJpgTCrmX2J0S/zRgoseN3irlHthyhzLEwl+vCgi21veO2G21ARScplO0PaXFTRf4mbGYB7ny8ZaFt6zCq2tyRvankNe/pWnnzg1eLYo+rNQHJ+RDZWX87VMJGilxGph7703YvycSjqpI/f2Ox87BqGDWtU2LeTYiMqMZcDU54JJu57Ga+EGisqODB7zCo53F0GrIC4oz+0QfZ5pISJaB6RIDuaRqOD91maGHLbGY5aG0Ehkdk30PKedpth7bZ2VLbV0edBbzqeTNAwmAP1VQ= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: lQvWfEDvqNWq3XDzyIoiQ+skLT5Vg1T7T4lK+JX02RK0Ol/dMYHhaJoE3dEulqOfSQqEl/tqoiB8tGrwmuDwI3TwuNVIdmbqeKLQsNzIu1iD8ZDDAL5eMF2cCEwDEaBeVurQCa2CArx30k5tKbjVqugBrlwY96Rkepk9hem5Kilh/HuUvkyRqwLo/0ZQH6hmZRqhKbu52aY/GwN63KfFh5aZOB/G5CymhYzG5dnR45P7irAFIDjhbt1VxWHqcahV7/jewQPPCoBVL+DrSv5IRn+v9RguH4lH1QBaU2hjfUtKxIjOMe0b2cTH6pg0QK/v2+LxdX7hdvnGob8UbbdCxaijgoCprGf56k0YLMmRflaEmpLjx/ZbF9CWim7ILDRxvBPGGXvSQiP5D5bYFne6Mu5C/pRM6dKgUNNLRNqMPJrr3AuwQsraYL5asG6sqqJ49dgGR2V6h2HtCHVTrXb0CPXbFXq0BcqBB6ortqhKv250ST8gChJVyRBtQy1eC1+ETQWis5OkSTuJ08OkdRZUmnYS6MDKOS1dk1/SWxNUJV06vlcXL45NvAxCNCdxbQU9nn3fnafCLc2lsrw162zOXuGxrJBVj/N0yW6VmrZ/U64Ri0poCn4e8Gr4vuN66S93xs0TIgBkAwoMlveUXrUVujb+BkEMYqPV2Xagz/wmGZXuQF7g/cYcnuSKq2Q71F8a2uobgmVJuuQgimW1et2rI1ua8iTposD9k5FYLHumHeHFDLnhvgTIUPXIN2ucZp6aPmMzhEI6TGrkqVdGA6RW0uzy3Lu2OiEpgi9XRg93cXHbM4q7Jj6f0Cii3MDDZRpcvpTrXf8CuffTR6Gkq2Lzp4wRWK8oz4qI8FpBrLmtXPrNnfTK8T8eDHmaOwLDYSZg5jDJ3ELqEdWx58v2AvVVvtJ3jXC8Ynupkdr0auJILFkF8UOl8RY0IB0cqVLGX+yqN+h1FPbxYqxcBd0fwUSAQX8ooM0TP5DcMMD0Y+kY1ixh/SkRnecdcP9FnnKxVcvIaSN36yxZ4sjUxDLsN1Iwo40sfwqtjPnQJLM0tDL443ON24NN3bYa2uwiyTmF5C+suenx26mnZQ6gMZwTGc9JfmbhRwVNqN2yiHe/eAulDGcDiZieiXJ1fW+ixxAanJ96T1r8au0YW93xOq1pK5jRRcBEasBuIqyH1yxw8DFIwjTkYkCrNo+gNKGGaQlWJqC6GbtToChkJ02FSoKj+FcGJ+iPQv7fXWzqujpcDF1lPUsSf+BVqNsd/8xVASmbGpGF3ELyBbGbvYsIXcanpCDg/xOkH3Yw0Pe74vW/GkaRjcHxS7D9Jp1JhWQWXTZmfJpI X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 28294694-38e9-4285-199c-08d962a75176 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:41.8805 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: ov4DucADwmDYW/hF8q8eTf86/G4JfyREOaFA41zI8le6wbiMmkpv7AnVrLENDhrtHe3+hI7jLAMeJPQBpzsqeox1iOZYcuv1QmkIgLRh0oc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 spamscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: 0Ix4MZGrVnvKg3Vwrg6TztfOTEi3PHj7 X-Proofpoint-ORIG-GUID: 0Ix4MZGrVnvKg3Vwrg6TztfOTEi3PHj7 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Expose the .mok keyring created in integrity code by adding a reference. This makes the mok keyring accessible for keyring restrictions in the future. Signed-off-by: Eric Snowberg --- v2: Initial version v3: set_mok_trusted_keys only available when secondary is enabled v4: Moved code under CONFIG_INTEGRITY_MOK_KEYRING --- certs/system_keyring.c | 9 +++++++++ include/keys/system_keyring.h | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..94af3fe107b4 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_MOK_KEYRING +static struct key *mok_trusted_keys; +#endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; #endif @@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } #endif +#ifdef CONFIG_INTEGRITY_MOK_KEYRING +void __init set_mok_trusted_keys(struct key *keyring) +{ + mok_trusted_keys = keyring; +} +#endif /* * Create the trusted keyrings diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..059e32e36b3a 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_INTEGRITY_MOK_KEYRING +extern void __init set_mok_trusted_keys(struct key *keyring); +#else +static inline void __init set_mok_trusted_keys(struct key *keyring) +{ +} +#endif + extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); From patchwork Thu Aug 19 00:21:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499859 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1AB7BC4320A for ; Thu, 19 Aug 2021 00:22:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0394B610A5 for ; Thu, 19 Aug 2021 00:22:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235217AbhHSAWt (ORCPT ); Wed, 18 Aug 2021 20:22:49 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]:20958 "EHLO mx0b-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234379AbhHSAWk (ORCPT ); Wed, 18 Aug 2021 20:22:40 -0400 Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0Hw0K013440; Thu, 19 Aug 2021 00:21:47 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=pIOViR2EoAM6piKmGaHAzYU+ny3O5zllkU4pL+mSOlw=; b=A7qujnASp4N2knKnXBvggcu1f99FRepwtOOGyDe7+I5MdvP8wfWzK051xXfIn3FkeMyb zT/hqA7V0msmUeW/GIDXqWfKMNC40wf1I/B8wj8LzVwtq7Q6aRsf0WC2kkXGJ5YDCqVC L4ATLdVAaxtGRNrxgNBWguFe5VffMcMl2DBBUm6PhONHoj6ffXJyzpelUjBhd5ExUj9p yNRv02opcPf/6OfIr05GDhIk2IOFkeuecUBtz8JfXx5U7+kGuYF4u4+/pUsDqgPWZ3Ey JxmOUzje3yG5rV5CGm2H+XE00G3cFwVO4H5Gf6FpfqgpSZeeBGSX0JzDcV0x2FbTCAgy UQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=pIOViR2EoAM6piKmGaHAzYU+ny3O5zllkU4pL+mSOlw=; b=VxoLteyc0LMxk0ElpCIOG500MrBxtfZoqNGUub16tpsNVnLVjKMR4k9CGJGCHmn3wTew Q+8Fj/qewvUcow8SUmDAdrxx6BveV9Qfto/Z0x67jpo498w3iSJh4tAeYhq1FDkzkky4 zN6IOL7SkIz+PUTrEtxpfFL+6LsLvhzRpVVepwPHvUqgbKDsRS1FWMQwVDArsWX0XjET jG2KDoJ5UhJzX5oOFlclm5RrghFr02LBF1AIQVDWJMS6B7CYEAQiSHgXDQZHG/A5dupl 6YjC8UcHn5cADM2e8n6cAFhuRZhpOsTMfc7Vv/ITR58PfvoJf3+peGlK8vKez/lu0ock Cw== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by mx0b-00069f02.pphosted.com with ESMTP id 3agw7t2adu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:47 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F6Fp196129; Thu, 19 Aug 2021 00:21:46 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2176.outbound.protection.outlook.com [104.47.59.176]) by userp3020.oracle.com with ESMTP id 3aeqkxan3b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:46 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MKgAhKNl7Y7/PHzksXm93PaVaMX8VQfix/mpOVC1hF6XcL/Xo/aEzYWfPWfUTzKeoA2PP1b0JX4MWQ6YO5wlsmnNv756jP6gwsdbsFSZqz+uz3zb37vZQ85xDMLYjlyTc4eswbq4cKpEvHs7ePHOl1M+RCUrZ6NxXlzwLmjN/A5/kf2g5jqax7FyCs+iF1G3QuJFGtwC6XQsmQ1nDzHLOFU7o6DqQMmSEN6fEc+WzHl+dtCDpU0YkiaO708S7gtu1WF4sdKTxcBLnU28H8KBVJKqWjPWukjO9rmGrsUlQOk3aV1pJ7UA0fIE0KzGaEaomJj6hOcL1Rhprc/i6LZDdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pIOViR2EoAM6piKmGaHAzYU+ny3O5zllkU4pL+mSOlw=; b=SGBt7nCkv1pNXGYVgzjXVYSgSAAS4cSzfdR1sUU6vGyUxJMZR/5ZKg/m3Tlhxt8HIqQmIVC8CAIln5CWyAis+Rn292MYAPvcfdTkw5uMkp5YNNInz1aT0CwOxHdN+uI7IRrGlGsyRT33xBWuGSizIXLIQ9vA19bpia4m5R5Z1t7iVWCdW+24goA82NjW1wxWYszraQfeSqbxhyfN5V8+85XQrKYGwfvqJpboDsp7yqbg2f1ITaWkEYYG7uCk2kn0yF1YWqarlB24Qbsh3iCXqoEAIbziXz1uFPpi/iKiym5x8Uc0PEJgRnVn5WPGBr8lSnMDmL5P8N96E1lvULtNVg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pIOViR2EoAM6piKmGaHAzYU+ny3O5zllkU4pL+mSOlw=; b=CqqV17uonii7wKOmcY+pSnwcHDWvIcd2DWkWNooF1CfIbNWenmp3kj1SRHS12dE+oLtpmZxMtpBFUEzzT5++KuNC0hIwyIGEadQHCIzEyrYWYVCuL3STB2fDDRPcAUNA9RCHzZW8aughW+hQdz8GweAkRoj64CJn8dQf8q6UNCM= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:44 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:44 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 07/12] KEYS: Introduce link restriction to include builtin, secondary and mok keys Date: Wed, 18 Aug 2021 20:21:04 -0400 Message-Id: <20210819002109.534600-8-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:42 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 0883c7b8-5bdd-4799-dc8b-08d962a75325 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:7691; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 74qFgbNekS0kkecDlL8UI1nDUmD46JGW3G+2Upl3UOmq0A16/bKze3T4ctNZvUe3ZkfUw0UscN7Z0M/ra3mA9mhdvHqc6aqR8w7O8zoyq7CeFlL4T8jcMGgZySMYoUv3BeZRklmd8tYLUkNRY7n9lv8BrxgmRo8qDMCq+xt7uXJ3ZMLzyZH1ZCNUU50hRLXFMQmNz+kPLeomdZqYP6h5yxmX5Ky+O034U2ei0oTMZ2hE2KqtqeXmbxwZCEqsk+uR0xaPSIFCQ1Tvt6yM2QgbMR6FMHJULJ/56utmMd1QZ39BMrWLhvyqCcoIiJEHKi+Yuh4eK7iXkcRx1fDXigeeQPO/1gsKxfdbWLrH2J5LDCz9B22D/5PKhCbeA1PbwgKMf018M1mHDpxC8OPhiJynyS0GTmj0ghR3S60lUYipD6Za0PsB68vpSVx38b1mX8i8nGlGYcwmjXbQuCrWgdHRRf5CXWxKiYNcUvZLnRwAiV8SwvJQ0pRveAQ3oQE8KABiqXczcy0PNMW1QDtdsb3kfccNU2Gx4JnJGGVnWL72uWZ/06nyCCC0gp2YbZmvgpucbw25dz6B1ZsNrQMWkqwyTvTu0r+tVRfdYnkxubgQNOK0CB/Dx3dchj8O0IB9A0p7x3NPd/Cr/r+N9YlGpjX3ERSh9VnABDo0XVLNBv1wAYbJTZ+nFleI0euO1mCD2uKcH2UvRmPLleHDfzXFCFvkGqTh0rLV8bZKCgBrEXKFmEk= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: lNhD0DOEn0iY2gm1w0y8jj4S5O7GjijhGDjKQXVBtUDvFSus/NqZTeHgnt0Lkzaqb0p+qG+auqW3Ym6/qndrHCjviMFWOtERuvBS3MkXB5BPDpOuWM4yxkO55NRi7Uh2WV8C2ifyTq6eqHStl6zYnUnTPuO7CQ9RL31gA428zgkQTtMIvtL4gZiHA73x0eXocIznwvc2p3uwXrM4VdmidTc3iGyiUSez3p6spywwiaZdwCU87XydsWrWDm8tQkep/33LsHu4pb8Vm4SYuotGiHtXeOGgHAM1p8BaMi8aeDXIikIVBnops3qyHGti5Pq2bt5iBGRN9F3xLJkKDYLMcZdEAhrcdfwhhgVhc+mVnSoaabTeuqG/MII1h0Ck6vX9uTC42/tFjFW3YhRjzriSegRr4tvMyoQ+YuEtZzqWBTgNLMNO6ehNOI4Oe4122usw+vhXSx4uOH6w3/Q+U3JSufp+dSe/aKwdBjyrojH50xqOvdgOMnlDsQKlOL6sANggEqxSIdkFhyfCtlI4gYOJtalju7yGVAC2eH7VBL5LjV0/BRUZhggR3+o9kmVnmel5R6Mek/LSM9jU8VT091akbhiOz+m5bCwRNr02+8y5lD8CYOF1JuCv7H4MRP1g1+/pJwvTAFMbT10YiWgij49iUqhOptDhWwBNgEh9VsGWORUeB0nshLcLSFCz0voCvJV9gCTG6lZgC89SYmyxBsxXKq4DNtcH0ETicJiV88vHw2ZPvexOmLYpR/DvKo+I5ekC2YkvmfD8jv8jydQ9LEeM5hESVwLrkIt0m4jiMsGbgwg/tkdWP+CVDxN9dfewQ6XplEPulwemrXe+qzZAdBdbW391xLOI8Yf2ISvGXrqqurrjQ2Bxjh4NNbibPclGOlIpFaa9iBrWRBzHkCDgqNT/+YitM8gJmKz175I2RoN8J4/7vdjkvkhzFzZWNuyfhEYDsTdNu51dKmJN7K2zZCMTDiIBYBlRwpXzkeUtP+uuEXvTRxIJ4G2K1Ly2arjWsBEOQhtuknjKZ8C++lSCtLUsxDc0A3OIfbQWcACd6kckXUZ5NaraGpmt+08P7Co/BNOv377BslpRpwPlnalDzu2bTw7HaaWaSWelWFtZxDVTV1EMd8S+gxMtabH3ugRxN6DS82e3rVvH97qTm/jCnoFzf38N6tLnkey354uTcxNq3hxbdKSr0X0RMRogXzSZazqb27uAbdtN0bDmfqLIWNvyIR46mGlEPSICTwXmXU61JrrqT1n96mKJ9bl+vPoH9YGGZjniiVfLrhv/8rGbjANaW8igVHQMo9DdzmfJYh+25xvWP8dD8LE1Y4jSlcNyxUwH X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0883c7b8-5bdd-4799-dc8b-08d962a75325 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:44.5717 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: aCfCRv6pn81vZJd1+HRYH1ZeJgUd470TfjAh4LSvCGXUjqmxGYljgf2dgGP5yggH4cE/VzvpH7nGmvIYvdlbQCEh9FADtK3LN4uJRIZK39Y= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 bulkscore=0 malwarescore=0 mlxscore=0 spamscore=0 suspectscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-ORIG-GUID: gudxaGBEViv5wI8w4v5OmBfvwnYBbSLR X-Proofpoint-GUID: gudxaGBEViv5wI8w4v5OmBfvwnYBbSLR Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Introduce a new link restriction that includes the trusted builtin, secondary and mok keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. Suggested-by: Mimi Zohar Signed-off-by: Eric Snowberg --- v3: Initial version v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING --- certs/system_keyring.c | 23 +++++++++++++++++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 29 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 94af3fe107b4..a75c815a42c8 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -99,6 +99,29 @@ void __init set_mok_trusted_keys(struct key *keyring) { mok_trusted_keys = keyring; } + +/** + * restrict_link_by_builtin_secondary_and_ca_trusted + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the mok keyrings. + */ +int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (mok_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &mok_trusted_keys->payload) + /* Allow the mok keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 059e32e36b3a..8cc9606a6cab 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_INTEGRITY_MOK_KEYRING +extern int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_mok_trusted_keys(struct key *keyring); #else +#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted static inline void __init set_mok_trusted_keys(struct key *keyring) { } From patchwork Thu Aug 19 00:21:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500520 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F100C4320A for ; Thu, 19 Aug 2021 00:22:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 64DBD610A5 for ; Thu, 19 Aug 2021 00:22:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235362AbhHSAW4 (ORCPT ); Wed, 18 Aug 2021 20:22:56 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:4870 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235068AbhHSAWq (ORCPT ); Wed, 18 Aug 2021 20:22:46 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0GV4k021872; Thu, 19 Aug 2021 00:21:51 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=z9nmARSvIbc+6MEia4U0BG9UgBzB+H+F5UJsJAG0J94=; b=SxpSAGz4FwAeUQXPKsVCyRU/MZtF+WYy1GxrbIBPbnEAKgSPE9H5/Ry4mWa8c6tZL+i4 Z1+cuLk5DythhI3pHDsIvTtrUVeqGis94upKZfoycx3VoRcHgqySHxsp73eOMTetX+BQ ArdxEKsmPhZa4NekSXxBdOgfbROIVO9w6Jc2XFNfhkYqJW9YWa4GcshAWzyjDkP/W081 ER9pfmbFBQFcKtozfl1JdPsdP4ZUu1y7tuTc7ANsj1WJVBXZEgXOudLL5S4ztQNQWWY4 6onYzB4WXWKe6NSjjmnvoLQWQhxNFtLpIKAfT7BdiDSjwc1nO3ePz9DQvDPeTB25eiMn AA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=z9nmARSvIbc+6MEia4U0BG9UgBzB+H+F5UJsJAG0J94=; b=LS+2L6YSYOWnFDets4zmklBiAixAy6FtmNOo50pyL4QzQLO6KwtbJp/f872U8vwxO88z j9jO6iK57jODNHOYT2jTkHO/JlFu+rcHqPw5o7TVWJ5CuYR3VfRvM+bV1Reu8pn9oJ2v Hj56LP176pFJ9qsx0zzbyBYwzNoQ54cDIUD/QWh/D/VQu/Bxvi42EKOMBvsvjCHCorbH 8KPf8Slvl9AzBKUMOZJ+IGSN6/18fEJoDfoVMmaEFTEe1pvgcysczAQulVXbtC838usP /BpojgQSeUqbPfLEJXDfp72um1cF/fTBDklgzTfszHw9LqWZZea2tNMQrcRpbEnwSsWg sA== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3agu24jghx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:51 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0F0G8007664; Thu, 19 Aug 2021 00:21:49 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2175.outbound.protection.outlook.com [104.47.59.175]) by aserp3030.oracle.com with ESMTP id 3ae3vjf8g3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:49 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IzUM1PFPkwPZaOj9IM7VIMw8NX0636Z/BReVSliI2Vc3oDd5NBtfQQ07QTHpCxBVXUtw/OJdevild+1KGMjrmTFTog59qSJf9Pvk7k/UIk+iPkZBkC09Ht0R/Vx8mV9bIb9RiB3Ye43o3W4IjzhQ5HlWy9tyYUj/M/dEuCSzkCpg0CP+pPJ14HoOvrpCL3zsqwAO/geDeYat411io3TT6NJPPRFF3pUC3af1Eya6KlCGxIf6RyD9rB7uF3WypANOtYJNl3Ds1j6vYqe+sfp7orIM6MjqJhtMXnBnHFP2zAbJr3uEam8FSX3OrcoQ0ENyHFbteN9bjYLVlEkE1ky3Tw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z9nmARSvIbc+6MEia4U0BG9UgBzB+H+F5UJsJAG0J94=; b=WxZK2s38Ts5/90X2ZV2aFruYCyPtVPJ+5OziSATtYbAihpUKjb/FYxDReFZfRDD05RlLU/qSwy48WxrUIPbVmFCHC/CDyaxS+xD8owLYybgFUPTfAECiLPdcsHsi4gAAVdOFd3VFGWBGPF0zIedNY/Ssmd4c3NC/Rvoa7n1ASYtRTzUT42ddsjB+qcoZtoAVsxfRVKpd1e9F3Ei3P7WzBkCxZmTIWzA9TI6nkUGWymiGgA82FMUgviMPqeMWOwzTcAJaNYOJJmzkc499GnVkzLrOSF7iWwZlFftjNUkgPNLtAOQq9FucKjby+qX3MASNx2CJo54FX6sU9IwAMCxatw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z9nmARSvIbc+6MEia4U0BG9UgBzB+H+F5UJsJAG0J94=; b=xEzPbIAfoFXfzEdFxuQT7aH8deJozmFWQrvEZTFM/ReQSvZi/R9UDLRSgiVZEkdhTeJ3KJAFzd9Kp6F6mZe4JDEnT7OyXJh8YChDu0vHl5h3lBTePb6LmaQE7cXTlSWiRxHWsqhZGvsANRa/Q1z7CAlImoDMXJ/WfkH3mRFfJsw= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:47 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:47 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 08/12] KEYS: integrity: change link restriction to trust the mok keyring Date: Wed, 18 Aug 2021 20:21:05 -0400 Message-Id: <20210819002109.534600-9-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:44 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: cade36c2-139e-4332-29d3-08d962a754bd X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1468; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Sg/ETLqVYL5R3gMS254w4HVk8W1pJPTYJDsgbRncWf02cSYcHAtNob+Il0u79XB5pFVyMouReHqtx2yegqXEovzynJnWx6Dr+et0zXUcfyDy8oHBHIY3uk3VAHpYJAqlbm4+IRQ/EcEyW8rqZeFGsneMRtbdz3okmFmedndIYap9EN7gLawz6YzIgEQqppltvubreyGLSCDZlHEr/ADizyJ4DnaThBr6QwKp9723FfmrKl9DADrezIwN82WBZiCN/VAN7kMWFLK+YuwIN8S+8nRZSK78syakhi8pRLbQnSHy5YRirP38WIX9/zCANvxo3eAMiL3HpN5v14OGJgPjvzkWjvlRxg46eNQW/u0VV4rNcnrLZrJQ9uVciQD3tUR5I//gPRUCSHrUiOOWHymUt0hslRU15oBMWsPPf8NARJn94C2ljTfkFEkyKlJfoNfpQoVJfUEcLlk2UTnPfbPzVypE6hySDIv9XI2CWQ5NGR9DTgdie10ieqPcJEyxFk7lucJouuBVVXV4YR8BWOz4/HHCGkhk/O6HdBgWbwe3o+n84E+IRylyzjjat/dshh7JB0Z9FKKGSK5qQEs9kZ7ukbgP9Hdkhmx7jEFWioc8hGjbCdjSpDqm74vOof0KFaxY0z5vw47D1G6a99SNv1seWxFBb6kMQzsvc9CsBEt3D5/mfJUVk2BDe0ays7zApTy2H5LPiExMQVUAH1yKLv9oE/rBpqggUrzvIW0IAQuLX+U= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: D9EhAL+AQ1EzRptnsOVXZUrAV27VrcOvtkFSZkW5xFKiE2QYl2xJBSiPJnPxSrmzwydxQXNwmqkPv+cxkZSss9VT2caezfB1P+XYW7rgYseab5CaadLuKgB3749MI1om3Kr3eaZBkf4hzzR2XZ0gWETdE4UBYCgO4AAiACy2GcskZUMDJ25edZF2lllx9TmNDpN5JTkj52JlW9Kgq0CtoMXbLMRw7aefMYzfr6YEuV4aKaUlQAO6fRXTZ0sjYGR6bBAwZP/bActCzbr4LwhvXum9qnyN2h2GwreVH3euDz9cTu1cnWXmKD3/cKNOJMpF+HE2SvjbZ3YHNa8qPEP0oVkEdzuhx69iHNiDIAcIz1CAO6ic+K7ZmH7FfVW0W/7gYi9+pDEztbX2IzIKxI9MzFTG5V7cJyWRD3Q/wMLBGqszDs9iqgkcxfp541ILYCCnoSXXxO9nCNzGgEFyivtcipdXy+28A08azoATpsIAwKxsw4nlmQ8nMKqdlUy4vhxTpKzBhl6ONRqGnEL5OZ8bYENGsx+Da55Zp0/AtyBf1JlRIeCYqyLr5o9XHM01jziBOzGwmHnXhgn1xqEn9W6wgrP/rcCw2bwBQXZuCmNpVCzZZrTuXdH/oPvj4cFK6DlRyMcEV2peo/83ToSaWkOx7cr6UWliaWhNBrznTrEtKSZHpIBR9Qp6jMwHzzJqBbXrqpffsVpxhymEZz5GiHzi9h6vDo1gowr/lwLFGjjXNE7bkTITOcL54hwIzM1G6VyZRug4HmKov9OlRLv5uuSHzCcX1iGOes7NVkqg6nS7n7DtGsmp6vvznmqRm2Zs69Ttt3l05EBz4H3DSUBgK1N1ylh/88mz2hx9XEvVdlxXzffUY/hQ1XBpMW7C8jrT9xSfcUbu86BGIwZ/oF113FyojnfON5/bBdeE0w0j/Lx33j5C2w+5ZkhlBj3DBATERxmTQBY4KIk5DGgW9O553P+B4PSK98xIxsp1+mfsxYw1KUXLZ8HZMYko/ByjOvDb+E0t08CHOVkva77unOQT8sn/GsW3AgjftxKLSpzE/FkuN31AOvubHvFn2tst2o/5SXl0S76qaxWSS4XnqM7RqvtrMD+fB5oqfK3vj4ZPRdE8SiaF6Dp2pm47QS6gE1Q0FNV09CYNyj/L+sg+IxjkPie4DRr24A8uEpGFCWrtjkEnK6CeBlloYMz1DFp3Jy6zAAaEs1YlSYbQuy59LGD181pm7B/OPA6GAlNOvGibuLt4VhP1FbUxAPQUAHCTNSh8V2tTnWGDszUWl/ypks5VlMK22H2r90/3w6k+EV+ON5RKfGXAFgD1/mo5vF5a9gMBn9v0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: cade36c2-139e-4332-29d3-08d962a754bd X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:47.2639 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: qVJaVNqX3a5IC4i9L9sDc18Dk7G2C1M2CjEoVGjHQiyT3zbkV8iSphiVgmaAojujvPms++N13R1KlqVQgSwmIHtKwGoUdfy+v0qoX+ryTFg= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 spamscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: yRTuJ5axHSzKyhtk9n-GlwAjY8EpgdQM X-Proofpoint-ORIG-GUID: yRTuJ5axHSzKyhtk9n-GlwAjY8EpgdQM Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org With the introduction of the mok keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel. If they have chosen to trust them, the .mok keyring will contain these keys. If not, the mok keyring will always be empty. Update the restriction check to allow the secondary trusted keyring and ima keyring to also trust mok keys. Signed-off-by: Eric Snowberg --- v4: Initial version (consolidated two previous patches) --- certs/system_keyring.c | 5 ++++- security/integrity/digsig.c | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a75c815a42c8..1c39af137cf1 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void if (!restriction) panic("Can't allocate secondary trusted keyring restriction\n"); - restriction->check = restrict_link_by_builtin_and_secondary_trusted; + if (IS_ENABLED(CONFIG_INTEGRITY_MOK_KEYRING)) + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted; + else + restriction->check = restrict_link_by_builtin_and_secondary_trusted; return restriction; } diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 1f410242752c..a93d558b795b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,7 +34,11 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY +#ifdef CONFIG_INTEGRITY_MOK_KEYRING +#define restrict_link_to_ima restrict_link_by_builtin_secondary_and_ca_trusted +#else #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#endif #else #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif From patchwork Thu Aug 19 00:21:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499856 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5737C432BE for ; Thu, 19 Aug 2021 00:22:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B29A7610A5 for ; Thu, 19 Aug 2021 00:22:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235449AbhHSAXG (ORCPT ); Wed, 18 Aug 2021 20:23:06 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]:28368 "EHLO mx0b-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235080AbhHSAWs (ORCPT ); Wed, 18 Aug 2021 20:22:48 -0400 Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0HWt7029121; Thu, 19 Aug 2021 00:21:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=r5Q8wg3a9TlFXP/VHCrn3rzKthCgL1UnFvFQwZwILXU=; b=ICMF9u3DVfYc1PGH/y/CgCs1Ro2x5e9U/smlhI+Zp4xZwy1hpktJz4U9BR6PDiBVDjS1 c5b326f3sK2+VcEqz4Ghrj+otSKwWvpF5QJMdZ6oHdgt0VqO6erBCHrNa94GwvL+Rs6G Exeg1iH8fFQ+MCk2pvVSkn7iYRGkv4RDwpqrW7pkCRMQErREST93+MEmhgxhM7mlxh6d 6Nb2pZ315fIk5mJrCNH6W/YJAw3My3QiZgf5PzqOxi4S/byivVIMdukaT5680CJqmNmG hD2vondH9jZFD8b2UiSEVV6xJdd5DVoN/0TqZ3u7RwX57+RJ/qRmyl/keporuFOfpfPf 0Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=r5Q8wg3a9TlFXP/VHCrn3rzKthCgL1UnFvFQwZwILXU=; b=c9uj/CYVF8TnsqLY1N7f1bGthrOHvsg/lcbvxqzIQMYcCzo1MsugmZRJKU5ZXCkkfcZL N88wHXN3ag5TChCCKHaw2xUNi2MLeiuaSZOt6HEJoPLe2cc0Kno/pua1Fprhg2i/93ux Hmd4Xs9SD0dsNqyFT6AXOf2CV1uCUSov9Y0PIi5KuGES7merVJVkoIvyCSweJOUOfhQs i4HnVrjJEEiVLEHQe5FTxlnu1cPyjKoRqffN8LTl/tVPff8bbjvnSFRcIDOLdlzeZLE9 9uC1dUsZ+XXxkLMiI3O5MUgum930JmmR5B1Ijt5I6D1MHVqQ4L111gtslZkXYINKfg5n Qg== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3agykmhwnk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:52 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0ExTi007546; Thu, 19 Aug 2021 00:21:52 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2176.outbound.protection.outlook.com [104.47.59.176]) by aserp3030.oracle.com with ESMTP id 3ae3vjf8j4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:52 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d+aLz09yK7Q27QOISH2XCD0SrL2QYkjAXA4eThEpGpJN0rKjePQPtSYedJdTSnElnvefKT/olXUipY/mtEymgoVrV+9t+h7j0rEmG7LkCtO6IVZPWE4KSmyd3fQTILvUnEeQJe4RBo9m7FwfX+LvsdgHZpo9JOJb+irLUwhi+GwiyOvBxTV1iAud+SzhUI+wUPgJWJyVg/2y8sSJ02f7jKSo92tWXaLcImcJsrx2wHOXzaaEJRbr1ZYoX4GbI1oOCLlnlWe1FnE0Hbx0fHDtNRhPnfnQetaB1aBGMMbM+q9Zwpn5KgSHsGek1D53S2iq9eES63VG/dIP2QRNFEzkuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r5Q8wg3a9TlFXP/VHCrn3rzKthCgL1UnFvFQwZwILXU=; b=ma3UldG80nGGYOYIh817FcC+DlWn6mEV8naxNaSZi/hBuLVIpw6dNmat/x4Lvq/6IrEP9hXUDH1VWvb0hFr6XYV9rf+/amiulnByRcED/Nm+zRhTq+wNav04OYwC9tbN/ofgWoQN0hUreBID6byxmDnjFiHTEPLG54NsWURzfbss3ghsGJFXEra7FrjtwImooAtH29ZxLzdQKj8WyJrk5qTANXNKGLtgeJEtdN+gvjtKUgNugBkpBWLqqsOYb7cy8zEGUeAgjOzlSaEQG6rn+si3vQ2BmWJ6OUw17dwnqOVqTKZZQjCqbLU0wdJMShlGc6v567dWQfP89cXSBThcCQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r5Q8wg3a9TlFXP/VHCrn3rzKthCgL1UnFvFQwZwILXU=; b=lT+8MsF6vYV1YGdscLxuTZ8FMMXanzNJDK7daETiXrUTI8SBY1bs59XooPrMWc+9TQH8ouYmySEfklBzFcsQgGbe1KfzTvnDv0ozNVBHa9hNQzriVNOmNO4L2JHT4ByUGt4Me34JROPwwtatH1dHgwn818f4ePyz3WU1ekSpmuk= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:50 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:50 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 09/12] KEYS: link secondary_trusted_keys to mok trusted keys Date: Wed, 18 Aug 2021 20:21:06 -0400 Message-Id: <20210819002109.534600-10-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:47 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 696857c3-f758-4d65-cec2-08d962a75657 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6108; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 12wTjsD+xhetaxvPtfmlz5ZAjZ5ytvXPxILoqkWVvGCzn3g6M3skyTO6Y5ivVdjvdQJuyXGOv9yeq0oA+JD3bJMzmayK+Ir2an1FeO7y41vQR13/+mMsh/lhOVgYIE9fCPep54L7scR/S5P7x7P5pnGVx7A3DJMzJeUVfCUaWBmf+z7GoTVLM6lPYVVXCjJlZlDmxoeNU/ZyhL+0GxSFATb+L+5ppTOJTVICuhaswhk6GoywIxybGpp6dAzKHNUFIMGxOaFDYwziRXhk8XHTP9ir9IwshRwg8xZOlXnFQT4E2Tclwx0NGKlP4UZcc79Xq8Kktbx5XohazxB6Df9qg6ZaQv64b5WDGFl/2F2tJ1AtHqr0TFJ89iWgPsks/lZEM/SBDyfAb0BZwQQPic8zmbic3rXDhhGz/2EHq0eOgSqxjAR0h2RwT4KKY8q1EtjjZVJVMtcignn0ufutxNUYcnodwevA/Nc5+lwhsWG5kP6zh65ACBGBMLhCmDEa20qH7gYHNaiMGQWAS0+OtFIjlMYa9M9AwbUPMIePQMWMBAq3AqZI2gA91YMX0dwBAshYp0ePT2hmqS+NnDS529cVe/EJ9RBM3CzG4wa79GFE9yZWcjoGzNax43vUU7I/cYe9B1LKO/jrmQ9ElSXhIYgUyTq4DMj70gurtShfCDv8zWSyYbedJwv+L5q5frnp9d8lYr7t7ztFRT7fr0O+0ZaikdCfMCn5HD6qVvUfrqRXuaY= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(4744005)(478600001)(6666004)(6486002)(66556008)(66476007)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: go38oO2/wL2W9HZdwpM2v0qEIlAiQquiyojpFRJWMljRCKXkM7sB7GRJyNW4Vx2wxVhiGB8I/8sb252ZuwWZusmStM1SXQPFuOQyvXXIDvmrrygTJyxIOepekVk9tvlUyL70MG3aOFRZvAiB8xWM98b76HUO3uPwnnx7JcS/WCF1dcEmBmzTaBvPNigpm/4RFc6I2WAkDJHqR/jQLlBK9GLJ+CJWSlF10UM+FgzSviDTsceG2b0y+WSmMoujSK74QsVXfcKB6FPQxkWLxMyBTJu7cCcqN0wtfukNWwRbnadwe9XVAfpAm8SumdmqGevq331TR4ISTDZX9LMu9VcdOSpd5JL3Dx/7cP6M4Sb92xKWhBll3ICqkIphJQhOHlNrnCvPCvr827MAzLU9jET4Pka2qfaxlDN2JyOa8GmSrQR4pSQ5fUD2ahq1dXWk4LpFUQbAmH7jI6+SRYT0iLfIw6XKdM8ZfIPWls3RnexluQuVBVCuWVehMo+iNlOonq3MWYNYk9TYJNlA7DvSabN+VPK1TvMS82gIciFDc8cM9Y+4wkWvdiGY9sSznN2UXvAgnp1QtPozZRkbNRggx97YlU6CVM/F09zJltReH18+blSHU5bY5dKRqc/xZHfaXDFr81FuDam+DEE9XItgbHNpdU+XC8V1bpdJu1aCrOjIckXaPIunMreHAgNKL8WNMoQuUPKvjOvwFbg9IVKegGEaVek6UfTDNSWHM+1agasWKVf27YIF3lzfmRHjmxcf0AA6X4y5xPH6Xzgq9fLQegBASH3uqmzh0Yv3cR7WcizRuOPRaLjpPTpYAY3+skpcwLUXqwVDz3yKvuPHDE6WqNaBKoUJ5sYxZfvDjSTcXDGpXCy+8Y8+vEq/Wo1McJj0GZvfDUiR9VC7NxT4xlUXo/u7nPmOPO0LNxMtS/JacP2j/fRkTweZwt6THxC2NqC+5FRRKQxUqLsiubFA/NbN57FwfqCzVlvBgztxzdS16RW6nccyMFva8ktFpumLyl+lrEIZU/JUzprp8w6G5aC8YEKb35dVhBZ6GSOZaQHVstvkSw28KapOGM3spwzM6etXI/WsacM+hiAQ0roxI1cGDo8jqroK5xhvABV1StYPKxksZdmUsBmmotclkiTXZ2mKzDrmsWKkGXhMTR+ymCM0lELSeG4LXhUiF1KFRlDzgkDSotveCjm6zhh9o0s1jctanKzPfut7ZoVKlP3aDCbJxq0LKY9IsBQ9gO3wdvO6MhbwltwQ3rlE018CeCuFfvQfD22uP8G9TgeNEuhWTTSYBauMNc3NQ7KVCFdXp8T0HOODwZ6McLV3uop/l+g6nfS99eLl X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 696857c3-f758-4d65-cec2-08d962a75657 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:50.1722 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Er4aKOSm172D6dWniVh1wHm8Y6IaFXdSUAkZQKiFDgHHVSgOUsKps5ZiYtbBde/r2zU4Xguzqj8Klg/A6YE5BHFR8HfJIqH9lwvxdwwjdqc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 spamscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-ORIG-GUID: a2GOw5ImTmgPyod7VrPfG-j6Um87FHUr X-Proofpoint-GUID: a2GOw5ImTmgPyod7VrPfG-j6Um87FHUr Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Allow the .mok keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .mok keyring will automatically be searched when searching secondary_trusted_keys. Signed-off-by: Eric Snowberg --- v3: Initial version v4: Unmodified from v3 --- certs/system_keyring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 1c39af137cf1..4ce39b4ccc04 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -101,6 +101,9 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void void __init set_mok_trusted_keys(struct key *keyring) { mok_trusted_keys = keyring; + + if (key_link(secondary_trusted_keys, mok_trusted_keys) < 0) + panic("Can't link (mok) trusted keyrings\n"); } /** From patchwork Thu Aug 19 00:21:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500518 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FA6DC4320A for ; Thu, 19 Aug 2021 00:22:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 678ED61103 for ; Thu, 19 Aug 2021 00:22:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235514AbhHSAXK (ORCPT ); Wed, 18 Aug 2021 20:23:10 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:11954 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235258AbhHSAWx (ORCPT ); Wed, 18 Aug 2021 20:22:53 -0400 Received: from pps.filterd (m0246629.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0Fwx2000473; Thu, 19 Aug 2021 00:21:56 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=1SUwqIAtgVwTvQrlM69Hzfm7S6Uke8xbxje+kqS8kPU=; b=nA/u5NmNqoW12EyoSML+JdjOHhMoV/8Yg4+ZLjdFGOTtzvTcwrbwuomK4a8b2sfSIfOn 4qtvS1GInjT+3r4vHCuu/lqr3NxRnZwa2HII+sbR7cRRHvwRvgndIUjDgyMhSYn/NqQw LRziOI0tGqiLBlXJw8N6jBsi7uhETVptDfy4JIE6k4HE8bsQ+oag1dC0XEw+X3TAatyx CLKLkNhCWm/H2Q1HrJBz0+ZHTPEz6qnyhv7YjxTxrTEmtkyHB/NY/pE80RSMG10xQKLc GueGhjm6XIOxFYpJcxtJtqTQ+uKPGPiUihT4/saU+F2Onu1Hx7BkKqjDbxxhxFC6UuUD Zg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=1SUwqIAtgVwTvQrlM69Hzfm7S6Uke8xbxje+kqS8kPU=; b=xYGJT14nHo6dvBK3/47/T7eBqSgupCy3ReBncgDhRTCteRMKQdJWNCjeYvXQTNePy6Er goIlxXISy8tzan7BVweudCrt/ErvkFXak9gxw/GKkKH+uVvHFt0s0dzc7GqcbQcYRW4f N2I55fw+86PVEtDH2WpkMUP34paw6Jna2vSXFshmkv9TOKCb/34cxnBUqloOuaaiWJA0 0m4LshlPMDe89URxnG7sRP5PAceHlOxgNfWstVn5trqrafkToR1/NurUkEzcxLQhraD6 vQ8wyFZxEpgbhcAD5fV5QAfu0UCknLkHLyxHY3piOdgY4U4M09lW50Nqb28/UGxGCvOz Zw== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3age7dc321-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:55 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0ExVq007566; Thu, 19 Aug 2021 00:21:54 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2177.outbound.protection.outlook.com [104.47.59.177]) by aserp3030.oracle.com with ESMTP id 3ae3vjf8mj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:54 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MUBSt4xejlo/AUXDIZcbgAj61E0x8+JaGvpa3pwbwR2imYhDkG8wFVsA9o6KIven8AmUDET6BOGCXiPXEjouQ3+xHeslinZtbYLcIoMPLVfxhtDTtRSD99QyT2Sbs94ZVRuTehEgJl00ZFl2SdmsvVrtKlX/UDSPO5cI1G6jj0ZGqMfNu18rOsZwpqMa2B6uDnkfI0tblrvhgG14E1B9lRVM+7sejximFzTJynFyr8lgy7CVk/AK8w6029vL9OeItZRYD5kwvuPv+j+CRBxvNBSjrjX61NBr/lc5Hw7ZIdDJOGu1OAr4+mVv3YR8+Ov4XteAGStTEebqVjKhwZ9jQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1SUwqIAtgVwTvQrlM69Hzfm7S6Uke8xbxje+kqS8kPU=; b=DMvbhQGUllicqupUvToc2ZHcj1e2a4++iMdtI+saxk/19THboH7OGbeRMyMiGguc3EK6vJsAZgeJJg1dxlun00y/FlLVxKHqzDDuPi3+lpwk+4dy7OBh62/XEVlCMrZE39Wbx46R34K1PBlJmXAfLKkm2jCyP/Qw1g11e8uf0qTOIplB9vuTjd0vESf6RtegWMJKQUcmgZ8seMINr8z37pBQ1ihrVCZ+gIFivvoKf8u7Hp4VThE9B7kKSUHUfJrc8cTpo0ho+w/K3CAUO7+jU1xjca9Dh72wf2dSC9ck8bvjb3JSynOWhxzqXJsGMBG2Ac9/iKiUWLCm2h1B+bqkuw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1SUwqIAtgVwTvQrlM69Hzfm7S6Uke8xbxje+kqS8kPU=; b=qFEJoDOM/RyHQaAXubg8pgy11NJe3bsCHwzJnkF6bOPZAKPjcCODSwFdVQOtK3fRsrHGkzkJ4zV70gckWPkx3DDfLWKEj0GPGiHWey/EE1E94lePiRvDmOezshW4qCV6iuyOqpSgUmWJO9VAUcexCcaleHpVYyTMFbfgnYBEags= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:53 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:52 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 10/12] integrity: store reference to mok keyring Date: Wed, 18 Aug 2021 20:21:07 -0400 Message-Id: <20210819002109.534600-11-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:50 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f7bd81f9-5ff1-4039-9217-08d962a75813 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6790; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 0BXPHTwZYhbrWyZmckKXyhGNCXa2DbXWr2GToR5DskppfMNekPFoUi9m1HyLN8hUucIKbwcWkh+yu8MZjeDyVCezvqyO8F4r2znEtVtZoQCkIpuFxF5l/sdWwGpzMMtaZx9rDmcUc/P1NmPwITPXSMae2oY6os7VDoYAfUTFJfYCFyOhIGucSFe6uJcJXiNtj7PeFucBdKoYepB/suvzOOgDjf+U9rFvqsmQl3O7RyPsTdFw6qb1+HA3rQ2miqqAsCFZszeugMnEUuuUeygkx+OcP1F7TsFcAeBnv5ghGCoipmSZmO2cvI0RjxwfusZv7HOZrrK0btyYHhgogqjceqy1phb/00xMiM1bfx02G91ZzLht1KQxbPPYpccAnJZcmEpuvlZXbwei1MwIZdEXLSc6rRo7SrzvLhlXRohowjKCb6aCYiYMVUR4/WTpwHUPAr7mxnq2ecdy6mrmrvE0gx+9OZ1khB1l1AGLoPAf0O5l/2SGNQXsWbyv2FLmecoFGNvNtUtV+vI3n9a6e3kufnTIsH7RP8RufmSx4ppExO0Tem6UWSUxH78bXJVzxV2X/60ji33Q1SC5CiBSrnxiINQJ2fxvaw4g6nxAOwDJDbmL4uMiuU/BXsy16rA+PE0OorUpbGdUdmfWutweooEAkT69XiWH0S0EbOT1tqLssbfDSC6S+IQCx/IrjbYoZfe2JVzpU5QBH0fh+s0rUU6I/kdMXlM+8jwRWr7iDgyaGWE= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(4744005)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 8HF3MFYznd6mfx+VmipAK6GO4cyU6jGmV4wjXq605iY5IJ04+m1txI+cJu8/o1CtPmcVfix8eu31f95pHfx9ExqIQkp/TttYs9pPvOle8EA1c6F/xijK+jilAGxCtW7F/8k9oi7Rqlsn/PnazjZ11WY3lvWkEATr8h7DewKJ7KoVP+aBQ3MYWaKTkqY+M+VtxHBH6vAK+2wLqU2SvdVrrbkmXnbmMCkxEmZ2FZKsBo2+0BoDWxWK+jaVe3nlJDYq+1G4iIM0Q8xvj4CrmUUkoahQD2t6d/vGQ3rSIXu173SV1X6fJFR+VIDZv0cYXPjECp8dKhSjVUwetY1VUhs/Q4hI6ZiEFslfPUne3wr2NUI8+R6087iAAFJCVlhzHmSOyAwQPoxSaDbSYFsRd3IasEFUsofCiqOLI25tiVTNSABgk8gdE9HYMAbN8e0l3QiEbmK/6qUuar/GEHchgRNF811Ep+kXkoJjQ+R/6K6g6f0LRamhbmVwg03aLb1IP5E/YAxBw2rdIJIMHRedS55FnM/ssK9EKt7w3WLQBmMvcM14pqtgsvjV31KaLhOzTmN+Wp2HFGU2WxaSTw/6oOx7DGmy7PIajPzCqbiQEyyPRrz1JA7GtQkBAvvyfsLExAp/FfNxMXzqoEg3A79fX7PbZHRThRNVdlo2LrAV7tG604j2g/6j5gXrnGdkGixOgfvhCRDJlDcnZQ+4aHhez+SUQPyJC1w6bEXdyylSkLcYtiWeswKnVlxp/kFg5+is0yQA0/ubcbAXnZRecVSaWzO0g3/47x0EU/olSky90JjnmgWiE8Y3w7hJ38qwuNUociqj8rkcyJ0kVo2RZpS4sFPuSN9pQbiPR8KpzSnVkQS1DO5QAVSXiCQmpXV9TziuhWppTRXEWD1la+zvZc1MMB+9a0vBu75ro2a3UYe7Y6kk4WEEENYaTnxUaAq+VBzcp3xwua/nFM9c/RLg7uCZ76kWyEuLoMjY7Gc4CCIRHmkp6u/2BvH0vB0wP8SixqzzdMCCQcuBWi2FeQ57BgIqmmUHoqCz7bbmARo/rLJL5FEqciPcyqWDMPeiAXk0j0TAR0lNKy6J6JTXINY+STU25wCPJZxXLMU0T18n67/yWSune1QVXtVgqp1bBtbeVW7gZfWPEMdO0zwJEgEptb3L2ceYMv5bRN1aG3juOIELgNc0IbpaplQLD8SqGp8X+XVH+sNVPuaqifm64juUEw9j8tYkkEVAQAsjey9kv/tUPzkPPAkmKTaJbpXNAwSG7gyGdGHLc3F55yKb4OWhhKXFgZ0hIIsf/xKs5Fn68RFwhyZSwx3YSwktfVh2DF7y4eW6MRjN X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: f7bd81f9-5ff1-4039-9217-08d962a75813 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:52.8713 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: GoqZ4tRsgaY7isume06RTeLPnKzJWcpIKHdtytJElYQrxaNdfug0a4ixqJdU/R6bzUu5wuUzkaXMiUzceer1mpagpJaJ5dV4E4PYseDm2HE= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 spamscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: hSn5lnQetJ5Dewd23aCiHP_NhKXs1w9_ X-Proofpoint-ORIG-GUID: hSn5lnQetJ5Dewd23aCiHP_NhKXs1w9_ Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Store a reference to the mok keyring in system keyring code. The system keyring code needs this to complete the keyring link to to mok keyring. Signed-off-by: Eric Snowberg --- v2: Initial version v3: Unmodified from v2 v4: Removed trust_moklist check --- security/integrity/digsig.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index a93d558b795b..0f14ffef9c43 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -116,6 +116,8 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_MOK) + set_mok_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); } From patchwork Thu Aug 19 00:21:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 499855 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A54BC4320E for ; Thu, 19 Aug 2021 00:22:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 88B6D610E8 for ; Thu, 19 Aug 2021 00:22:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235531AbhHSAXM (ORCPT ); Wed, 18 Aug 2021 20:23:12 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:13082 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235320AbhHSAWy (ORCPT ); Wed, 18 Aug 2021 20:22:54 -0400 Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0H5TJ000821; Thu, 19 Aug 2021 00:21:59 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=Q8zi09uI7QI1gkaI7EQikB/FMskiYWbFQjQxjvGC3fA=; b=dLC3Ps5KE4fwrKIWSxoI0lLhbekiKSz12n4TlZ/YtTz5L3xppWQxW4yAqeqs3X6CuMD6 eunVsxEOs/qRpBV01oyFmJJ28NG73EVwG4YVETa7yNSOImjpvS0sNW/kmler123JCgE0 RIqTplK4ayC6nTI8Xs8V0rTFFjK3k71shB9JHjQ4wVaLzerfVoAACYA+mvj7H7tjkjRV Au/WGcYfdTeEcH8nfd4mmjUOSlBgAnHXFd5LBRciW1n0b/Cdn70H2eEeB3pZtTuEhfSB 1BjQHGahkMcMtPH6cohmIAh/N2ClOtPgXKuglGE0tbZotEHTXh6AtRTGZL40au9XyRPP bw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=Q8zi09uI7QI1gkaI7EQikB/FMskiYWbFQjQxjvGC3fA=; b=vVeHBfa/iQFSwnRo2uAKQmkCsg6h9MK1mNUfE31Nk78PmkzzdDhgp/RZWTNxE6t2hp7B 0p1DFlhImx69rSao74uufdVqy97IYb9pdXMhtSjvHtONxzrq/weqz/rNJ5zzSBOY/xJs bFuQyeyyPKfrvIKEcaGJ2rtYF11HGP+b0ANDSAJdKR38rU4oWO2984iIf6t1Lre5K4oS iSKDWdXfQ8/1CJQ0faIu2Gxtdcrre9UdSqoWgxxTECOYjqmTfT4z8KVIebU9tTsc4Gpb 5BAhiSKgrZAZWhr1Bf85ff1Uv36Kr1v3j/jxetTD42/UB9EYqIGkInecJqfONvV7vOLj Ig== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3agdnf4dmy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:59 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0FBgh040857; Thu, 19 Aug 2021 00:21:58 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2172.outbound.protection.outlook.com [104.47.59.172]) by userp3030.oracle.com with ESMTP id 3ae2y394jq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:21:57 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HwUsr++xdJqQ/K/Lg432Xr8IyzPDCOEmylarbSLk8AJgB+5/4I77blaPUSDhznq3QmfyQvxLa2OHZejlchyuVW3iQOY4yAr1ByZ383I0d6BgNFfT3vmbzEwNBZ6DGuktS0GJpDx781uj/VHAnpwO5aCSKHzXU5hlmTHbKC5M+4b2aSDmOhpbelnosRcVBxyehhOxnER5tc0K5u9ObVRQl11zw6HnXGOJS1hLKZbiKcf3tsZMD0V4LZ8xGaDc28UZgoQB64OSP7YhDEPgxt5V61G+zqy2HRBLu3FGgcNa+NRAnq+dGG2o/X5a8FCR1k3q9kLDHGhH+RGPN7thp6PmWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q8zi09uI7QI1gkaI7EQikB/FMskiYWbFQjQxjvGC3fA=; b=Tc5mj+yIR6hPkuc411q+DhdSpfvThIimqiJZatIeCtkeBZX7Wsn41fZzImi0gBX2i+p88ZS7Sev1T1rjUHXwOSLRToB+29HsUxcwsYtkOqYmcRindgbHrMO2App6tamavn+rgyqZjtpFjwv8+HLL4gnzwe7v3Fc08nHcVfT+wsZX/pZj1e4R/ZAeDjAZsOA7xrljwg/Ey/WGP7Wgp+/9RPsQu3e2XyIywcCy4pd0nZdyeNnSzuyt8OShaId2CVYT2xWRptSSEKhmSbLwJ17tX5/+l4y17MkQOXF9koQ2/6stdDJidEVHqXOrkcpE1HQo8oE6Lc4E6PuSiyi5lT3N6g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q8zi09uI7QI1gkaI7EQikB/FMskiYWbFQjQxjvGC3fA=; b=U9Zsazx8eq2CgogAfp7i+5XnoMUIlTxLgaJ06tv0klD5X2ryJa2gTNlwylX5jQ9tO3A88aL7oFlBDacdRwUhZbcodwsrvS4JXe6do93RlqApBMJyE+ewLPhRGMes7THymh+lDx0qW6c8F15fqb0hrTm9tYEM3Yb4BrrKbad6z5E= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:55 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:55 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 11/12] integrity: Trust MOK keys if MokListTrustedRT found Date: Wed, 18 Aug 2021 20:21:08 -0400 Message-Id: <20210819002109.534600-12-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:53 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 94dd7d35-47d8-4f3e-b58a-08d962a759b1 X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: VMnm92QF2B26tbqufBy39HtbaDxCJqSJRZvw9SE4zskOHKBRvOU3OzysqhdQW4rtmL9Aif5NVIwwWWiHvvd6w2D98W20ulQzQdijUPwUJYdMM8CRXLD7btk/DU6Y2AJUR6MJfl0b7yf7TT7F5ugmFi7RCuhFarm7AC2VCu9xEnpJABguNxNdBNYYrh0o5owgnOFeGR8cAD+s3o4vCZgKO0V+cjgHd3voZX6+jkxMozynpWBZVSho+CgKEU+K4qUlJ14bMvEPSMTZJeKxvACJso3r+uFK/FUoGRKe+lfbe0efu8aPEE23pBVW/hlhbIX7pY9segdbeNujKUzJ78yrpAH3H+Cgrt9V5/nKa6VX4xvYg+OTTQCcJjIfr7QmFcTugCvNossP4J6sAWPYppOgJ5oOvPv3hN+fUcY67BEVagBxI1huknKQXLKBqvbKvOy+Ox7TXp4dxoGa01gSjTKooU9UZjEHto3FQITz0OAVL4mij7Pgmnbh0cLnACMXx8EV24dMq0V3y/RiTblaHlJgKc1oqFMmtm1x251kk8DrLJC1ox2AHzipS9Ht6nX2EVm1lojr7ZkAdqDR02DLFc0lhvNPJqkxWPymABwVJylfEhTKB/wTJNX00SO9EHDc9/4nHAuLsZY1WsNk5au2RQWpQCVtKugcsmywwiY4C3/8Avwge/XrHdSYO5y4EFa9Q2DYhEQKW6XXk+lN6D7ULGTsEHc4BqduuHQUFwLn0TKxl6Y= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: q/xUSUDTcXWsrr8v0GJABUUpfoBZQkanUsn3v4gaJLsLnagKhVegGo4WRDrW3vR6Bfri+5SVTdaT2hqPJaTSDy5RJSxvGxD8+oN1KZzsltSuObGidibRp2/YYHFGXhNR/BhbehM+Kh1Itf4C8rW0/P6xuFmTuyknZ7O9QswdE4YXrwYfq/lhdoKv8Rik1W7ZNIqp3fz2kG+dm1FKt/8E8lgxu0Vr0f6X/AYKABXsTZEl9Ly/g6TjXUSIAyOwRvfK0ABtXrj6qb7Nud6BsivHjWnBTnBtxyRnioQUOxOg1nFiKJhLLDayPzCVRCYqZcxaFhCyKyu7lS4qw7I86kOPWqeGWHdTMw8Mwk7ba3ciMKbxZHY60KpWufHJcaDNBS6PptEPPlP5NHrXhQOeiIxiTNNAY6SzsrlB1skzEHfnQCQkJk6Pbxo1H0y3XLhLY67HhK7uKAhkbPRh22I2drKULXDKoNUjIx1OEY07PeHqbvDjqsu9T421yL0L8gk/bMrVbodxgI+5IVMVelw3daHuwy8ukThR4mstwRZlswrhDe3uAJuCc8v0mqTHhmCUkOncTL+Fs+sQoh6mC578S6oXkXHUA55YwbpWFsfLIfS+3p6NcRPKGJkBvpxkpLl3PGaLn6WAreAxvjjXw2AAP+tFenkJHb1lPjIeaRdFpKyTFM2hxXeEhEIaZh1/y/rA2c0u4XrC3fhXslBkqwa1quCJzhg5nG7EicixN2yQjt5hVxxtTXJ0tvkCiYr+Wjp7DJGEz+HMr+HqBKz/IeaNa440U/NRBxCHIhOsLrG9ue6dkpKDtQkKC8uIdOxuIM28Qq67OlyiZGyRIwOxxqNaDRgLqLsxkozzZiqy5JMgJSkWq2OHryzbrmwFu3+2hcxSQyzZujJ3hq6ebieqlKmmLRS7pq9vTdwIRLXSLTQ3qmR00aL6yxdcrwel7HSHmla2xT+PfNhepR/IIVSDVUbLoiZVBgWyRwBYbS7GH/1dod5wvh6kQOI3KATbzI3ngUm9WYedvluPcUyZDIdu8+dro9mKTOa7s1VC92QTnQtAk+GHcD0FVkCtSNZQXI0Isfsk/KAoACEK6oKDS6UjOOgf+RLXHQRizvamUQ7RpdSeYcMB2SbUV9JLrGBdnE8VBJEjY2j0eLEJWzzdpCgRzWxxtv4OwWOcO35yqX8akBlxq/9KXHzdU2lNq4utGuRlZ/B+GBw1D0nouL3e2AF46tYKqIPfPn88I/3EPnXnJuyQo3G6R/zLXNvFFB1t0sU8egVT70kNxa8XqZWP8ecpHZS7zHPb4FC+CbGpfT8urlqWhvNCyIXmuuSfOFoSOXLKjTPHfh64 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 94dd7d35-47d8-4f3e-b58a-08d962a759b1 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:55.6302 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 8gpm0Vmt853yjml4wKo5R1mqs1Q20ACmBnTXU4vjFBK/XQKqGQggS53Wq6cS6CSPciQOpgOmXYCUuW/fF8hH15QAW4QXhqx8hOD/CI0Kv1E= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: 8xD-RxrdYbg5AJmQ0HUZrpcd3M2GFAue X-Proofpoint-ORIG-GUID: 8xD-RxrdYbg5AJmQ0HUZrpcd3M2GFAue Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim. When this UEFI variable is set, it indicates the end-user has made the decision themself that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel. MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set. Therefore, this can not be defeated by simply creating a MokListTrustedRT variable from Linux, the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_mok_keys to return false. Signed-off-by: Eric Snowberg --- v1: Initial version v2: Removed mok_keyring_trust_setup function v4: Unmodified from v2 --- .../integrity/platform_certs/mok_keyring.c | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index bcd9ac78ce3b..bcfab894a9dc 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -5,6 +5,7 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" static __init int mok_keyring_init(void) @@ -40,3 +41,29 @@ void __init add_to_mok_keyring(const char *source, const void *data, size_t len) if (rc) pr_info("Error adding keys to mok keyring %s\n", source); } + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the kernel. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. + */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +} From patchwork Thu Aug 19 00:21:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 500517 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A1E4C432BE for ; Thu, 19 Aug 2021 00:25:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4B0DB610E5 for ; Thu, 19 Aug 2021 00:25:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235150AbhHSA0F (ORCPT ); Wed, 18 Aug 2021 20:26:05 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:30906 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234885AbhHSA0D (ORCPT ); Wed, 18 Aug 2021 20:26:03 -0400 Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17J0H5bp000812; Thu, 19 Aug 2021 00:22:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=2PJXkU1Y/Q24V+ECHBvDEgrn+MvquS6EKmsdYwwVkV4=; b=vm8rtFTerNXq2HM4ESfHYtIhFnNT+lWLHL3tcmKmIddNO/4kF/ocxqeCdiIvFZaw50TG 0UwojLlLyB1K3i5dLUd6RxukT/1vsuHJ+AiuNSRe0E8Wv4n2zjmhkJ0RByR7i9ngitO9 ZmLqv28r7yK6aKttuGftmL6P5meDfJpQVF26pQ0EgooZJ9Q13VhPQ5xXhZ8VVNTQ+ZL7 zymZsar5Kj4t+16/Fpb4r9bGIi1eAE3NAWTFot2m/20ztY/Nv7H3nO0nrffS34cCkqNN r96yWxkle7fTMbK/xpA4tZimdSXfi22ysB2OonHEYG9AmRmW+hXMahChCBO1PyLCX+fC Rg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=2PJXkU1Y/Q24V+ECHBvDEgrn+MvquS6EKmsdYwwVkV4=; b=gx7zeQ1zevpgK8caIiNenacg+q/0Lsidh6RyKNXqa4ipLGWDWW54wQR4fL0VzJxMddgH EwEA3kwVqgMSKsh0rkLq5D3vJeML/PUBqGd82ry8qLS5TFD2WOUv7vnrgKX9dNtUox7e y3FM7KMvhxh6oQ7tMd9jwHwcvEuyZ2BMwXbRcrvy4KGpILi6XcUiiWMtT3RgV8WVAibo 9wCNMkBBKdcBVruyAuajps+azCTjCvr54IhBSEgxvhIe3fb6pChUlrY22Vqkio/DXFp5 SATI+WUlUXvMhAjB8lhLxxLPsiFLXWO2ENq52/i/OunpHRkcIK3mVstq9klTJCDk9f46 LQ== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3agdnf4dn4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:22:01 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17J0Exbg007560; Thu, 19 Aug 2021 00:22:00 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2176.outbound.protection.outlook.com [104.47.59.176]) by aserp3030.oracle.com with ESMTP id 3ae3vjf8rn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 19 Aug 2021 00:22:00 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PU3TrF3P9oJsziGwKZNQsPKACWKcrMiRxoR+HLv2l7bzwQg5VEbRkI3rdJsP4MbP8+sYsw0aPZIfbHP0KmVyzb6w9+0iywU2jtsPWiTI6pSjPPnxXs9JEH4i0Teyf3jtWeQe5rVbYMVnQDxxRU1ZIYPVjPZB884/L5D0co64/MmW6ty3oHmeVf22GX4CgTb5iC5vss2nWZ8K4MuT7BNgKnxYFYzi+Wx63rDfhkVEMi7UGl2LAmkHtTpzmkdWCaRb927P81KAMTi2+hB+IZmVhJgi3O/tlbIlMqX7jdPEmz+nWYshr3+NOcdkOVV93yckbvvo2250Qe2szDSZOd7UtA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2PJXkU1Y/Q24V+ECHBvDEgrn+MvquS6EKmsdYwwVkV4=; b=F7H+AYNnmfdVWVQbOGDpF4l9vpOiw4kesGHH0veehi/IRgPqI06cp7QoxpnNpN0AXlZpqGEQYB5tN09GgC1vZ2DgNw9nqgrGRsBLxnCWpZsXEfGpKXI5iJbesrOb2AzSME0N2mK+M9Ne72AcBSAc8sj2b6xEELMJCN5SGRDcms8XalcueCeCyHWeQ414w552RFYnG66l9QDVQljhbw9QA99IPyJDHw7b+IcLvvEFxObuTDs4EvRR1ARN5ksU0rHVokaFBb/LN7cczuY1gLlgo2nBeisrpcghLwhfIofK/fbnM2iBAAW2p/sAwWZnmMv6LezoxXnNEEMz1IHvXPSVXg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2PJXkU1Y/Q24V+ECHBvDEgrn+MvquS6EKmsdYwwVkV4=; b=zUosXViWkeY8zuKcC63AU019vZ0hMZ7lfwz7jKtqWLAjCkQvJvR153U9A4bvrogS1sBFBZIugmW/O3IUDXYGHKfq8eCoVG7YtQT6mQ6IAw0aVCdH5+kHHZHOj0rgqYGpAARCevEccF5JFt1k32CPJ/5LjGMXnL2mBXBN7BRvjUk= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH0PR10MB5116.namprd10.prod.outlook.com (2603:10b6:610:d9::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 19 Aug 2021 00:21:58 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4415.024; Thu, 19 Aug 2021 00:21:58 +0000 From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v4 12/12] integrity: Only use mok keyring when uefi_check_trust_mok_keys is true Date: Wed, 18 Aug 2021 20:21:09 -0400 Message-Id: <20210819002109.534600-13-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210819002109.534600-1-eric.snowberg@oracle.com> References: <20210819002109.534600-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.4) by SN4PR0401CA0025.namprd04.prod.outlook.com (2603:10b6:803:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.19 via Frontend Transport; Thu, 19 Aug 2021 00:21:55 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: fe690262-425a-4a03-bc68-08d962a75b5e X-MS-TrafficTypeDiagnostic: CH0PR10MB5116: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:5516; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: xQroZiACK2JTqF3CeNJ6IHyCVkoqAt06oISfuBK6AC6doDZya18AV4ihqpiFjMLdI0JvWCmXXIVEPakiswSYqFlzliw23elIEGX3OeMYo8Xb/GJrfeuVQs2WWbD7VjXOhGUXnI/Om1/tp6VtR21NrjCI4fDrET8trnJ6UPSkJQBBBnIJ5+SbZ/XIt3dzzPvf4ke3s869FGvxd0djhvjZJ/hQSE0LNNOh/btcFZdKfS3ai2XBqYU7CRfXwhNfn8MLcN+Jg25nKLGWZSmuabKEFaEgicpuCv69N3x1GGSWSK3qS4bacvluH4XLLuJqOGexBPJTa8Tr6QGcwfv49QwnhEc3Zaie+16lesJMos0yHdWWJnBoXtCDPEgaPDew9OcSMFowQgZ++BCYJlYYL/n/Zn9KEGZF3f1ekzlqUQI4nMbgOBKVcdK3JbxJ5jiHv3AeoVSZn6yes7IxyFIfoR1aClOmjj/fr/ntN1GWWlHYt57MkOxKmyQ9IVA+043DvJ0Z0Jql3LwtB1v8gypK3Zm9ne4OoxAPBYJgE6Oabqz/h3RTBMD0zosL/dP3qNYDr1JSuNKZO5nztJM8CqtSKfdG2+RuwX/FBMnVBw3JJRHqeshr6zEGaYILQBf1raqzpq4OjLY2j/IQRs7AGaHzvqiPGUaEpTIwxS1GFHOIMQrldS9MVYROgmveLivWeip2G2dXmXIZxkQ9Ydhu3SgKworfkIz6Is7vjpCYFL/7ohWppP8= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(346002)(39860400002)(366004)(396003)(376002)(5660300002)(478600001)(6666004)(6486002)(66556008)(66476007)(83380400001)(86362001)(316002)(956004)(2616005)(38350700002)(66946007)(186003)(107886003)(38100700002)(52116002)(44832011)(7696005)(2906002)(26005)(36756003)(7416002)(921005)(8676002)(4326008)(1076003)(8936002); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: qSgrN2G+f8nwQzDoummF/tb+x/wH0xeJwoIn70qb7r3xe9AIeJQd51bIsgotUR6dH+LE2J9SZMRtTVgszAu4uzr8NF1v/O5+9fSamJiMR+WbmvK980dKjnn/iyEXb5OoVYD9gsedu/VgMsOzGRxc3oPAkJJPzBg621dxnLi3lFjOoXVC8r8l6Zigv5RGK/EBlrbJqO5Flg2KmcAJk3yhQDn7YjnlGvmp0mjAMrNtOHBhBL1UBX7x3O4Ka9nqkcKV4GIudgmbKS8DWYmL8EsSduMfWoNQRp7706IP51+TUEaOtUyWflZHgMvCgyDpIvz/EZkNQlZi/Ayx2wYeryIuMMK6kNAcaA3ZxpRKkTLzrDWg0wCjb2PkOqddZO3tWwRmp30fewo0fXaNpQtOfTmWmsg69FMxDz62pueWIiPp9XhOJDruOw7HR4m6usX0V697mtuMmB+IxKUYwR03FAg9V1EMjwAcGEUPuCm59Y/sXodqYtCLR6bTG4th0wJJJpvfIIV0suHI7iSrT8yVkQW0G00Co/VfH7RCBODNKPPFEL2Noe/Uj/bMChs8S+isv9nxnYwJyT26myYW6uvrEM+TwnUZDLPTkFSM9Wfvw18MCriLkFQQS0M1+c49/5+JeO3D3Hn+Um62AJTtAsjeYJNbpHff4HFWltsc5OHOKL4FQRYdASzDLEVO6YV73+GuCuoVZ/E9x7Ikqmp66aJsrpu22OBSnlTvZwLg54HkYNeVZMekSDmflHkab/jsle6K+Jz6J6iTQxAz5SrzasJWMDdqh2IXGN9u2v7OLR0Gs2e6vYgMCmdrIOXpx3HuESpc7dt5Y2lQq0wLpN0FNgOt1//HECnGNBAIVGOige3qTAvJMcN27sThsWo9g4ARLdTkGsz7ba1s088m3A9Vn2pq7vR6L5g6hA5h3+larSVjfvWQ35++BHSz/rxixyRIfnoRuqPUC8RQq/v0AkfHbRiV38KhMc6a/iIly0M/9mZr5ZR+8u4BHqmypOJoWfYYgJLZ9y34X1XjOLvYA8NuJXFI5W4xowCibrLs/ALtK6O/2mNVHJasjZIQE74x96dowF5SUE0bl081nQ5Iee/ydC/qO6sRaFjm+LUXuAXM0JFPDdC3vBjifbmG/4HlAxdIM+8NGqVxJHl/vLSA16dUxeoNAmWZ3WaEGORHPN60g/poF+aDUxbvjmfWshIg7+mC0hj1nHN0WZbB0pMLMQqd+01Cdq2DfbWn+khwwlvhoJnEIblepJ+QgkrKkM+945/HfvTLi0/kjV7A6La/xU2gHJsasJu10daAE2KRzc37woZ1BB3FIkihzKrp6v+74rE3grey/+PA X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: fe690262-425a-4a03-bc68-08d962a75b5e X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Aug 2021 00:21:58.4469 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: XbhlwtzHnSsO3IHDasEpmNZKXfEHGIWxeFjC8xyAF+cf8MHjotN/MReGZzqTSfQZJk0xAD2F4zRNIscJZ92Q03z8LbPyEXN0aD9ceQPL6A0= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5116 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10080 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 malwarescore=0 mlxlogscore=999 spamscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108190000 X-Proofpoint-GUID: tswGBWOpeM21cxCuussnMHYJMnPApMQ6 X-Proofpoint-ORIG-GUID: tswGBWOpeM21cxCuussnMHYJMnPApMQ6 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org With the introduction of uefi_check_trust_mok_keys, it signifies the end- user wants to trust the mok keyring as trusted keys. If they have chosen to trust the mok keyring, load the qualifying keys into it during boot, then link it to the secondary keyring . If the user has not chosen to trust the mok keyring, it will be empty and not linked to the secondary keyring. Signed-off-by: Eric Snowberg --- v4: Initial version --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++++ .../integrity/platform_certs/keyring_handler.c | 2 +- security/integrity/platform_certs/mok_keyring.c | 16 ++++++++++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 0f14ffef9c43..fd255e5b6293 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -116,7 +116,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MOK) + if (id == INTEGRITY_KEYRING_MOK && trust_moklist()) set_mok_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index be56ba49dc19..57683fdea2af 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MOK_KEYRING void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index fc4ad85d9223..471bf103b444 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -82,7 +82,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MOK_KEYRING)) + if (IS_ENABLED(CONFIG_INTEGRITY_MOK_KEYRING) && trust_moklist()) return add_to_mok_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index bcfab894a9dc..3dbb6d17e17d 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -8,6 +8,8 @@ #include #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc; @@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +}