From patchwork Mon May 8 22:07:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 679958 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 817BEC7EE26 for ; Mon, 8 May 2023 22:11:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234099AbjEHWL3 (ORCPT ); Mon, 8 May 2023 18:11:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48338 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233820AbjEHWLQ (ORCPT ); Mon, 8 May 2023 18:11:16 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C99959DA; Mon, 8 May 2023 15:11:14 -0700 (PDT) Received: from pps.filterd (m0246630.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 348JOnug013290; Mon, 8 May 2023 22:10:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2023-03-30; bh=CA/3g1Jj1BALJzeNjGclS1aW39twbOyywfaWvaYDKc8=; b=TWLgmh5lYxpjRvI6ACepa8hTkWt97tjYaBuxoGxM4i0KyvLjL3NrHLMGzYrd8JVmYhd5 c3CS+TUEs6Vv7Gb4XHqkY1wKiQEIc1L36JmsHpwwiXEDEDEJ3T6UFOEOpvGzECu2CunZ VKZABXZfdxbpWYyaAhzF6Ngs/4YtwqswYDJ3iWIkRypIOI/KWsl7NMyWisIS0TUrY5zQ f12PXO7E+SEtlX2qamN3gNhFcvbsSZfS+zuvh+SGybEBJPo5CqUxvEKU2aK6PjYnTezF zbXr7KHn1yrt0qSuCEt602ASgfwIxypuAKHp3JYNBjUEnzjHylg4/LNxNLlmeykuNGgR kg== Received: from phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta03.appoci.oracle.com [138.1.37.129]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qf776g9hm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:40 +0000 Received: from pps.filterd (phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 348KJH8M020059; Mon, 8 May 2023 22:10:39 GMT Received: from nam04-dm6-obe.outbound.protection.outlook.com (mail-dm6nam04lp2049.outbound.protection.outlook.com [104.47.73.49]) by phxpaimrmta03.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3qf80yu968-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:39 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L560UIoe0+uCSBcmQ6eFvCRfTtZe3rd09eG3/hEDGKP9ErvKJfjjKwqKoB0f7+RX9IZXpE5nIvt1TivdUOsZvaFiGar2AtNLFYjAlMmI/fF1O07gGP6DEUrSBF/UoD9bN1yVCAvAVXoagubUBAmi4fsyhBI/Y/qEZGICK7M4Z146q+uWUhicMvKGbAmzekJDt5cNp8hMqQshe7nBAPyxgEH056uJeFg9MsXRcHwDnjnJjK6omtPNr/Onek6LcYwznIQpxhQnG3OTdjnRnMNPdL+p3n0JQzyVltPhk8UL1DLCQy4u9oNn8ln6pluEe9I8XWuA6E8M9Spd+4HnIXizWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CA/3g1Jj1BALJzeNjGclS1aW39twbOyywfaWvaYDKc8=; b=CNw3EIWW/GdDL5LYMriWhvcfXMZNL/BAQiej7ensF8WwTSXnKs4G6VLF64VU/B6NtizWxaW+vkH3XJG245KxXez4sGdkxtaUGscAoLiuh9yKBPXXeyAhZiZ8hkZ+QTFeJC6Q0THUFQc3glUCEC9hPNJcg6lNleiPAYWmhFPrBQcy32wzSgLX1Rm222waxVPPCzfxa4P3GvEp02jHr+zObqvrxOmnUKjrYrusYac+q2UVgjt8jceYOeInPR1h+iBLT/M0BIE7oRddCqUqD6GJgXWsYvttBNRDylUhSHfoKLcoXiSA3oxNZ7AqGUIbIjP4CtVmvwik8A382P/ij2MFMg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CA/3g1Jj1BALJzeNjGclS1aW39twbOyywfaWvaYDKc8=; b=BKlKgjTW06Xkdt0ULo8OdLRE3OTKUms12EeQMQ5fR627F/aRvMcMDkV/HpHxLaiUcOQyDt3fF8EipBTQ+gjMgaXSHNN/j5MolV7RvIrZc4C71WgXXXtSq4t8spyQCyspOWwwbWnve7Mpg44KDwqPMEtP0Dk/rmJxJNOap8lIY2k= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DS0PR10MB7065.namprd10.prod.outlook.com (2603:10b6:8:143::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.31; Mon, 8 May 2023 22:10:37 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e%4]) with mapi id 15.20.6363.032; Mon, 8 May 2023 22:10:37 +0000 From: Eric Snowberg To: zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 1/3] KEYS: DigitalSignature link restriction Date: Mon, 8 May 2023 18:07:06 -0400 Message-Id: <20230508220708.2888510-2-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230508220708.2888510-1-eric.snowberg@oracle.com> References: <20230508220708.2888510-1-eric.snowberg@oracle.com> X-ClientProxiedBy: BY5PR17CA0011.namprd17.prod.outlook.com (2603:10b6:a03:1b8::24) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|DS0PR10MB7065:EE_ X-MS-Office365-Filtering-Correlation-Id: b35df5d4-8d47-408d-13cb-08db50110d21 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: hLGpbZdlBy2b9QUz8VqZMXUspQ0g07pQayurQKU9OHc3bQWhn7oIqYGKrBrczJbD2Ayo9PN5/TcJ5nMQKvYVpLFOxCdUJjWV+gbATFXSUcisw2J7b2tJxLeDIiagJnpLdlvlKY3ADzEMzWscxt79ERAIr0N8rcwefbtuexuq6BAPq6noM8anazHGmBSnHXmnu6MlTSqPHIxilui8+3GJYslhZ2LTOFu1PHSTvoLlIbA3W11BOIt31KOfHjBO7k+dhcXrmHajfRrJja8wvOwrwumrgMMPxGUJLeth3GXPhT14D783B9ZF7JcG2vIZePrGQNziauG5xrt8ukerUKtr2dpZ30V2IsHBrKTHvA5TClQhv4gcOmzjU7mJu04WxqM/IGruc3gESwYKR5S/lJVXLULC3gKF1CoX9ovf2YvAF3tG0WM3R+61S/BvNjLATxjwPrlp5iIxkbpN2ebTYDZnENRC8X7JXeFAeBKnFzh9JoQi/+E+WqcZtBpQh/tYAYXCGphmnNLC5smrFYzraU/1p11PvrMNSgGiyJ2oGutGRTqItrIzdvXKnO5X2/yIVThS X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(136003)(376002)(396003)(346002)(39860400002)(366004)(451199021)(83380400001)(2616005)(186003)(2906002)(38100700002)(36756003)(86362001)(6486002)(8936002)(8676002)(316002)(41300700001)(6666004)(5660300002)(44832011)(7416002)(478600001)(66556008)(66946007)(66476007)(6506007)(1076003)(6512007)(4326008); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: AisVj1DGw6m8a0HRi20c6goGsS4y406MTLlohdzrUjgUppv87dOHiWvHjLu7tfsOewHsg97UKsxsQy6Dwrx/VgZKsOgcOjIm5qh071xXsoMwqG4ZddJxBLgnQDvoPekarBE2HhK4w96ObATU1rmkKfJBVEooH3mZ7dxYNXIBIgSf3plJrLtajhNyvc5m+T+v5P2KluVnuiRzFv1alkQ6cUdRPZpNFIGLTO4uTCszOQNZ+OAaLBrblGdqCaoF0fS9lTKDvvQZwM47akMomA5NU8OqKQSL2CnE9dlG6Mq7wgjAz/OfOs47KikUx1xlXxLtPGNhPTwbjIJj+n7XWy+AJEKGOuZlW+YT8vJSfgE/gjUcfkZ6bypYHDZBMx6sOgUAd1byyvP4++Wm7h9JHitnV5X2R/xD5D0CTVqWOqx9qSg1c/cujokgRvTFYxh4nhowVtxMQSUGfxnsOHvS0vJerMp5EKnZPieZ16rUd8vJ/AIfURcl7FqRkiVzbc/iAuJQ/JwAUuNwOAhGfKW2h5Vg2vf2jofJr6sww5awTP/nVvmlQ9wtyWaMAj6tnI8r7DYXURQsP9B8JZQYRlEIlqtyhQ8YaqJGWPEQBzDeSPxJMwfdtbzESNtaXRcxylkeQ662JZtXarfWciDQe9yGo+Hth5EsdnLYgAyA2blj6CqtV/U5w/hR4ernEZpfJECh51uT90ArHGh2/EJXtRuKZ+x+1X8YBAwBxo04a5TcfT4anzNBgbmYYmtsXRb47pm06yRvVr/FCoRS7Vn6lhz9JEGlZ+718tMsPP6TfkunIWt5k9NWmrGWTWaWPweLfvN36f/Yht7VQDLNqyY29s2LaaA9SHDyVwX/Yz6z7WRAQk4YDI9/heaOVZ5bGQzlP0UPX9HP+wRvb18NiYjZ5Pem2tTeomH/p5wDLcd6vt4DytMpMZ3BtGC9bruxHCiJ0ebLQMgjCO/R9MesAH7mHTiX83SNNJt5BZUclevaXo4pdTPPm9v5Msjd5I7tE2q1SEWV9wGk8J7hQN3ag8raRgWufDDeEokyDj4cfhW1ibViBas7TK6C2bo6toinEVP1E1AqU5nX7LO4fUdj5fmJGisxWHcRZ5phRw2/JtuImwb45oHFZDdajuAXp3wB7vwCsjzZSGQNpgxAOEZGX3m23tOJeTuXqTDEBHd9w9B8NocWQZLcd71hBiCIRj6WPk4+h/RpIORkyD23kwhE5Trw5Nqg/P1gxwYKZNoPqnCLJvmsauTb4XshPEvcVNryld55XLTM3BIK1tBecCJcw4XiUQ19pdZ1XLTtx8cDPXIxujGlb6OP6dWoa+/3LCqXr+O2pwt1+kYYEYgwozyUyfAdD3QsDDjATDXdiW/5pGvcwz6sn6ecSMNPVK1SmW4hFUEWSPpsTJxEWnUgMmddsljjpy1Z/0oSLnZl4ZPPFpC+V0EvQ3DruxDHtQPS9rUpHXj46ZNEWuam8p9iVYFdrM+HDf96VpJ6n1Xu9Sfnzl131JxFUnGOyw/O8FUnPS4uiAKoS57LBszhnPiFLoT6/zDL3dfL9vAHIb8aN5L4nIBHs9XpDTZJ73JcBNVZyClsgDMVu2Pw5T1b/d0QzAalouoEt6DRTYsPTfK6q9iiJgT1HtNXtOefL70= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: Ncv1Nw+1suxKcO/AvHVKquDy4fXMxJFGDt1F+RmL+ni/OJFwXCHzCO4Dvp/pY19WYFxuM0/DdjwOMwYe/yYql3XhBHor0XaMYXlJh6yWX6zniP4jnaBNk3h2Vr37uHPizzOfrzXY9UKymbvfNCmrowTQAkapIvnTYmC42hPEwV8wu56ISfuM5cocZV7zPHG2869s3NUNLNE+eTBIaE63lH1PfGHbK13uEP5IEZorEacJsEgKc5kHcKIQhvQZcLqmHWQpuO43z7nJF3Jo24sK6wyQI981lehrrI0AFmyCxzp1MUTEnpfco2SlBnkpF6bVBfDSBNJgiEkvBD17tLtAdj5yJ45axQxTq9x6WU0aXB+0Isj6k9XAq8lz7o3nAzzbyKidGu76W5OoreOd9611A5UaASrnmprCEfO9t0qBwkjys8KVeKThZ69iXEDNG/YmsJ5qr9AfmccBmW4odFAdkGg1IwU98AqB1jj3OUBAWMXbW7mqrt2NPKXSVZda1W32EzO+VLOhHBcipV8302/aOPNG1EV5epT8UKVyaZAscOsuhu+mx80DMzLgWodpe1dWIpFiByaa22Q4UTo4x+w6BnUiGYcIiP2HHvq1Dq8+CGD5dgMGwKMUGrxD0bkE4nDHfOmqNz4CzmX4BNpTUAwp3ONxexDEaen+3uHY5Ev+yHFnyBrleV+QF2kWjf3QB+mSw1KGUaxzLuam79zqe1k7jX0GfG8pbaAPFmsecJIAgQbE5IWPKa38XrA/MeO+apWnkOUmRJZLudGB7z1Dx+5yhmhgsCRrb9Ld2NZUvncYF7LDTE0XiLdPZR3g5hJUxajU9FGrMnNqSkZYCHwzAEyjbI9oC32HXVZdWaKIAI1X12JbbYwuEbJjzNKNJL4OIFb2cfEr5eF0dbrOsAfqpFGBq5U5cz7O+fG+hpkAXfFtbUCIz0sg/3CPSqH8WPC2L9VgBRkZvr0dxlXiWaNHgrEz+4ojDEv9sJCy2QBP3k2PXmYm8G7vy43dnVHiHtpMd+D6mwb7GuiF+GtQGjSLtmzm+squw7ouiscEogx1cfOhNY5lczy+0HGS2oKMThQzuZa6dOxJR7hDf+P+KiRQyV08D5TAIRNBgxPdZyNzKzDg8J0= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: b35df5d4-8d47-408d-13cb-08db50110d21 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 May 2023 22:10:37.0123 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: JLeMvitJG43/EDLVHwv1kUAQW6dFyWfjNa8AzlyeetbJENXFDnwF0u/rvwp2zY3dZU6o34WBlvcu601wazI2uIg3oClu2hCIrOUpNmTebUE= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR10MB7065 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-08_16,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 phishscore=0 adultscore=0 spamscore=0 suspectscore=0 malwarescore=0 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305080146 X-Proofpoint-ORIG-GUID: I9kAFTEb3FpvcC7JH2TzCnl-1dqHFdCn X-Proofpoint-GUID: I9kAFTEb3FpvcC7JH2TzCnl-1dqHFdCn Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add a new link restriction. Restrict the addition of keys in a keyring based on the key having digitalSignature usage set. Additionally, verify the new certificate against the ones in the system keyrings. Add two additional functions to use the new restriction within either the builtin or secondary keyrings. Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar --- certs/system_keyring.c | 52 +++++++++++++++++++++++++++++++ crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++ include/crypto/public_key.h | 11 +++++++ include/keys/system_keyring.h | 11 +++++++ 4 files changed, 118 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a7a49b17ceb1..4249c49bd43b 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -51,6 +51,27 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +/** + * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions + * by the built-in keyring. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in the built in system keyring. The new key + * must have the digitalSignature usage field set. + */ +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key) +{ + return restrict_link_by_digsig(dest_keyring, type, payload, + builtin_trusted_keys); +} + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring @@ -83,6 +104,37 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +/** + * restrict_link_by_digsig_builtin_and_secondary - Restrict digitalSignature + * key additions by both built-in and secondary keyrings. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in or the secondary system + * keyrings. The new key must have the digitalSignature usage field set. + */ +int restrict_link_by_digsig_builtin_and_secondary( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + /* If we have a secondary trusted keyring, then that contains a link + * through to the builtin keyring and the search will follow that link. + */ + if (type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &builtin_trusted_keys->payload) + /* Allow the builtin keyring to be added to the secondary */ + return 0; + + return restrict_link_by_digsig(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 276bdb627498..6b69ea40da23 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -148,6 +148,50 @@ int restrict_link_by_ca(struct key *dest_keyring, return 0; } +/** + * restrict_link_by_digsig - Restrict additions to a ring of digsig keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: A ring of keys that can be used to vouch for the new cert. + * + * Check if the new certificate has digitalSignature usage set. If it is, + * then mark the new certificate as being ok to link. Afterwards verify + * the new certificate against the ones in the trust_keyring. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a digsig. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + + if (!pkey) + return -ENOPKG; + + if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + + if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + + return restrict_link_by_signature(dest_keyring, type, payload, + trust_keyring); +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 653992a6e941..8eb5eff059f3 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -80,6 +80,10 @@ extern int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *trust_keyring); +int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); #else static inline int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, @@ -88,6 +92,13 @@ static inline int restrict_link_by_ca(struct key *dest_keyring, { return 0; } +static inline int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} #endif extern int query_asymmetric_key(const struct kernel_pkey_params *, diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..38f63f1c2cbe 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_digsig_builtin restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { @@ -41,8 +46,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_digsig_builtin_and_secondary( + struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING From patchwork Mon May 8 22:07:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 680278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7584CC7EE30 for ; Mon, 8 May 2023 22:11:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234394AbjEHWLa (ORCPT ); Mon, 8 May 2023 18:11:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48358 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229690AbjEHWLR (ORCPT ); Mon, 8 May 2023 18:11:17 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B6C4A61AD; Mon, 8 May 2023 15:11:15 -0700 (PDT) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 348JOmCD025761; Mon, 8 May 2023 22:10:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2023-03-30; bh=WAc2o8evP5QrJAXt5SFJeOiH/ErrwgwG5Vrrg8IgJBI=; b=P2E/OLwB8rMzih6truj8UnmE2dKbSSle7IteBONmjJ/gZku/uibU+cFPkQXtDBtUB4RF GJ0K8tMBdb6qDoDw/Kk28ZTonrd4MChAAj1FBgYaJFViybfxeLBvJVf3bTUDsUT3g0Fr CDXXAuZJusE8j1A9FsUd3B2sYh4JXVDnm64pcXBJUU3KSBWnmdNPoCnAtDJpmJ2zOqPq 82D3pMblKcg006ED3iF+mNlPdh6q+mbfjbpGoHN6v1c5b+L7EO1juMe3vKMDjw62QxLN DdFSPiiuGnLV7PUFmUKON827d7WpqRNBWqw47ajVVxzxxdmdUSJbPOrlfx2lcEaXQOcd 9Q== Received: from iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta01.appoci.oracle.com [130.35.100.223]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qf77709p4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:42 +0000 Received: from pps.filterd (iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 348LW7nD015439; Mon, 8 May 2023 22:10:42 GMT Received: from nam04-dm6-obe.outbound.protection.outlook.com (mail-dm6nam04lp2049.outbound.protection.outlook.com [104.47.73.49]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3qf77f56et-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:42 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BsDk7FF/kYRqRXPz8CbdkLY1uXMhIEaRaKMLf1J0Cqkgxa+Wj+x9Qx2cpwKyfYNQZz61V+oepdLEPYqUGa42Mto8yzr+AupwBtuCkt3+4dQtRVgH/d53FROqrDhcEA5lWAhSQ88mgi1qyNwkrhgpjCWdmB/7e5h0tk7YEvl+5zHrnrhI+0yWl4UO4Nw8aId8xahLDCWdMLKnhDbE+pjZIuIgx+0Vr/4F0ZJcENDxWLEGVGpWiGO8KMvTOT2bfKCx+vfh0JILmbh/RALfbU7siULUvSx/hmgsKLqnLz5eQMoCqts6qVTiJWFKISjRWF76nzjr1+29HrJsvS0AWVVDqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WAc2o8evP5QrJAXt5SFJeOiH/ErrwgwG5Vrrg8IgJBI=; b=iilygXdY3kp9vZl8HNS3Q/Kb2DRrpaeKpUA23635d9EQj+tP9jnnI133W64Y3bGoCmyWn8LDFm9WAVG3QOr2uAcCQVM3qpRdSQ6R7DQ1NH1s6xm0psR3inldRkRi8LYGoyy3HXwVJqLNwtotqWJGf5i+eGL1pUvtXL98PT2fwxRYthqnByCv1wrMxqa49/05GfH34RV8UBJ0hGdS99jPTxzz5PONxglrjLRLHv+1ytc1fXh1LSJgQHBDXdQfRCGvCcDGZLyDCq0jOEQOWLdf4czvOr93OXrqyQK9R5Hyt9K4O1AfCgWSkDGIlFNV4HeiPb5uZOF3XFKVHF+eMRhXiw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WAc2o8evP5QrJAXt5SFJeOiH/ErrwgwG5Vrrg8IgJBI=; b=uaJuQDsbZ7Iz9TvaTp/Lv41l5CmZokbq9A+FzogNtGGSr2JgPF/gw2gxots5R9Gf5uG91QCoZ5IcxmZa5vjhHwHZxLM1A95d2xOql5a1s+eyDxiwtKKHGcRdWKFk6k0FMaPpSbA5JDe2m6IQTehifA06hmkIOjnlgMFMDwr8LOg= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DS0PR10MB7065.namprd10.prod.outlook.com (2603:10b6:8:143::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.31; Mon, 8 May 2023 22:10:40 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e%4]) with mapi id 15.20.6363.032; Mon, 8 May 2023 22:10:40 +0000 From: Eric Snowberg To: zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 2/3] integrity: Enforce digitalSignature usage in the ima and evm keyrings Date: Mon, 8 May 2023 18:07:07 -0400 Message-Id: <20230508220708.2888510-3-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230508220708.2888510-1-eric.snowberg@oracle.com> References: <20230508220708.2888510-1-eric.snowberg@oracle.com> X-ClientProxiedBy: BY3PR03CA0019.namprd03.prod.outlook.com (2603:10b6:a03:39a::24) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|DS0PR10MB7065:EE_ X-MS-Office365-Filtering-Correlation-Id: df2284cf-9e60-469d-7231-08db50110efb X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 9h6UPQkvZDqoGeY4RbalhGy1pK6tb9FdeqGylmIIPKFt1O77nQJ+k1Hrd1JUBBZVa4F6isR75Rym4aYONxRUvjDe8jvjyKRNeLQaq+SwXppattlwZ4ltO7wr4sk/dIPPRAEy1PDj2G20vWMBfePXzWZMSr8ekP8+LRwdXaGG88Y0rqS83FMwPMiLmlSG+FTOg53yzzIhvR9abs4mjQDDaMs31sgBCwjjh5MmasCPHYWaef4TdTvd8O1EOTHmMFIXa3UcUDvZnUolkJn1ImRcv8r4aY2vqaRsXSpb0glp9xqz0QEQM7e1Hxsjg51+s/A6y+Yk/Eq7QkV9nUlqQVvnzmczr+TPy/eTvInVtsUXMeJZn57RpMm/PeS4SJBIMrX4/AdjkkI+7ThDjz5sZan1gCGfbn8Wc111ITcwRV3t4DiUeffwxEjiIwlcSZDf0oW0msYvvhQI/JwkEq1kqtR1piV7YeaD8IZlBser1nNldzaT3gEPXa1r89ZtyFc5k6AUnw/J/uvBxUQZE1ZVWuLbdefp7/N47Du/g/zfW2bN6sM= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(136003)(376002)(396003)(346002)(39860400002)(366004)(451199021)(83380400001)(2616005)(186003)(2906002)(38100700002)(36756003)(86362001)(6486002)(8936002)(8676002)(966005)(316002)(41300700001)(6666004)(5660300002)(44832011)(7416002)(478600001)(66556008)(66946007)(66476007)(6506007)(1076003)(6512007)(4326008); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: DeRtIrzdGhptxhaE692XkggExcajncWNpeDiyDRIeMzt6nItQ3YEa34QApQod0ZjS9Qx/rPpvLT7jb7yaZNgq1uknlU8CK8yOlveibU8QieIbuwei2egVrek5UH0BC1N9NW0ZmcDyF5UhIiDjqcaT1mh9SDHInWzmnJuC0gMNzJQFVrQR6M/XhgMCHA0e8nTK8vJmEORoMC8+/fg7gLyyEvFdmuixDUZGLiE26Mx/i3P2j5tnzuyZK8OZ/S1TLoXLLpr3p1FJhh5Gyu8cgH6QqV+Xhnyvox/oHTxsfhT3oWPDj5kBOgdNP8LZTvmWvZ6RuVLujccnm4opgZ87oQ7Y8EjEIbj59TQw6IWoGJxmCJ6RYDg5Wb7w3i7ao6PZVTENZG5YzvhJPijzLC31h+L7q/olT0lV1wuiUbOudkJIv2XOk7xhmiuVjkXis01TjL3qakx3X/mGBJOj3JilYKqEzA9PbYLGMqL1M8DbjDPoLXN8vQT7y1whkKnW7o2TcF4a2tYjtaCFTsBvpUHUap4TBWNMLyBjL+DjHn04MJ1ij5i7K7ixvR8dty84XBgLX2EdbglRsJKt3B7r+LonGz1D7YMigZojzVhb9TlcKV0P++U5tt6gdqfKClDrcFYTTTlrXPw/D7OuoAPBVApWAyTqT2LEjt7xW4wC+8K76F4XhN23h+VVtKwwKNyVODpQJsoKkaoSsCBVjNCG2Wd3Jz5PPhJHjw5vbxZRzPvYkNvjaJphyO4vmmTsTJ7m93WTAtZ+eyHbW3V91v+AuYwur2BPpiUed7mJn2F7RQs8NsSsKq4P8Jjcy/isXSLm8DOIeKAs9R62aXED/scQSoqaAH6r9t1g63MwzfqdTFm8rbb1NeWvKo0PNg5XNbdavUzQ1MZy2dQwFas3LK+rjo1YUdBnc46/5PO7zRfnX0Z/1xSr1rS0CEcmf737pt4nKi/nAQpdMcVBVr2fay8eDhKkalMvfaFZWB3bIccyJkhi12gzcBiFyC7CpxoVo83ECh6q+ia8GKQUdPPOaRYkn9DePqwvQ45yxmTj7PWObpluDPnOYCiZqWphrpmmE+7Vm2V9QRSy7nDpYnoUdM2Z/F5eQ+DPlSVmZtGUdmFH6BiVGaDF3AAVN2DtlfYRiYDl/6HOIzS/S87eDLc522zoj+BtFkDDEBONj1zwFdoJG4NgBswK4LmpZeFAAIoyuxGvb/C7uI3kAYp950Xtf5CSI1oSH7a3BtbgJ4R/60+5QkOaEtNxzEERhCh7r1RNu22Evsrri7hB5+zgU+4Bomz5idV5ZRmPmatkJfvMGG7U4X7laShOdr+NVjkR3Q48Rxf34ISm2uysKUAJEHcJtGGW/DsBUlBxf8ntKiocePzCs3FwM2LvXCU1e6FaZ1NSPND8ZPmZscSUcLb5nH21NfLJ21kAFXAPQxT0ICAfo2B9QezzFLM4T+aRrY6FBeCosUDpCFqceHJunCOVperE61J6/UnIO6Wgt81bOkccolAsqWmVRdEot7UDfKws0LhidCQGnGcq1tLHdfArISVr1gWN+fZolJflhuTNnJaLWeGPQ5bsfwCyjVIpLOpGdQQ8KkWr1IF9dlgqqDtXVj86l2SyJE6BvilIQd2qwwH/HhFDED/e42ZG0w= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: T16wsvkYXxfGbQIC5pVXrr8PcuhwjBxsAZMjGpadHa/pwfGxZ4HBk+YFrnMCgXaqWkfTWF66Melhgdud01A56u06ixnp+WJZqa4m2GKif23SlCnG2QImHiGCXdFA8H7wAv5msFwM5I1whdtuuU932J3413iovaM/+xaugKtuU+mPjRd3Ca7nrV2OAJ/4rNqNx6k8653vRVFgiaeJ0FFenIMIkcw3LtIGDruq4rUC2euBZc3GeCMovK2R1thrlP4N5Hi0R49l0BpEBqssZLBigvDHd4GCvGsHRNt5tBIEoyCaDvnPd5d2huYR9hoc3KaaRDb8FWUpYc1KbaL2fUx0hFit2E/qS/6wXidrshRkf3T17t+KjEWpsb+65f7zrYwubr8IomXbC0FirnfKhI4k2B1PzaPLhyIySZQdYM0rzV7q19qXZzGelIpGOb1/wUF+iX4jn/jagmW67Kh4vyhGkgJIgEK+E0+BoH6jfetzpOw9AzfURbnpDf7WcXRNFVGdJUZZGvfsqj+4IgPX6DF7Jv5QC99Qlp9tL28q4WGfNc7AWO/4jMLMHIssoAqGYEUME3m38agU2CZ1BpZytkWaaRZlqHZbPkLx4RLg0roRI3qP+x3l9kv4Mo6nM0jucog0BkShlvVJzA0/mqjHFh2iHry3xn5tMSIaM/2btyx6QqTMDawu8GhJCYzD+w99fO9ZJPOVCOeAROiMP0X41wr+o2UW7V41hoGZbs9rPBvsYjcv85JE+Vp7MnvKfOFgr2x4A7T9b7k1a7vY9N1gISYBCBE5B55r27uY4DID5gFYWQ0SwoffE8bSI7TIk5dg+zlJPfuSPrh0pvzJYyw52NK1jSc66NQcwxKRPwSkyez6dY5qbLwfw97hmQwKdgVCXXmqqIOjHInXi+HhsyRRAe9V7xA4GQibOcpRBKgb3JWVmX3eoKcCISMw1uooM9YZei+rd3i/cRispiFQ87rCNb/deZi+a2gXneC8EVYJi6NH+Ba4k1pBr6qR1+UcOxtoaEwq46M6Ly+MvMOCuLf2eCCVLMG/qvlXd+dlsDzxEowUE3EzDtwI8n22axHIarX7lz0XBLTOd9SbmkmlqRY2ThvvWRuWp5vBzXSLHt13USC9uag= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: df2284cf-9e60-469d-7231-08db50110efb X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 May 2023 22:10:40.1774 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: /dFVYDX1uD2S+Z1+NKez2DYxy4NlFhCDvNZlyoZSsgTpapoOkHjHPRUrDGNH4/AOTdSnkwY3wrQz63jPS1E6slJZo+kQ7hA+PvptFV3O4Rw= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR10MB7065 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-08_16,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 malwarescore=0 adultscore=0 spamscore=0 mlxscore=0 phishscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305080146 X-Proofpoint-GUID: NryV67p_AYvlZYAGQJh0ILmMLP0R3k0e X-Proofpoint-ORIG-GUID: NryV67p_AYvlZYAGQJh0ILmMLP0R3k0e Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org After being vouched for by a system keyring, only allow keys into the .ima and .evm keyrings that have the digitalSignature usage field set. Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com Suggested-by: Mimi Zohar Signed-off-by: Eric Snowberg Acked-by: Mimi Zohar --- security/integrity/digsig.c | 4 ++-- security/integrity/evm/Kconfig | 3 ++- security/integrity/ima/Kconfig | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f31ffe23c48..d0704b1597d4 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin #endif static struct key *integrity_keyring_from_id(const unsigned int id) diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index a6e19d23e700..fba9ee359bc9 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig @@ -64,7 +64,8 @@ config EVM_LOAD_X509 This option enables X509 certificate loading from the kernel onto the '.evm' trusted keyring. A public key can be used to - verify EVM integrity starting from the 'init' process. + verify EVM integrity starting from the 'init' process. The + key must have digitalSignature usage set. config EVM_X509_PATH string "EVM X509 certificate path" diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..684425936c53 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help Keys may be added to the IMA or IMA blacklist keyrings, if the key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + secondary trusted keyrings. The key must also have the + digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, From patchwork Mon May 8 22:07:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 679957 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67A0AC7EE22 for ; Mon, 8 May 2023 22:11:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234303AbjEHWLe (ORCPT ); Mon, 8 May 2023 18:11:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233958AbjEHWL2 (ORCPT ); Mon, 8 May 2023 18:11:28 -0400 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF83D65A4; Mon, 8 May 2023 15:11:20 -0700 (PDT) Received: from pps.filterd (m0246629.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 348JOfdT019671; Mon, 8 May 2023 22:10:50 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2023-03-30; bh=/ML4z9buu/tKu3pmw4Uu+TAMQuENNubX/WpRl8kjGMw=; b=HGAZJSvRNxqUYJoNZAZTvgpx8alticJ0txdZhzIUkrBn2AsgGCyTwM05BDfHh3j4oh6T PgTMuxOHE8OSGLDv9RPjDyKjg1jOTZAU5gjRzlvx6k2kp3ikIxmjxV5aq14jFB8E6te/ gdLZUelmNZ0sxOjWU2LFGQ+z/waOd49EfggnwsczYKxtPTS8reCpKc2OaUPDr3sky3Uq R6TZZNh9jiF6OjGjDYnGo5CHWEXph2KQfAdujZz3/a3RNT5Mzs1EeRXm4qByjp3X1e9t si8xErXMrPCo5/yGZ/0N0OeOIcKgGj0ps3sJE68lMsNyTGPNumqrgVNijZ2ArxnZx+iF pg== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qf778r9xg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:49 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 348Jv2Wo005865; Mon, 8 May 2023 22:10:48 GMT Received: from nam02-dm3-obe.outbound.protection.outlook.com (mail-dm3nam02lp2046.outbound.protection.outlook.com [104.47.56.46]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3qf7pgc65b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:48 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DGa1fXS1Ze3QUDA+w2R+rlkgBBC/5iuLUe0F2xpv0jYiIgSPpnDkIIvSF2g1Vi4eFwGapqfNqmjoMMp2oodMg3Fyz6U5eR7d/WByMdtomo4Ugebuw7DFe7zW2w8nGF0apE3+dBl9hJZb3iB0de1YggnhcL1iEvurcbixte+0kphU/11f49mbwF4canX+nWndZLGyupxvQYCtJ6b3UJ2Nh3wjUYMg9OL/j0YbYKmktBIW38z3pZFUngUsOzp7SGMLHm9m2Kjve5oaLeV4QlZRM7xOualu3yGaAeBqncreByxYcQ7ioEz9ZAhRTYTQWDSW0br3FGjgz74bUM/FOIIF4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/ML4z9buu/tKu3pmw4Uu+TAMQuENNubX/WpRl8kjGMw=; b=RZ5QZTOG8vEkEQqbgMBYTkf9HDnx0dasUKiheaYC0Vc0AtDMS5uL6tGbqBaGzTINl7pbwXP2H2nryV41nvMQuY5rYYSz3oIsYbWTlOV+BljabYKLbCvUaNaRpIs4QAYgck41fDQDnvjB1gW5rbYElGPBtRwLLk53gj96FCChKt7hUNXtZ7Xu1tqQft6hiaWd1Joii1IK9/jBPAbVbS1cbZnED1CewkG9BQohaISLsC6WyjZqx61/YbY7nEhuDhpSf+dJWviXt5nyPHqwWfioU2fBy1Hrhjw+yBN4f6lGpYcO4gZK4lGBWKLGWWzD/6XJeW7dNMr/672MDJ7M/DGsBA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/ML4z9buu/tKu3pmw4Uu+TAMQuENNubX/WpRl8kjGMw=; b=xRh1gEZCrCPlqeUSQNXN5pQ69JSu9QRwsWdBnpfGYNHNiPzGVGw19ZbrBXPKJdb1iP4a2BhNO865fPxtuYdYiT1FuUVSBuXuVx1iRaRHHmsqLOirGcpxpS7tBcTGq2Ky5c+ETJ+v3Wec8r/f6AoCFkP/oyAgKy51mZvS1Y0qmgs= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DS0PR10MB7065.namprd10.prod.outlook.com (2603:10b6:8:143::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.31; Mon, 8 May 2023 22:10:46 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e%4]) with mapi id 15.20.6363.032; Mon, 8 May 2023 22:10:46 +0000 From: Eric Snowberg To: zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 3/3] integrity: Remove EXPERIMENTAL from Kconfig Date: Mon, 8 May 2023 18:07:08 -0400 Message-Id: <20230508220708.2888510-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230508220708.2888510-1-eric.snowberg@oracle.com> References: <20230508220708.2888510-1-eric.snowberg@oracle.com> X-ClientProxiedBy: LO2P265CA0371.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:a3::23) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|DS0PR10MB7065:EE_ X-MS-Office365-Filtering-Correlation-Id: b6319162-f24b-4e5c-f0fb-08db501112d3 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: mK11fKzeBN+DuiFGPULydUxcv+z8d56Os9tPiZIU2MDmzOEBMqpAbPbwwc85MOx7Z2F6XgHOGXKRDOOHnp7iLky4bDINBmQzBASOsTUoZwt3Tu3XcDatpmWR7S8Dcm/XCn65YsIPXcVlTnY/hhMkjEFfXhPT4X8vWkJ9xA0ddNidIUsz524vSsTt90WfdTCfvV6IxZM7327/k2zQCSLC5FiHUp/99M4v225FrCFWOiYrJVvh67fzxF5rwHaqHS3OeH9+cxGn5CCbudnEt2LRdHkulvyyT0AAVPIajtOgc9cxITHjt5HRhu9WlebH1wWfFo1wEQGlzB+DHaZplwsFtFM8Pj37brbc1UQWfnFjWqKaQaRaargvaOTjP1thnOpX5yd/0AMYZdSlPPs46Bi5EikjhILE/5mytx2qlYXmtrjUqELv36qbPx1ApxaMID/09DbWWLJcbQSLwpWpRcw8a+7KcAAiFlEfGlKe3ucsCPDNAysMGlyaoIS8NgteF9iXxJKrfnjmV5W9CMT6wbT0VZcBTpbKKA4BVML7MngqGXo4PZ9+bNEy0c5JXQkjVHeq X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR10MB4150.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(136003)(376002)(396003)(346002)(39860400002)(366004)(451199021)(83380400001)(2616005)(186003)(4744005)(2906002)(38100700002)(36756003)(86362001)(6486002)(8936002)(8676002)(316002)(41300700001)(6666004)(5660300002)(44832011)(7416002)(478600001)(66556008)(66946007)(66476007)(6506007)(1076003)(6512007)(4326008); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: tKWend+t8WvzJeg86uixEx2F+LdKsSvzKlgrps0ICELjgszCrc7GUS0gC8cAWiUiF33wY2nHLPPW2UG3vzvCPdTMk7d7++hduwl4VIB4Hl/eMu0goqgUTJLpaQ+ffd/LjW+H/THH22nWZlXTRkkt6LGbEJVNe0bwZi8E1nrgoYNVw2v4SGhW98ChifDagvvDvUdkR6SxtIei+c8R/MRvAjq9CEZwYaqvNJ2X+a7k2V4IV7NHvh3OuIWLmZuY/Oc2/KnQl07nU8pUMJl9473EiF75avhx4zsNmxrFBHk3jBdwy2mdRpoQj+3KAM57DJPexAwTrhNagE1dqRxczbqcrrojpjE6ES1pH2A7CEIfRyJln4VIbq6/mcWmL3wHb1fivbUXiDldTu4rrvlVdJgTO+lZ4Ad8bCFW0/QnhNbcTjf1JF8TqzAUGFNGs9Gd6Rg8sBYswnX4w10ltIP9+pRs/qKdIJhe+d1Nd6/KdH8JJnu/JZ0VRE6UHZCPygPnLRQaiJhKtU9FC/SZkq0GhwDQundgP30l1y/KBLJY4A6o4bufxyZ6KGwcFWEq2GLFiWUIzWvIxXer6RyPMR4JlSKyMe1nv+TqkNgERn7wG5HlHruayW8vouXAWe0zy6GbFlmQUJtyFuswX9YRHTD4EQjgZn035M/tQGUfeCrbqhUocHU71E4x6ROmtwLQanjaMNlYn+eGmYzZiGnzbSWKCAciSO4aCfeGX+3s5PtswDAwADgHtVyEDittafnGgCOmC/gY04Winq7/SOgLOXF46FVQmtiTfxwTg+d9TkS7+JNZYAt4xxS6AlNoVbjawkBSw79J09tfXb25Sy5Fvsw+6rhpmCrPfYmMfeXIvKzvGyqGuD2gDSY2hvxZh4OBmPc1b+5bw54kk7n19RIiexEMO/OU4eUI/uw19E1BJ2MtosOELyMUqEMTXh7H45GCkWlvVChjLpAuhL190H8kNa0gtrMNnkodwopcTSnGU2y5qVkRrLM8Ou+DxYJVRbd9H5TQbaU5s6y93RZStW/IjRMrTu2uN2o/qMfEFq2D7H82AwWHGMTmN6e9r7VA2+HU56j3Z+gHaSJMnbvZuuxITfRuXZjtBUx18f+nvKGpcswan0GAOVmNvNAzvEhe7D4qBOKinSImi9OXBduJdnKCZ4KbW73v4YfzfIbQSuowVRtfSvbYOwOXZKs+4ioHhAnc0ClMt/r0WkfFm6F/GGK/gvJvtdkhA1glBGopPB89idIDB5+xuKfctH/uAX0ZxnpHvCveMc49nzjCrWg7K5solbwMpTNjzgTb4X3GnI3f+xiLqfJzT2gqLeoW27lCDavyT5Jd8Jz/y1ao6ogcMBbzv5MCSo8eDW2ko2dMsAvZdaNHTgtWVfevdHreWR8jqs6/gW5pZdJcgdTtkYRtyzjooEbvKgTZwiqzKadGE3Eq2k7Q2kvQ0s8vgFE3fdyFSnx+h+SHOqVz53nfEh64yE4OeWzL1TOfPjLJ5KI0fV+11BeLw/2tlb0dcsFEtIg70zmmBzhXsWudIdWq6OF6aLKMphkXEyZ1jUSqiA5s644tvvKtcm51z/y2DIf3Rg2lHEB/m4wuE8+Bp7oaCPMUO/m1ftEW1ShPc7YXadcDN+T8GmkG7t/OVJI= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: cv3d0bTVmt9U8ZvKOsjSK6GHdcpjk41ON9VtE1CArPrQRiImB765qUAQb3g38oyOUlhDlh/GPOt0+fo9CLOqqcql2S8tKx/USQQpPNjYjyzO0ySa49PA01lpDNgmmaMNs0uPlYG6ZFS0fAxJyF8vFBuyDKG7Skdl3+ligUC/O0WZltVcyYDjQieza8M0r4VAF8+NSLzVmc/06KvP06sm+ta1lMFRt0mCuIe/kfP4iUFOoHQkq//ixNhQq5cJ6wbgh27MvrkyC2F3XovMKKMNOe7tFQ9vJBcIeKxLlVjoo4ATJZa2HKSaCU8sci+k+pahjY+ms2wANuoOQDjfp22l5zVT6TjsXT/QfzeG5esOClMQO7bnh9/79ndiTO9gkiJF6vrLjOd+GrwdXYXGvjycfJIYIeHDZYEhBHnTGXsc0CHbII5PhhLExhedR5+P19gVZPkATiAboeRxE6gpHCANVPS2RfqlJdqsR9FasKrFBxnRRKOH6H2xZos6UzGmyxVQ1xPZ6+WGaU0bhod3bar4xE87G8c4mRe0KWlTGamqfq/AHDPW9lQuCYeK9sa3LTkW9f+mXd2JGkRHxnx6GCGeOUimNLdCe+O9TRCkr1Vyaf3JcX+aBq7PN45D8AlCuWcAHw6lhEIisAGthGXdjEpDYNjbO6gSqqhw6yvFFtE+PjehVJXPjNU7TDI6stqrjJOWkSFlnFWftLIR3fmuifTBQYj1Od8+VR9V5dXxaDxNGSKj7WlvqB3PFcrAskXawvx++qaLziJLUbKKcnJNjKh2cX9C+kfzqluHXvayOFC/mCoaXl6e5fPoJJn828LS2ckgtSY2W/ZOB7fsNlO1UmrnCwLwLOuSv6umQ2m5akh0xXikHHDv+hgI4lBJKDNEsnX096l/EpoGJkNELCwVoEGRpkdeNQRQdg8OB/uBDL2AunXSgMuXSS2dZTk07roEqT0+PfEpClYMrjJ88BBbFhDv340Tl3OgVOqgLrJaVzOucSUiWP5/NSlghOTv6lMXjdlklIenklx1hkk71/XVCBmFfO941gCYIAkR2kWXzvxPbzuwL+4qN+KvV2Vx+mgasnBOq3wGUai+fbciP33lKbRneH7QPAFrCxjnY4GeqdGKjWg= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: b6319162-f24b-4e5c-f0fb-08db501112d3 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 May 2023 22:10:46.5284 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: ahJ7pR+2g0wd+KVCjL89s2OigDGfb971KClfsCBPdrRMb1kYqbHor8Oy4JJLCxJi6+e1e1awsTFsFqAlR3vbOE1S1kcAFltzml231f/SSEc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR10MB7065 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-08_16,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 adultscore=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305080146 X-Proofpoint-GUID: uJW5mHjC2nWt5miknFr4JmFnFpko7Plt X-Proofpoint-ORIG-GUID: uJW5mHjC2nWt5miknFr4JmFnFpko7Plt Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Remove the EXPERIMENTAL from the IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig now that digitalSignature usage enforcement is set. Signed-off-by: Eric Snowberg Acked-by: Jarkko Sakkinen Reviewed-by: Mimi Zohar --- security/integrity/ima/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 684425936c53..225c92052a4d 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -261,7 +261,7 @@ config IMA_TRUSTED_KEYRING This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" + bool "Permit keys validly signed by a built-in or secondary CA cert" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS