From patchwork Wed Dec 14 00:33:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 633966 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80783C4167B for ; Wed, 14 Dec 2022 00:34:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237753AbiLNAec (ORCPT ); Tue, 13 Dec 2022 19:34:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237741AbiLNAeb (ORCPT ); Tue, 13 Dec 2022 19:34:31 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C47E1D66C; Tue, 13 Dec 2022 16:34:30 -0800 (PST) Received: from pps.filterd (m0333521.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BDLOC2F017254; Wed, 14 Dec 2022 00:34:04 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=8W/vlhZb4o/bmF4homKSxi+DQTBL/EgQDy5hpmLy634=; b=kEzPBqlSeJ8p4QZs9qLxhspdgWTwXYfVKF/NlG7+09JcFZZ4Hsy6FlOp4qhmjP6oX7I6 cQ/JXKfhfht02KsWk3d+lZ3XCBdHmfOyN/HUr+lzNMCh86afc9gUbyTSB4rPuSybIDT3 lfiqsW9ecwhxZsytXqMjw4GjDkpPc5yKCuJQ5K6Iz97XKemI+rvjOnAiTF8+XFxRlT+o 2Zu2IyDLU49jsGI3KSwB1nXMWU/FVGx3LSpG8aOhfN409s8/stn6G+jZW/DBYBuaxPXG 0SgOyVeo4bTHkx+ph2GciKShVOHh8bXC3CNM4ZYPJRc33HT336J0JlAqR5Djy/uWz67x 3A== Received: from iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta01.appoci.oracle.com [130.35.100.223]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3meyex0p17-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:04 +0000 Received: from pps.filterd (iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2BE0067I012240; Wed, 14 Dec 2022 00:34:03 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2169.outbound.protection.outlook.com [104.47.58.169]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3meyev4set-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:02 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FrVrUPTX7YDJoOVyb5BI7IdlGvOCzGM1CHEbMdNrY10LJYJhjGv86xloMZBKEytWbIWwCSQ8YuM5+A8qhkJyt+ZNQfswwQPYP8Hbf21/3FcLC5fgynqQQUCEB5TygpRRGvSui31I0ipBXOaTeLtWwQsJCxVUUosoUi+JwdYY/Ea/RE3qfYzs3bgDOyclHfWy228gCWAMJn4PrMXUc6UH8545oGhMifZEvYKv5YasS5tbA28YouHf7pAmkMMAHkKeVuJDIe2GIeoMgIwdm6n58c/gQB2BXvW3zvZ2al7ahOZhKKZA0EIFf6QPJ/YrD7gmv9I/YYMcbnCPIzH2UCRHBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8W/vlhZb4o/bmF4homKSxi+DQTBL/EgQDy5hpmLy634=; b=mWM5qso4kZF6mFzfk12H/JYKXSizLkYCG2t9aUIrk382vonzBRZVMAJoPpYaCJKb/LGXC2AAsl50ZwiBoaOPa/7j2Pda4UnCDZ6NYzMM2xX8pv9Wk4kY+CPOFWHTsVTSrKOFKC9UwE0npemc4x4yMff+kazdj/lbvdeyZTSyzesc1yZmianqG59p60Nz3726ajtlwGQCnjzhtQ6amliaNvBEOQBa73JPhZB4NE9xYQdhqDdrNXI8Serb5NuAe7AqMmIwemv5rkWHMmpxUy74tAIUb0CgPPqLOIlGlHbZJqsAm+D4w35js7FlA3nVC3grETtLaLZx9k0Is1Xz5JiE2w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8W/vlhZb4o/bmF4homKSxi+DQTBL/EgQDy5hpmLy634=; b=zlPhtcxt/DiquEf3dTGWgEjB0Tm8RU5RM2Gp54uVqMlOp6F9nUF/os9gznYa+txK4hALIoN5bhOGt1EORDqrPLwaY6CtXcXPmRXNOR+L6AmIQjsxRdy2Tszn7O3hnbkw+5RaOEUvGd6LwrKVwwjdnu6fjS42+2DLg9Mx+6QG8gc= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by BN0PR10MB5223.namprd10.prod.outlook.com (2603:10b6:408:12a::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Wed, 14 Dec 2022 00:34:01 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.019; Wed, 14 Dec 2022 00:34:01 +0000 From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 01/10] KEYS: Create static version of public_key_verify_signature Date: Tue, 13 Dec 2022 19:33:52 -0500 Message-Id: <20221214003401.4086781-2-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com> References: <20221214003401.4086781-1-eric.snowberg@oracle.com> X-ClientProxiedBy: DS7PR06CA0033.namprd06.prod.outlook.com (2603:10b6:8:54::15) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|BN0PR10MB5223:EE_ X-MS-Office365-Filtering-Correlation-Id: 26569603-dbaf-4782-671d-08dadd6ae56a X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: KxSOWh1XVpR9WI7LholYkmzojdnr9/IBy4xaxoySOBBPD1jS2KjA3qXhjgYzNzME1X2JBv39Fixd0x2Ck9gLUP6vXnQ6usPz7Bxt49fF5QPRT3pY4ptyFNJOmzkzzpcByFaHx99oQGRoNdUq0v/MjA6FZ3FGF0hAORqR3lwrbdLOec/9M391E+QdZCebONYNtr44X80XrFYVkvYhaoU5Gn1+97Ls+0UtxRdjdBSl3IwSkpPrWv9Ds0o+K1UblzBQchxynO8bJGNzcqqUn5pGrs37M1R55LNo85Rl/rTd8UC0lFRUGq4pfKZO4O2+B/wIANSGq27z4jtqCauKGUxBz84fa9ZoR9IIffXWMhxLzlz1Jpi4JDXVYDr9Y0C5YOt2qJ5+1AJjISCry5GPfLw6KdFrmvYCdHix64pW50NfGnfqoeWjvbYOrADJmYEobwlBfozStbNz+iDE+c7bgdC2Fbu6UjzxjoF+etCRT/Fdbtf3TcmGpUwrmyKbcSMJAPN4Vmb9g3GQaMNT8RWfqKIUnIuuNIvgCey54iX5ccnsXmRhLApi/gY3ymABSNBZTHBySWrSmfPrkAz4+78fM8TWav11XFnHS/ibZa/b5dmUQ4GlLfRKG1t8hrdK+FrVkXrdTzsUO6+G2wkt8D6UlszF5A== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(346002)(376002)(366004)(136003)(451199015)(41300700001)(38100700002)(86362001)(6486002)(8936002)(478600001)(6666004)(4326008)(66946007)(8676002)(316002)(66556008)(186003)(2906002)(83380400001)(6512007)(66476007)(6506007)(7416002)(1076003)(44832011)(2616005)(5660300002)(36756003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: WPS5QlTMun6Brfa+/mg1acqqSAENu1snNQjH5/GZW+qj3LD4fzIU2dWN4x9OdZkVeaifLs+J2XLfccFlCff5v3JiPEG3gmPDfxE4sTkvyGVREh4UJG7xSESZQXYEc6VjBvJOHBJawJPL5xluKg7XQCmgWd+PTwSUpcUfY6AG43qZE6TNGfSoDehpX+vRTWfA5NqnNLO7fbRKEJp7oceycZ2UXB/qoYkj5yhp3aepASl+5DVzJSEm/Y3bq6omhBgk6qUY0bI6Ksrv5TuDyMr+CMDt9eUKqROJwvqYHnGloMip5OeB1+soieL0MpJIjNnzdEoxD+vqV8KMF5y9vLx53mySwTSFPoKPrQh9M+xlMascLH3lrCzblh1Q26QTYCowB4tH5zjxH92arqFldgalpdhA9D9rz8i1H5iVMYONBag9l6GLBCluwARA7uwtC3rQJ354XanbHVDYbGkbIYCrFLVnzsyQUEyv2DJ65qdRQkNAf57ErFqm0RHMAEk51GQlI9YVLdLOjM9aX/KAFSvyydEIh2ho7iNmA48+tO5nzm5rhb37Ke3ZMQRV9lnWSBpDwXKHOU4olFpcwlj7rC65frp3kH+OAiD2JCAM3geO7atJxzCrjXuM5dTvTdjy5h9/yviGVUtfj4lCysb7EeXY/bZyudv9CdsaeaqRrIzKWpZ38VJFaPVjv+VkVRJdTXfVK68p14R1e7aiYKWF5F/jK7a1wJeafEsbt+6tjtmbR6t3jEy3bdFPyoZwM+fS8wOjILnblvkFS3dT6rgxApNaowveRTgdVcwgy98mZkSYS2H52VxjeiqSN3sCIKkv0DUdWo/ZraH/GBQ6kVWMmeEWMPF0+FFQWB/lfijglKawjXzCVCMXkO1APFqOVYj136llJLm58uBZfUdirgJO/DHi1SnFxD6fog1ZJVEKkN/lzxokfK3pS+jYesEjH2FYzIGfhZG9xQ2ZZtOr1E4Ln+bHGmlfy3Vs3bY3XNydEaKQwDQm8LPEuDiU4XTLm2HRoCovH7RRW5clGauRv0XKveZdbhCYn7fM6Fwm06ZAx88/7gB2YQyTD/7Y7M1A9N0Mjh2GsgtqAv3xJ1cFFJWcUkOSbTLzNzLqG/ArIxDYztUn2vmVi3t4+9leX0JjNIdvl8qKFWGkndhUiFf5K/deIrjv1S+kpxblNFGk9V8lJUczCdksxM/DQRBilbqOem5m1zYBWPFKcxYGI0UKLdau1hhKZna/lSyNMxnnGyHvPhwM5lEodXeepn65v/ixKVQD7r4bfCFibxsLPffW8fHIswOhuMH6RtPO7u5cB9MsoQJVnTcByjnCc0TYK8FL1sAZbVTLZI1Yrlmcgh+gq03uRYO78Gu47IzdtuRBvlTXsd4hC9Co/9syuhKQHExilZ0ry0mRui3YPGog3ND4d/C1ImqjIfkR3RrXbVCX/VI0HWv0QguJcjDelT36/X+H/cKVL5nuulIOawuao9LtO0cDP8XiR8K0Mdfy6ZPUVjvITE3T0bbhvu5mPFdYb5aTNLUYum5OmA0Rt2FVxEShM1YjIkvrd9ite9gMKDpx1Vg4mCDuisEv6m/HRxaaWEyNJSJ0cRx8XV+Q/vRy+MLLvctoquZnkVHKhkfKDE1zKqOVSjKOtKs= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 26569603-dbaf-4782-671d-08dadd6ae56a X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2022 00:34:01.3137 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: +3JyZCuGGREq0haF48Z6ZCaTg4IXYLPxgeyQrhFN6HN1UfFPx69vQFjgWr+dEyQmpsabgx9WdAP3ACN91jwZCSifCBo7phfaK9pN2JY68F8= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR10MB5223 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-13_03,2022-12-13_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 suspectscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2212140002 X-Proofpoint-GUID: I1za-0DgIyP4bhj5j8_4ocivw7I0gQjb X-Proofpoint-ORIG-GUID: I1za-0DgIyP4bhj5j8_4ocivw7I0gQjb Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version in this case and return -EINVAL. Reported-by: kernel test robot Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar Reviewed-by: Petr Vorel --- include/crypto/public_key.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 68f7aa2a7e55..6d61695e1cde 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */ From patchwork Wed Dec 14 00:33:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 633963 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76A5CC4332F for ; Wed, 14 Dec 2022 00:34:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237808AbiLNAel (ORCPT ); Tue, 13 Dec 2022 19:34:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53432 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237783AbiLNAeh (ORCPT ); Tue, 13 Dec 2022 19:34:37 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C42361DA79; Tue, 13 Dec 2022 16:34:36 -0800 (PST) Received: from pps.filterd (m0333520.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BDLNrUm028189; Wed, 14 Dec 2022 00:34:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=cTAomxXzPIDWsbpstlgHWraRKzhHg031SenIx2me/6U=; b=klcPyIIClZucSom2R7BEAPIXxkfz6JldzSW4wSK40uNvguy/MvRhu5aGtjOQrdBds4DR qbySHvN7yUrFmEik7rvc2jPiR6MK7inYmf8ZZcC2D4f5woMU7HaviMkOFvAgYFvu4bH+ SOVxmV1ZijvrpDbhLFvWfFbTYShfo07xCItzw8e5G48ORgxH0FWu9aJvIYpyoqsbs6Fm Fn+JS942U2vgmwwr4kHoVf/D4hGDsWoHqCNExVvSBcVZEIcDmXKxkeeEwDbocp0D8oZA waUbS6gR/aJ/SrdBaJwu35XJAum7RFvGwj8+HMFff2EHow5LsMxFy2fHqjtI1G3E7RA6 WA== Received: from iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta01.appoci.oracle.com [130.35.100.223]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3meyeu0p8b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:07 +0000 Received: from pps.filterd (iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2BE01HTi012437; Wed, 14 Dec 2022 00:34:06 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2168.outbound.protection.outlook.com [104.47.58.168]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3meyev4sg2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:06 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e4N+uAnj3cbdo0Mgj5t9+IkeTkoVvjLuTcZMkvpkSpbVF1FVNs6yL2oC3UTipofkXLQpOpH573lkfUEpfwm4+wA1Ut42lQvBUlSVJyyELpcEAkURFn+8mxf0RrpZnCclX/ZAWpAtLCb325NN/vm8rg+vTY89PNx5Q8XpQfetQosgLbLZk00KCkSCA0dljy/qpgdJsoEwBntks2bhkyXgKOZk4cctHMcPkh08ShgdqEBhcN+zE2Vnx+Z2MwUN4JT9cnNHwTsAGIjAenCvLXb58E//MxwaK9xPQ9H+g4QB6S3pKjaJ2eDCJWkUNqMYb41WWP6A7nfqkauTZswh8IPemg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cTAomxXzPIDWsbpstlgHWraRKzhHg031SenIx2me/6U=; b=JdnFnenPfc63v8MQeXR6DQbg4ZRIDcZo6EcbwFwIBelA100Tn4nBhixdM4hUv1NnXto4ZiRrCUwuebO2OKwU+p6k58oHXUUlitsReC6Ym5cMyRXmELCd08Hko7XHu6KDthM5/LsUDC/8W8JrHFaSD1PCNq4n044v4qX2KVcoOKFoYLfdJpUjGJM1oW7SmDU62Cwpg5HPl6XIrPe70oEOGI+Zlle26tTU3P4BiKQy2I+JRsYO/cirpS3dq/D/0eLrJge3IEca/IPU1lg7eo20O81Tnk70GciCA/3WRbqCm7TmD+3FNZ1PRmZJ0B3IxvMksYyxDjqbebwtGQMO1AAOZA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cTAomxXzPIDWsbpstlgHWraRKzhHg031SenIx2me/6U=; b=UP+/jRPQkSuTf2fGFRMAlISgAEIExiDeA3JtUWXku1BWg0Qn9XoiweVQFUHa+XwxEF9Q9jt04c1EHfxbnCyJMZ7kf3d/1Y/LnjKN93VJPb2PvJXQnuXZml/sUVDt17P88yOpuF15Vcy3wRmIc991IXEAk9myxaVGVXrvaJBqqzk= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by BN0PR10MB5223.namprd10.prod.outlook.com (2603:10b6:408:12a::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Wed, 14 Dec 2022 00:34:05 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.019; Wed, 14 Dec 2022 00:34:04 +0000 From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 03/10] KEYS: X.509: Parse Basic Constraints for CA Date: Tue, 13 Dec 2022 19:33:54 -0500 Message-Id: <20221214003401.4086781-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com> References: <20221214003401.4086781-1-eric.snowberg@oracle.com> X-ClientProxiedBy: DS7PR06CA0027.namprd06.prod.outlook.com (2603:10b6:8:54::6) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|BN0PR10MB5223:EE_ X-MS-Office365-Filtering-Correlation-Id: 2a47f8bb-17f3-468f-0416-08dadd6ae785 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: nK6Navt0iZJiJaIZdSxMWkWIS0nEyN3R5dSphWwODnUflmkdrTtqnKA2L1EfxlWNNducjVuAjTEWbDaIHQw+zqzPse5E2haFEPj+1UXXbRW3R3CC/g7niqB0V3APCJXvFMbyL7vh35IAu4Kf5ZlcEjUMQqhK21xjN++L9rOCXIxZFHMEGY/brP+vD/EJLHUS1kot6UML5ORfOnxGmfD31xqmIWXIjPhRuyRyz8DNvuKRca9SZLYjlp0mdJ0nXJFQWnjl3N5dplW+pNGdIra1i7Myuoy/vTdEMJgImU21ZM9s8hBXoNKztavBBulVVanAqM16zjFp4/QtRtZuAOdyD9xHXsiHWZRpwI+xY53Vqx7S4lNGIycPhGflE4CvBWeMcu1KKruc6gtBlNBagmj915hUptBwr4pzyfKt1IcTQA/f95LkXQElGvEGCTfCICOM9jlny6eJo/p/wKG/ryTQShaKfpBbmuboK2RwcBjJPcnJEM2jBILr+RZ2Bkt7zutoNS+TGb25uiNAba2nEWi9nIff+/t9UJICH7DCHAqkD2JRIAcVWzIHNeGG/h09Lr+jUI/b3GKK40gCCuO5nfcsM/vtK1C27mQyNIrOMRalm8XgU2CZWUxshVpRj1ayk3ANvST3VQVC96/QXq+bKjmIWg== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(346002)(376002)(366004)(136003)(451199015)(41300700001)(38100700002)(86362001)(6486002)(8936002)(478600001)(6666004)(4326008)(66946007)(8676002)(316002)(66556008)(186003)(2906002)(6512007)(66476007)(6506007)(7416002)(1076003)(44832011)(2616005)(5660300002)(36756003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: iMM+MECEqXgIJgwuWUTKV168Rd7q1Q9SGWVIoRxpLSo5OLjOVjzTRRWpCBdvLJJgn7LGP7DE4kw7vzGZRLqWYSlMTmadgrjy02wohHrX+ixIlOBm/+Z3rjKMjO+a7LNcFEnI9u9DkAkhKVs9jQdF/qmnwmoGWPM4OnuxE65nvd9L7FfFma44rq7dJAbNhUOevdHNS767B7ROQil5TCAcp8UhRqUlZaOuHJFz39iMXbZhAJDXW34O3CREtUEKl6Xd4mq5U0Ien74uXORDVnA8gjD88XeNkd3WFDRaFKHM0/uv1J1TkFujnDS4OcxS2go5DgDnUmzgAKnIGKUZObxtppb0tviRLTR4+6Nn3G1i7qWXwz9t7Nzo4HZk6IpSlIaAPQhTCj5OGXNfh0xBEw53VpNrPvnxnL6r/1iHzHXXm+vLvdj6FTB6HAzSm6L5yC3KBpZLCFoGRP0/qPubPPY2jAbcq6gixt75nsv2WOYN0UFHJtllUnILhKMzrKB10FL/zjYXQpJoxveCdQgHu6jhOTDxGd2R4QKEVXsEUsrkoC3MKZSH1dgCpyEbxtRZgcx/7d9wCME8qB7IfGN5jhmBJ9nyPgCTzSw0n4vRKfRA2oY2aKAxn7L9HW219xug6Ezv/rPmJpkDrsbpdzI2yB3ot+o5V5Wccr3jqL1ZA3vx9oz74+mDz4m0/XfNBXgfYw8Zcz8pzEERQLG2Fg9GYSsLwnokTvnXDKxs2mJbs8CCrfAhhej8p+PhxEdWm3wQzqoN3VOSeKIk47qxY2rpjUgw95/+C8xT4/8kGdJcvmrsgT4xtRor4Nt49uT7StSAyEkVXJBCo2EgH1s61wpxctXxeI7HqctxWFb5kbAipyvPbKqy739hrZHVh0optlyr2TveRqc2PPtsze+7SkORXZhg/T/S+PBV37IjGtZJWVITvEfuHavosYnhVw3yR0eSMfJ3F1LhM+8IGHSBT2SA70kNDYEPgXlCMfRBPJuCEyDRernjsrvP0sCgzJHtReTehYx5GZEpYXjQpS+TpK7pcIRxNgvjGDKgfpTRVWJ/HsVdDs1klWUKptA4voi0NqzUznEq65kwGczXXuhkGsNLbU2Jh8n2LerTqB97QEWRVBgn4Klz7fuweQJrCai09CKzt52nAzSAHSIchCOJ+lipWnncucBrGuuGcOdvfTUZeggl2HhTiPlb4s4zp5EpU7To+qYrmJlY75sUgNUNcOJx0JLVcRpyM364wtaJCnGpPDLA0t/pxKgf4tlMGfOLvVNr+ciaE1m5UTJQzttpZ0TRutlOiP+DPwFteQbnbIMlMl5UhXepfzgHkZp2fuitolGo1jK7l2sskKXFNRAJUc+2sU44a3VQtMS8oqvW2ggO3lWA+NoIDnzbcUp5LYtZvN/D4dHkjvsI9d76kwKmbZkGG8uOlp8Z9Tl+JgHjh3JnGGq00M1Uttr2pgcIku+M7elHO7swt3Y2j1r+Kwf+60DH37XNENLgkcow2t7zu/0S30//hG+bopNXyCqII+3REH1mde29YeohOhg3Aa5CMID8DSP/7Rbc3XkdafY/ODSMDyN7Ui8ddqsEOB0Yg4AJOMv2WhM3kYjL0NQE8tjzGy07cbLRXhgved8xSAA/4DW2G9JUFKY= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 2a47f8bb-17f3-468f-0416-08dadd6ae785 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2022 00:34:04.8903 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: AVZm6QoXsZBLNVOzegH+yivmniSYypsHBPyMxYLDDvR+iyvBt9hsjCoqI/SAatz2yBi9/dl2lS73K0gB3uSJ3VPbjNB83PlpAsjItWkZCNo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR10MB5223 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-13_03,2022-12-13_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 suspectscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2212140002 X-Proofpoint-ORIG-GUID: ZfxX5ZQhCLBW_gpxjKA0hBQYi563WrY7 X-Proofpoint-GUID: ZfxX5ZQhCLBW_gpxjKA0hBQYi563WrY7 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA. BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL } If the CA is true, store it in the x509_certificate. This will be used in a follow on patch that requires knowing if the public key is a CA. Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++ crypto/asymmetric_keys/x509_parser.h | 1 + 2 files changed, 10 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..b4443e507153 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->root_ca = true; + } + return 0; } diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index a299c9c56f40..7c5c0ad1c22e 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -38,6 +38,7 @@ struct x509_certificate { bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; + bool root_ca; /* T if basic constraints CA is set */ }; /* From patchwork Wed Dec 14 00:33:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 633961 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9DC46C4332F for ; Wed, 14 Dec 2022 00:35:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237892AbiLNAfT (ORCPT ); Tue, 13 Dec 2022 19:35:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53482 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237828AbiLNAe6 (ORCPT ); Tue, 13 Dec 2022 19:34:58 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E73C1EEEE; Tue, 13 Dec 2022 16:34:41 -0800 (PST) Received: from pps.filterd (m0246629.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BDLOBYV014294; Wed, 14 Dec 2022 00:34:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=2lUDxfaOkl2IOixZjwzaV8s1BFWU9qd/m1PpkSwedOA=; b=XQRNfbDWPLfk63//Lpf3B6uEnmzyVCWwZZBcczP2NXO6+8/j/ifAGuRF1F9UOlta4Slh 5Z8mGyH6Qf9XLbR8pvMIpvBkbu8ZhG2OUCxIn4wEyRNZrEknTDGaRwPQ8mISvsgNFq3s jUrHc/kvYXt1nZum4AE02MxR1MFBBtHawH4Va8+lsaKNkV9vUbmfko9Zgp8eib/HDuRl qS1ewwQ6oswQmb5d1HO+B0kQTfC/Z0pXZwh0NT3ZG5b/y2VJ1kdkAlFMiJUt6D+SS873 ZDkf4oE9rC6SzbUtCcZ2IO9E0zQw2Qs+ydpNfY98OwRilLH/xrF33IT1+G3dR54ScojJ ig== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3meyew8nr5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:19 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2BE00AJC011802; Wed, 14 Dec 2022 00:34:12 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2169.outbound.protection.outlook.com [104.47.58.169]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3meyenvsg7-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:12 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HTodrjEXusfq9LE/CDgLDqjXowG2axGtPul004Ku01KOjcOYcqnCRkzIonS0jzwbPP2x6KkoMqrrJabCvozF0FpPY86AiL/EV3JxUx/NFRXsL7eQYrpYneZC8MBl/kYROkwssKWQZGhHrfkLpasatStj2tnuqIx18QGxtuoC/b8dQKUtXIH9nvaWjkhsvyMTHsn8mRY8PqXuHxXiD768vCx8lmxLCU2yeX+qoTFa4zknLP0Z5inkP+9/O8lO4lWcbCbQ3rxMGAQJBO+o/t3ppOJqwbaLUNoh1Dcb7ZZOOkiebCEGuYZYW685/xStheQYGtB8mtGDPKfJoAVCKjKt0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2lUDxfaOkl2IOixZjwzaV8s1BFWU9qd/m1PpkSwedOA=; b=hv47EG+1HuU75V63dqt2Xgf79sXGJT39LEx8eO9nLAu5/svietNVV3Oxn98ory6Ym8gzh3/p1I5kLiQq2qz1v0sFTYkyJnhyHpN7PFAq0P0K3MEafr3p7UPJ1DCX+ZicZtXUrrCUx0MQqPNh2Q1g/nKjM4qWsUyKIDOgmpfEB10JYhMVKAtjeNF+SyS7KYHGgx/Gxn10bjxMCunDJhzXlrd39J7lYVG9I8y+UBjz1oFW/juMNbm6VoqZTuy0x2fdE/wKkxQfMr83SL8bRJ4fz5/UW8ikc/i3v+g7hlVbH/tdWCu8bJCWZFB2mJKYI6sxtwWa7zDKPPmmcCr8T8FetQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2lUDxfaOkl2IOixZjwzaV8s1BFWU9qd/m1PpkSwedOA=; b=rsvku0nplt2axLh5hzR65eB0QXumXt9dHJJRKMSgQmIkIdqeJ54QvnJtXNjajcO6hEn7JW3SaWeitYfHEJLo86L3ANODwkQBfIXn7LQ4zIzlGgucMPTEHm9kXKARpUSb8VJRH7Pt9qlHk8wzKx3GOiVUU2tKleo/VMc1kPI1uJE= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by BN0PR10MB5223.namprd10.prod.outlook.com (2603:10b6:408:12a::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Wed, 14 Dec 2022 00:34:10 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.019; Wed, 14 Dec 2022 00:34:10 +0000 From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 06/10] KEYS: Introduce keyring restriction that validates ca trust Date: Tue, 13 Dec 2022 19:33:57 -0500 Message-Id: <20221214003401.4086781-7-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com> References: <20221214003401.4086781-1-eric.snowberg@oracle.com> X-ClientProxiedBy: DS7PR03CA0226.namprd03.prod.outlook.com (2603:10b6:5:3ba::21) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|BN0PR10MB5223:EE_ X-MS-Office365-Filtering-Correlation-Id: 740bf181-db06-456b-6f1b-08dadd6aeb05 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: hzOUtONuq80RZKbd/Dw67mzpSymqvPghVueK0X32+Rgk1CnUQNijSHQbVZVhIB9BFcJqD9Eji3D8PCgIWecXoU5+PXcjbr5moMLwjbd3NBr0ggAKB13j9QCvwcfcw3xJr+23kqL4T6RinrNTnza9cj6ZXmIWtBQfInBvSVoM7fuclpsaQ6+ZVfyEj2V9a8XQ9GdTIzCtbrZLiY7B+Xb2KArT+BeDttuYHL2qCNJbw/ZeI3hZZJ392vAQs3kPgE4UOnO8n8Nc/2C7uxrxNI07wQ8FP9o66DoHDYvSK6AGsJfovNE+FFfV1+L1L7fWtjY3a+dhiNlPBK7bKhqECYxCR3NWo3jBOky9KWo2opMOeyiTLN02nQqNPPY6KDiDHz5nFd5A12nrSr9GnWpl+SJqBxkaDht2yFclhjTM0kQVyCPTZGZ+7iFOrVpKke6GJCSxmgqxhp6sn5ZKdqo9zOgvD4ozgjHb85ie0VDVdyQzFnjmPp4XxoARnB7bi4ygVKTuSmzmH4aAKyBFfGUcentkRDgDAWM3qH6uo5jxaIzyDDdHWgYkz1Xu8dlO0ZeydsowGldEy8a0w6siMrFKONpgTephDmTyhW47gILkhn/vUyH3gc73Z/6NVZjiobecAlRlTRS+koWrMAhuRl5ETf81wQ== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(346002)(376002)(366004)(136003)(451199015)(41300700001)(38100700002)(86362001)(6486002)(8936002)(478600001)(6666004)(4326008)(66946007)(8676002)(316002)(66556008)(186003)(2906002)(83380400001)(15650500001)(6512007)(66476007)(6506007)(7416002)(1076003)(44832011)(2616005)(5660300002)(36756003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: Shk6R4ng9qYZaxGJI35pPACXCN6bpeiKxQYkw6GYYGbHBtJVpU26DRAQ35bZHpvOmImtM3bIcAsS3Memfd+3tRIPGghviWTBq26s8iKDsUQ0j/NNTqJtET/Dl4wJ8mAnsOeIxHSl/u/g0gtyHk7TsgUPH3e8217MfYDX54g9Vw8qTk0mWPxM7Bp0f6nemXZ7AS78D0up6t9COoAdDMOX5pxngkpPd/QS2b6B/XHsWqXcJrY6UTVb3W30lXE0NenyDIK4oH65LdCfNn3+jqj7dHNT2UZaeJy65oc4Tq6ppWBao0GISXrQpZWbX13Y4mU6X99KPDyY9wWAGszNK5pXoxt5zql1s0MtduYcuTG0dBolptmRoBgMeIqnXAOXq0+ha/+dItti/iinU1NBClyi3McYCWA7fQ4j8cAreJdYTBmp1ug3IBEztMNQTiurB9WNy+W8fHKTblVvzuPjRg2xaOwFUcza8qlGbT0pI6LXRjwKV8eLfxN72h7KDphw2aby2nsDHfsPirJGPBZvDxhHS4qLpMk9xnzYPPbR53C87fjVIU26ANEXYKS28RTvZHffeWVchnrYvipF/AyGXD9XuvceBeK/A4H1oXhWXyIkqzB87178nv3j88oSthBOVz/SaqackQgwPSfqyoz7WuF9kljLrtcdCk71VFSYHb7IQj4R3RnlqoihII4xaqMAFQUQHYm/7N5Zn9OSwebGclm5oI7MMUlpm8qXAfpNwukz5EbmOWygHG4O7DKg5VAqwDmSIA6qHF7GMB539Z9/OBjn+HmjqBlNq2XsjrWghD5DuCvzvxadsM3Za2Hh03DCOELAUuydqTAGJEzYSe6TMwPvFRfGUPfBG6qoq3xkP5qChwER/UJS66RODwdx178F1R/D242kmY84CRfWONuMUONLMgLXRjp+YOfVCXaFSuyZZvTTSmf8sxaAdS+09RCqBzRhy22U4j9smF8Akj3D9RidjeMNeHfihr+DvDKNTBRmuAHC/txT0BynvycaksJbq9UaWMpvW6qEpVT1ANu3L8ieNxCs9muM9Rj4zIR+7deapSp7UdP0qbdM6bobx+o4rMPTdbejFGLXtP/bPXLXVzhkcD466dAunqZHlIDVEz2AOxMuDlMgUNth5Mafx2ftJi5kA4uIVQ5pVDmsCIZn5zyYly4BVgc2Ya7qS4q4XTSjuQMueHHsMofPf1fjHh7/WJeuURT2yvSsiaeOPIQktIRbUt9MJRDB4H8LTh8RWNYPZWIyKXTkK9fVjfPBWmIxTmDN9xjUEIHIXI7kpJjgIoZa3tha3gOBQXX+ZpvDT0KEwmRSMqdREK3C+r++QDF7PU+NkLaJ1cG0UcTeUYJTIQbNC1kIJ3aR9YrinInsI/c0vuhCI+jBfBR8I2/eS/N8FUo5+upAmNHr0n1e7QCd2uKg1fffG8o35w0yjvRPHBDEcHEBXyJT4IgouKdzTsZMv5tn2XVLsvfHIjvW3L+3CZs55xLwZfD3nMYXCsC8cOs5XbyrzGO5s/SyP2yMwJu+DKJHiXAZkXpmBP8yB3yX6h6n+H+vB2qtv3msSBkZ2xEPBOee/2uiUWlznpRbe3jOtegbBsmpqqvIYe/A/7kTNnd39H6zu//wscTK2FU3hfrd1rk= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 740bf181-db06-456b-6f1b-08dadd6aeb05 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2022 00:34:10.7182 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 9iBdhBHTJohMNjXbEB9faKnB7zSnuQIGaPUP7MVTmlaQly/cK4jd3jpt2hVeU69aGnycEcY6K/hydOeXjWD693nQb3hp/a32Q3ad/tFaa44= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR10MB5223 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-13_03,2022-12-13_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 bulkscore=0 suspectscore=0 mlxscore=0 mlxlogscore=999 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2212140002 X-Proofpoint-GUID: UUWus2xm71YT6frHTpr4LSCg7ycJWTq8 X-Proofpoint-ORIG-GUID: UUWus2xm71YT6frHTpr4LSCg7ycJWTq8 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring. Add a new restriction called restrict_link_by_ca_and_signature that both vouches for the new key and validates the vouching key is an endorsed certificate authority. Two new system keyring restrictions are added to use restrict_link_by_ca_and_signature. The first restriction called restrict_link_by_ca_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_ca_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring. Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 18 ++++++++++++++ crypto/asymmetric_keys/restrict.c | 41 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++++ include/keys/system_keyring.h | 12 ++++++++- 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index e531b88bc570..0d219b6895aa 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -51,6 +51,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_ca_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring @@ -83,6 +91,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..005cb28969e4 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,47 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_ECA, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..e51bbc5ffe17 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..4e94bf72b998 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -24,9 +24,13 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_ca_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_ca_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { @@ -41,8 +45,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING From patchwork Wed Dec 14 00:33:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 633964 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C59A9C3DA71 for ; Wed, 14 Dec 2022 00:34:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237788AbiLNAei (ORCPT ); Tue, 13 Dec 2022 19:34:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53408 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237766AbiLNAef (ORCPT ); Tue, 13 Dec 2022 19:34:35 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 671D41D66C; Tue, 13 Dec 2022 16:34:34 -0800 (PST) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BDLO7dr016062; Wed, 14 Dec 2022 00:34:16 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=9T70b9iy5omFjdxa6HUf4W+h/52V84VeDdJ/ZDQXe3U=; b=1DezFdD/LaHfgbOgLuNlGJx1QT26KX8gUISMbVChFcuABo7vj8MW8iMT03TMDOg0IavI S0qElciIA6Blcd/YsAlZMCkp2zB69pH3Qhohm1g47/wAkJtEquTi94CZx7NIf0DMiX7Q bZvw7SdupMWF9UfcyF8RAzRSK/qSffjK4XiwRm/JjJXmJE+q/GYBIM/5QOg6Tf2aOeIl RCIRyK6LTVtTGawhsyRPa5wtNpbOy4heQcjOJf6nzO9BnS3D7CqdVsfO9ZLoAkprb7Dq ruPsOML7K346dEf8Lyph0KzvBEtuDBbN7t/w5jyOp5IaNcCJkPGp97NwbT0idqViL/Jl Fg== Received: from phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta03.appoci.oracle.com [138.1.37.129]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3meyewrnth-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:15 +0000 Received: from pps.filterd (phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2BDNUIaO037224; Wed, 14 Dec 2022 00:34:15 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2168.outbound.protection.outlook.com [104.47.58.168]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3meyekcq6d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:15 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HMgnWFQCN1KMslKg64Pi+Xb3Z71Tk0Yk8QO704ZN57JPkWxDNWFL4tmkcMXh0FsUT+NhFuCbxdEzmfaEjxxKzB2cfbgLX3p4aAeHxJDVxwB3rTastWR+x2MmO9/30RjqxhTUmqgvgqLV2/znhzILGhtGK8q2SW4C6/wtz4r9MEtwHPwfQ7jsm/Bk0OVCABVhM5Y90ljc/nuzeaG2SZVDO1CgZDzAyK+7580pjbl+ljieOirNHHGAoogW8Hkyh7Y+3PYVP7dVLlNIGerKsrXGIATUa+Gnq+Xry9wbsj16LlF3i60TLpjtEMwvPUcZWXwlJDBgDqxtnOkBaZoR3FKMaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9T70b9iy5omFjdxa6HUf4W+h/52V84VeDdJ/ZDQXe3U=; b=ZzpJizFY1ioWpYpgD/ednEkzxoztMQtXrwCKQYG7xSEqZtFTRLGO7MjLWfhdyAs+buZZflaX4sE/MBsSc+kxe6QYRBYPOTYE9jKb1fOLxO1BEuxPzQsnl9QkpW2SERy+a42+ZiQeisICtv/dygfkpUjTKMlYo//8cgR8PGP0+IsOVZ+sMBBLvM3wYWkou6KLVjNUWNnVMqfebg4b7CcuOsOmbGLEun0BpGhuPx9dnR0b9r5Eo4mOcUlgumdez5uG6SYrDKxzr6ARx0kciR8OFUkoN1CowbHHmB3E4UQvlfQhmurVL9bmcWFfjqwdeYqao3AeUXPVgN6+mVQSnZXjdA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9T70b9iy5omFjdxa6HUf4W+h/52V84VeDdJ/ZDQXe3U=; b=EjY16i8J7wpSGAvU6QLehmKe0BGnegSxKne1dJ1Zapj2jF9zySCLnVd5hX5/H0olAMY0uqnCCHANCL5j8wsDQNU4ngyq8mTqVTlCx+Jm2L6pZL2vC+1bBMe4MYXu/+zA893B6aF+4JxSVDE2CCSBfZNS9Rufir6IX/3EigMsMHs= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by BN0PR10MB5223.namprd10.prod.outlook.com (2603:10b6:408:12a::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Wed, 14 Dec 2022 00:34:12 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.019; Wed, 14 Dec 2022 00:34:12 +0000 From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed Date: Tue, 13 Dec 2022 19:33:58 -0500 Message-Id: <20221214003401.4086781-8-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com> References: <20221214003401.4086781-1-eric.snowberg@oracle.com> X-ClientProxiedBy: DM5PR07CA0080.namprd07.prod.outlook.com (2603:10b6:4:ad::45) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|BN0PR10MB5223:EE_ X-MS-Office365-Filtering-Correlation-Id: 6288827e-127a-491f-62eb-08dadd6aec15 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: SmA4pAGxsvgJx6YI0KEcy7elaSsZ5LgxGgKOEDS3GO3bZCHNNeTI2Pe+CxQNg6kNpqiZtDsE23X9f45P2BoDBZmr9Eo/nz/085FFkKd9DGxZ3Ay/OvCCfYax/cHrOTKHVttVh0UAW4qrB2IWaxKMmMaRDB6AX6Ubik3WflQFrVUrq3La5s6THER0t0GlY91wqBNZDz20GCDDyAi2fuQZt9eYSOeDr7cO7abCzFp8GxOgSI8kb8A4NPWufJbpwln0AXfBuy8tu/RfRpNBIrBPN0HlZgGQl6dCfMWwa9lxlhW/fdUL/z6FrrkNFCcLYPEG8IuQZcK1YKv1TyMhJNysF+Ae5F2oMZUIgvn6FAgmkOHckI5/LnRNqN+c6VhioIS/MKvW1VaKA+eqkJI096gLMwl/TVjjxxCo1CthILuCkasvvrjTZcJAxxerBJVaUGQB7qUqdyh2G2j3pYh71pSoEN6V/t0DtRjypSGXQK9LTLkJpuozSnx+kxVPQncrvWBhXnA/IcUjkIwxL36Arf4tAM9/13fiHT/D0Gr+M0xBaPIYsgyTn5FKe0dTRfXmmJSQIsu4w9Fgj2Bl/zVlx2c+M0iMYdpADqK9quKRxfONfHA/O6+3BVM2ZGlmUMyzHiyIiFvsxf3I09ehRGJ0ZZtNlQ== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(396003)(39860400002)(346002)(376002)(366004)(136003)(451199015)(41300700001)(38100700002)(86362001)(6486002)(8936002)(478600001)(6666004)(4326008)(66946007)(8676002)(316002)(66556008)(186003)(2906002)(83380400001)(6512007)(66476007)(6506007)(7416002)(1076003)(44832011)(2616005)(5660300002)(36756003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: +n9qvO7wn/BPv+B/m6Ly7P5YM+0HCvXYA2Qd0iG3GYWZ8Q08hhY8cH1cKzmoS4GGhnRIKYBCUXyzDA6m3JBxH4rjthgWyf2G7zh/JYfZGg572pjw+go0toM8zxLmmH+5mquiF/CuQ2CxCyy4I96XeaOH+2xakcUUiV5gOI7a+OwIgtcDWvXqe7q0r2fEpWH9khraiCpscPCDmnApQEC12NYHjiVDANnxbxBBls4Cbbb9ELnHEC9kKWRPpVr4l8ff06Hap0RV4MDxhYeSvGgiP2dHbsP9+ua5X4BHRc+Bc2QtZ/SLr4wHso+sDUb3BXQV3KcoVtTOxl+2jXg67iCzogxfMsLou7lORM3ed2WySL2xAaiaWMNSC2UUUj3FNuDqd4s6P+z05Abf+X9fjyOfFAM1Kh9lxCotG6Sn41FKni/2oQcG+oHvKxKfE7rDwNW8KA37GG4BKLTx//JiwNM7GzlBkHhhzflIJixr5YXC5DQXV/uUlRgKs/pHyb6BPIlso0wNHTjORAoQOornWUBCevt8gE7fga1u1Re2iOIxdYRTMddYPn/H62WYteLFIpfPOphVMqMshZ9TSfkb90urFcuMXo3yJ2X65E7d7z50ks36DrQT8/I0a9poeRtnUsnJm3uhbfrsfdVGXezlCHnCp2JWxwC/xYGPbkW9Fq0tvRAYG5YJQ12uTtveNI2ns3DljJ5XkQZ5InHXfdbiGPS/8F7lB+3LdBDb79dxONO3s8eadrnjj2PX41IUQ1kH2I6tFt9MMn1dmazI7IiExtRmDkxPEwtuksZs0g/+LOUbMvXmp7HYA83bQOWpJ5GFOQ6j+Nkz1ILFTu784QuRl3MRKDxxP2fWBVWWMUpB1sLgHAHNW9DGV9027G+JW6oOreYCCarA8Um1UqEKGPQFtMdor9CJdh1lQPWTfQhhLOD9dTbkOwXfg3b2ojqP3AGIyk+CZQKs5nyHem0kMqUyJx4egDxXdlqUvvfIrxinXGm0xiO/LxBQOIrXgObVnbz9lZ7vZVYdtYat3c3m/q/Ywdm2WlikRyPWKIOR+KBFids0iYygAzA8KerWJp7+G3IICSYtceApP2KtD48W1nPGUQRKPeLWQP2E2SPx0nR7pi2h7EqyAOtT1FKVOq+tNhyCU9UaBVyS11ZON/CzOMsRc/z1qgGIf9mhFrZO4vTA+GiL22Vviz6V79/tYMNbO8B+rcV8AoB+ra0AvZf52gzrbepoa9kVhzPr/2Pk6CwhsdaE6gtAtUDtmKCN+F8GAi4Ci9gkMaeeUeQnFrluMpsrkqWm2J9KVFwUwt+9bmJYX8SCFC7bkExHE6uJ7jvW3gbXY152mOsqOPkIQgXH1h34h6uRBZoIQmb40bmTw1VI/CHshUj7ufDBhN44h5JOrMzH456C0G7EQ1jy0Nxc2Pueh+yrlWk5euG/TPytbIDkGgDYMObMcpmOpd870CADEaVIpB9gl+D2LskBzfXCmhY+iRe9g5Vs6xTL1qxoa54y0U5VfRzRPNLeICFTO0qxtF2Yec51m4XuZL2wFZ91q1+U83L/QGf+kLe/uW7NqC6HND9C5sMbLEblKe3eXz0Xb4lF7INiuD1ZEJyB1DrP1PI+rb8WrQ3sPsV9zUT1DFxG61Fusik= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 6288827e-127a-491f-62eb-08dadd6aec15 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2022 00:34:12.8598 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: MJb0eBPZLJMZFTzc48LgPdY9du/5m8rDC0pJc3GqlFHqYx2sI1w++277rQquy/aE3Ecl2UTM9cp1pRTwx6MQ4Btg6WY/0MpmATeOTgfIG/Y= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR10MB5223 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-13_03,2022-12-13_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 malwarescore=0 phishscore=0 mlxlogscore=999 suspectscore=0 spamscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2212140002 X-Proofpoint-ORIG-GUID: -Qa9JTphCEIUQcJ91AbkgnOjgDa-PvCs X-Proofpoint-GUID: -Qa9JTphCEIUQcJ91AbkgnOjgDa-PvCs Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Currently X.509 intermediate certs with the CA flag set to false do not have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to be added. Requirements for an intermediate include: Usage extension defined as keyCertSign, Basic Constrains for CA is false, and the intermediate cert is signed by a current endorsed CA. Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++-- include/linux/ima.h | 11 +++++++++++ include/linux/key-type.h | 1 + security/keys/key.c | 5 +++++ 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index fd1d7d6e68e7..75699987a6b1 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,8 +208,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } - if (cert->kcs_set && cert->root_ca) - prep->payload_flags |= KEY_ALLOC_PECA; + if (cert->kcs_set) { + if (cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_PECA for now. If the restriction check + * passes later, the key will be allocated with the + * correct CA flag + */ + else + prep->payload_flags |= KEY_MAYBE_PECA; + } /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..6597081b6b1a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA @@ -181,6 +182,16 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_trusted +#endif +#else +#define ima_validate_builtin_ca restrict_link_reject +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 0b500578441c..0d2f95f6b8a1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ +#define KEY_MAYBE_PECA 0x0002 /* Proposed possible ECA key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index e6b4946aca70..69d5f143683f 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate endorsed ca */ + if ((prep.payload_flags & KEY_MAYBE_PECA) && + !(ima_validate_builtin_ca(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_PECA; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE); From patchwork Wed Dec 14 00:34:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 633962 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4B9C8C10F1B for ; Wed, 14 Dec 2022 00:35:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237851AbiLNAfA (ORCPT ); Tue, 13 Dec 2022 19:35:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237743AbiLNAek (ORCPT ); Tue, 13 Dec 2022 19:34:40 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 814D71EAD4; Tue, 13 Dec 2022 16:34:38 -0800 (PST) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BDLNqvI019987; Wed, 14 Dec 2022 00:34:21 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=BwjU6HLISIcurPWwMgKVLqa4mU1kc4uoYuJlz7APYHM=; b=zeE/ZyeNAqjkTPDBdOX/rB5AhP1AtmamvrYa2mkpZE4tMJEtNteIoWCXnoCUOZvsWu1j ij0o70doNBOvD8I3ZxBWt9+TCdiljLW5VRGgLqXtLCG67ygH63M5uQi7VOiEcPIZ47hu J8ul0oP3GSVfAw7A6s6CdyjP/FoHVFPxqEFclGjehkPXUDXyqMs+xpXDLRBsSr5X8flh p72tudkOepCJe+uQvk8IQolretYusf5A1L/0kpv5rAddwEl9eSzhqyi2EQxOUBZGu93+ kd+NztY/l7J0nfJDQIAR26039jw+sXKwqf3GdqpQZuIqidfFruPgF7YSxOCbGpuVDrz4 8A== Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3meyeu8p7q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:21 +0000 Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2BDNh14S031305; Wed, 14 Dec 2022 00:34:20 GMT Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2103.outbound.protection.outlook.com [104.47.58.103]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3meyet4sj1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Dec 2022 00:34:20 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jupGOPsSczDLrX28VLKoZpb7zcvOkLDvDvSQb9zVPz/4fnTlyFDz6SLMlnLrATWXMQKBNtHz0467BMSAUriMl5kuIaXc3Xb+dgupchP/pbwFlv+s0fgufbx8hWP/50cuIt735+zy4RI8iPY7ArYijpaPTztragtQG8DouG2D361TpFBLrDawMdnM8u9Fccj4sdim53XQaEgKL+3cHphH9zl9i7tELmPDsKgoZdMZNCUI8dACL84tbJfq+szzHFJb4At6hqNYhs3IYxRxxo8vKq5Fg599p7dBzzyKzFj0vHhsab0vaLTsl1K+YbcvenmbMO42XKkJrcdI7EnphS46bA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BwjU6HLISIcurPWwMgKVLqa4mU1kc4uoYuJlz7APYHM=; b=EREKDJm/BSV9f5XHhj/K8u7PnC0NtchLIB0vKAdim7G9DCNq0HDocfOMdVxCR4XEx5vhBroNrZMRcbI7A7LUTYo6wpGPthSVGf7W1qOgj81dZz7yr9baejUv5DsOAF1IDydbBfi9/rHK96qYJAmXe7rIjORU0CnmkvY+TdZxaY6QaI+8cfLGYwQ761N9JBo/EQqgE4XgnCSGHA0r2Es1zoQv9Vl8KDPTkPSHrKs88bgZ6xpX8Cz7iLtf8XPAkcmyXHGhG3Aiu7A6E7YeiNf3jXs0q5v3/f/v3ElYLjsA9jKTWya4T5EElMX7CsXfU7Flm05luqCLvch/7OkGfeX40w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BwjU6HLISIcurPWwMgKVLqa4mU1kc4uoYuJlz7APYHM=; b=rLWm8w97qJ0gBOhp2ljHu6r60pEAEzeNLlJyVMb/15eQ7BRI8OlFlP5eCjAJ44wnzt8Zo5ysY01izyiOxED866z9dtJJpnZTJPn7YBoW/KJ1vcJXl+54RAzIJSFqIs8eK/iMshMpgvCeRHILealC0ptFo9ht8dRz30Y0ZAb1kcc= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by BY5PR10MB4324.namprd10.prod.outlook.com (2603:10b6:a03:205::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.19; Wed, 14 Dec 2022 00:34:18 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.019; Wed, 14 Dec 2022 00:34:18 +0000 From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v3 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Date: Tue, 13 Dec 2022 19:34:01 -0500 Message-Id: <20221214003401.4086781-11-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com> References: <20221214003401.4086781-1-eric.snowberg@oracle.com> X-ClientProxiedBy: DS7PR03CA0016.namprd03.prod.outlook.com (2603:10b6:5:3b8::21) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|BY5PR10MB4324:EE_ X-MS-Office365-Filtering-Correlation-Id: 196a559b-97bd-4d29-e835-08dadd6aef82 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 4d7kr/wZuvVUf9qwDa3FmJfTCjTlgXk8x2lyn0r7bxyHhuae7mveQGPtS5y74abcPyQQsHyviCnFs97Y2DeFfl/TwvqY8uIe6HFZ3f3g5PH2ns+F9MMstcV1aXu5bmUik+myiNPtJkYOc949wrSJZfDoOUxQ3SarYIEEZxBGIiBAaSlJ7/+/BEzy9bkRq5Xi1pijTx5cpuGwYW0R2vp9ld8eVNZaXscM0G9Dpv7tcomBG7P9mZm5/HNCuToraEVAyQtxIGz+O9y7nMnOQ5kXvXkaexUOlDF+oz9PlP6gNyccaffXz5qjeMrF0VyVR0x2jYDSiF1IQ6M3pm5reESPbgC6EZNoHuXY3Axv+GBdTM6jD17jWKYJp81/W04nicepZZePG5X+caIxkXHYIh5GBqYBMOhPWSdofiBetNu23p5Xi7ciUnE9TgnohucxeoBIBr2tYghdYAJ0aLQd1hNQebbeb+T9Rontv/WT+lfRHnVfCZJkqQBnxc7r8pRMmCxmVC5+H1jx/VgGfYGZp3pGPPNHeTel/D9D5nNbXR5BkOzDzkw+NtPGVBLsqRW2oewX3MwapIGbwyif3rWLMnNP+/s22IZxu9MRLOGdVqbJi3+1ezFnxPpc7eWRBf0iJk/7iqufpXbz4WK8eceMq60Obg== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(136003)(366004)(376002)(346002)(39860400002)(396003)(451199015)(36756003)(478600001)(6666004)(6486002)(38100700002)(86362001)(8936002)(1076003)(83380400001)(44832011)(5660300002)(7416002)(2616005)(8676002)(66476007)(41300700001)(66556008)(2906002)(4326008)(6506007)(6512007)(316002)(66946007)(186003); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: KUiArnUcO/nlF6E8RNlU/3UhRLU5zaIDp9npkktzz7yCD7VxolgTQQPtLAYLZdHR5cs1C1B7MXOGRtvzy4m8ZRdGluHLdbi1KsadKQLKJwrhQlDfUfcE3zI31Hd3rTSFXWQhxhjFKaRCu2Tv4Wi9/rt/PIPLQCFW8E8jUQAlJvD8ID1FWUKiiUkGXnMWzbKP9PpEXczdU7tbXWDt57mpZRb+kWD7jXR/iwfhREO7q/jEkbxrbWGztoTYByhA3axtf1sTucMQOArqpxs1cCwEX0bnhq9dWUE33hiNxWO0D/FI2bAaPNnwyTcRbvRlBtShinEDVXRWt6tTLZBWeNI5IZz2UEIgYCZIsD/Wyy28pyMxVZtWdC5a0AG4AW0rCYnmKFa0ntag+ys1VOluv04lA5BpRuKYcGBRXGUmYhWSVDEr1ZV7EaFj3u0Tp5Sn6Bgk+1xqpjdEifcSGfIDUqxZmDMNsI/2hppp1rgEzRvrSDuhJMDxJr40fgFq0DIkdpCb7u8vLmWGLZ/D5PPMcZOAIkpMpJUJZL7JSKog2pfgOO6QJogdBAuZjwgZkC/JMG4Hlkq6Y8YR/cL1Jww14DIz8UHaI+vGI+XY07hyzTZA+eUoP2vyXU+IMaKBCmLUjB2TCKrI52pN7Z+hrByCX7W7vjQMApz3Eijg6cnnlpkKxopvVN5VDWTcjHwMn1xTBbsIhRyngudOZCRGanlY9Fj8d89yvzJB9Oyxp8gOUGMdbWDitLmv3nzJ6+PKfwAp5VUlgK5mJmxYwx+hq//dBS2TGoVIXyaAB9bzssAR9OdwdJtm7eITaW6QWkxXbkFCVqxh4b7wYwWnKsAuqXyJ/eIYVKj15dHv2InzLE5Sy11JSpXypl8goM1HmCm9jl3blYJYujwEOjYtXAy67VRb9GJgZVrx8q4cco8K0wGSveQEyZXPwuHLFCpIhegWqN0jAMERU1wYsKGGlSruM+8ce6bKLxdMZJ26wdo2bd+0d+gMk1qGoliwgyY3bstKq+/O1YHcrnq49gtTo3b6o7gJ7VOxF6k/i+7ivuhTPcHe+0Q4g+n6Nl59ElyyIWX68RX6ITcwR93z2T77O+Rv90XMmrGOTIcuVY1Jq+//Cl6+XmEWnlcXDEay3YONsf+NI51OxEZ7HRj2L23laG9yvM/3K6Nn/8Ly1kpidSwRJFE92pUichuJqYMWGgtuwOUjsI/8QM6JfclHJ1jlNyifZ19DTFgFqnrbsykSzfjBqnSBjdXubVRI8HpviRxeIblBfJG0anwwDmGKXdeS5+3hOufT0FlKW+AMi8HtzmVG0XjD7hrZW8F3YhZlL1Jnn5SluMcPEdOfzHsbnz25m8Ub6633Xi65JF52ADMfL1Mz+KLy92zTug7H9TxWcqixeRm9hKppj8xFBubzO8RF2Uw586t2RCP96EJ1steIHw8kCmVXSzL8W1OjZ3VQ9kURKLVw2k4wBWdU4Kd1ETsAx3Gzhjix5eME1EnxnyFJhtJjHZ4RVY45YdApBKP7X5/j/Wu12pFskc0/fF2YNSJNpysUeLz6+1glHI13Abn8Q17FD6bCH1DmVjhTdQxq4jgv+S8BVTFA5AnEVQZZakwiYUo5Q1/osx+SEc/rs+eL2hCbMk065ZNX0mI= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 196a559b-97bd-4d29-e835-08dadd6aef82 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Dec 2022 00:34:18.4233 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: wi8uz4R9ZyMXugJAv48UsKj9mUnMassFK675FtgKVh6X/Je5Etdyk3xQkD5DBT5lxR28wdZ3e4xZippweda09zIlNKR5Lpr6Dd9wGuybnzc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR10MB4324 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-13_03,2022-12-13_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 mlxscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2212140002 X-Proofpoint-ORIG-GUID: 4BiB11Szgt-6DAiV-T9Rdb9R3e1uWJDs X-Proofpoint-GUID: 4BiB11Szgt-6DAiV-T9Rdb9R3e1uWJDs Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring. Signed-off-by: Eric Snowberg --- security/integrity/Kconfig | 10 ++++++++++ security/integrity/digsig.c | 8 ++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 14cc3c767270..3357883fa5a8 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Only allow CA keys into the Machine Keyring" + depends on INTEGRITY_MACHINE_KEYRING + help + If set, only Machine Owner Keys (MOK) that are Certificate + Authority (CA) keys will be added to the .machine keyring. All + other MOK keys will be added to the .platform keyring. After + booting, any other key signed by the CA key can be added to the + secondary_trusted_keys keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 1fe8d1ed6e0b..b0ec615745e3 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } @@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services