From patchwork Tue Feb 7 02:59:53 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 651377
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature
Date: Mon, 6 Feb 2023 21:59:53 -0500
Message-Id: <20230207025958.974056-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version in this case and return -EINVAL.

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Reported-by: kernel test robot
Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar Reviewed-by: Petr Vorel --- include/crypto/public_key.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 68f7aa2a7e55..6d61695e1cde 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
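Review bot: in the `#else` branch, `return -EINVAL;` gives a caller no way to tell "verification support not compiled in" from "malformed key or signature", and because IS_REACHABLE() also selects this stub when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m is used from built-in code, a signature check can fail with a misleading error code; a distinct value such as -ENOPKG or -EOPNOTSUPP, plus a one-line comment on the stub saying when it is reached, would make that failure diagnosable. The commit message should also name the in-tree caller that produced the robot report so reviewers can judge whether that caller should select the subtype instead of relying on the stub.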
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA
Date: Mon, 6 Feb 2023 21:59:55 -0500
Message-Id: <20230207025958.974056-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the public_key. This will be used in a follow-on patch that requires knowing if the public key is a CA.

Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar --- crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++ include/crypto/public_key.h | 2 ++ 2 files changed, 24 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..77547d4bd94d 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + /* + * Get hold of the basicConstraints + * v[1] is the encoding size + * (Expect 0x2 or greater, making it 1 or more bytes) + * v[2] is the encoding type + * (Expect an ASN1_BOOL for the CA) + * v[3] is the contents of the ASN1_BOOL + * (Expect 1 if the CA is TRUE) + * vlen should match the entire extension size + */ + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (vlen < 2) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..c401762850f2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -28,6 +28,8 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned long key_eflags; /* key extension flags */ +#define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ }; extern void public_key_free(struct public_key *key);
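Review bot: in the x509_cert_parser.c hunk, `v[3] == 1` only recognises a BOOLEAN TRUE encoded as 0x01, but DER (X.690 11.1) requires TRUE to be encoded as 0xFF and BER permits any non-zero octet, so a DER-encoded `cA TRUE` would leave KEY_EFLAG_CA clear; compare with `v[3] != 0` (or `v[3] == 0xFF` if strict DER is wanted) and update the comment `(Expect 1 if the CA is TRUE)` to match. The `v[1] != 0` term in the same condition is redundant once `vlen >= 4` and `v[1] == vlen - 2` have both held.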
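Review bot: in the include/crypto/public_key.h hunk, `#define KEY_EFLAG_CA 0` sits inside the struct body and its comment does not say that the value is a bit index rather than a mask; placing the define after the struct with a comment that it is used via test_bit() / `1 << KEY_EFLAG_CA` avoids the usual mask-versus-bit-number mistake, and the `key_eflags` comment should note that the field relies on the public_key being zero-initialised so the flag defaults to clear.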
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Mon, 6 Feb 2023 21:59:58 -0500
Message-Id: <20230207025958.974056-7-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Add a machine keyring CA restriction menu option to control the type of keys that may be added to it. The options include none, min and max restrictions.

When no restrictions are selected, all Machine Owner Keys (MOK) are added to the machine keyring.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is selected, the CA bit must be true. Also the key usage must contain keyCertSign; any other usage field may be set as well.
When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must be true. Also the key usage must contain keyCertSign and the digitalSignature usage may not be set.

Signed-off-by: Eric Snowberg
--- crypto/asymmetric_keys/restrict.c | 2 ++ security/integrity/Kconfig | 39 ++++++++++++++++++++++++++++++- security/integrity/digsig.c | 8 +++++-- 3 files changed, 46 insertions(+), 3 deletions(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 48457c6f33f9..633021ea7901 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -140,6 +140,8 @@ int restrict_link_by_ca(struct key *dest_keyring, return -ENOKEY; if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) return -ENOKEY; + if (IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN)) + return 0; if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) return -ENOKEY; diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..eba6fd59fd16 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig
@@ -68,13 +68,50 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +choice + prompt "Enforce Machine Keyring CA Restrictions" + default INTEGRITY_CA_MACHINE_KEYRING_NONE + depends on INTEGRITY_MACHINE_KEYRING + help + The .machine keyring can be configured to enforce CA restriction + on any key added to it. The options include none, min and max + restrictions. By default no restrictions are in place and all + Machine Owner Keys (MOK) are added to the machine keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_NONE + bool "No restrictions" + help + When no restrictions are selected, all Machine Owner Keys (MOK) + are added to the machine keyring. MOK keys do not require the + CA bit to be set. The key usage field is ignored. This is the + default setting. + +config INTEGRITY_CA_MACHINE_KEYRING_MIN + bool "Only CA keys (with or without DigitialSignature usage set)" + help + When min is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will also be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_MAX + bool "Only CA keys" + help + When max is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will not be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +endchoice + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI 
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f2193c531f4a..3385f534f1da 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE))) { restriction = NULL; goto out; } @@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
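Review bot: in the restrict.c hunk, the early `return 0` is keyed to CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN, so every other configuration, including a build where the Kconfig choice is not visible at all, falls through to the digitalSignature rejection; inverting it to `if (!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX)) return 0;` makes the stricter check opt-in and matches the Kconfig help text, where only the MAX option rejects keys that carry digitalSignature.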
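Review bot: in the Kconfig hunk, the removed line `- depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` is not mentioned in the commit message and needs a sentence explaining why the machine keyring may now coexist with that option. The prompt `"Only CA keys (with or without DigitialSignature usage set)"` and both help texts (`Keys containing the digitialSignature Usage field ...`) misspell digitalSignature, the RFC 5280 name, and the MIN and MAX help texts state that the remaining MOK keys `are loaded into the .platform keyring`, which nothing in this patch implements, so the help should either point at where that happens or drop the claim.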
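Review bot: in the second digsig.c hunk, choosing `restriction->check = restrict_link_by_ca;` purely on `id == INTEGRITY_KEYRING_MACHINE` is only correct because the first hunk already jumps to `out` with `restriction = NULL` for the machine keyring under CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE; a short comment on the `if` stating that dependency, or an explicit `IS_ENABLED()` test mirroring the first hunk, would keep the two sites from drifting apart in later edits.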