From patchwork Fri May 31 00:39:38 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 800666
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 1/8] certs: Introduce ability to link to a system key
Date: Thu, 30 May 2024 18:39:38 -0600
Message-ID: <20240531003945.44594-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org
Introduce a new function to allow a keyring to link to a key contained within one of the system keyrings (builtin, secondary, or platform). Depending on how the kernel is built, if the machine keyring is available, it will be checked as well, since it is linked to the secondary keyring. If the asymmetric key id matches a key within one of these system keyrings, the matching key is linked into the passed in keyring.

Signed-off-by: Eric Snowberg
---
 certs/system_keyring.c        | 31 +++++++++++++++++++++++++++++++
 include/keys/system_keyring.h |  7 ++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 9de610bf1f4b..94e47b6b3333 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -426,3 +426,34 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +/** + * system_key_link - Link to a system key + * @keyring: The keyring to link into + * @id: The asymmetric key id to look for in the system keyring + */ +int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + struct key *system_keyring; + struct key *key; + +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + system_keyring = secondary_trusted_keys; +#else + system_keyring = builtin_trusted_keys; +#endif + + key = find_asymmetric_key(system_keyring, id, NULL, NULL, false); + if (!IS_ERR(key)) + goto found; + + key = find_asymmetric_key(platform_trusted_keys, id, NULL, NULL, false); + if (!IS_ERR(key)) + goto found; + + return -ENOKEY; + +found: + key_link(keyring, key); + return 0; +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 8365adf842ef..b47ac8e2001a 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -9,6 +9,7 @@ #define _KEYS_SYSTEM_KEYRING_H #include +struct asymmetric_key_id; enum blacklist_hash_type { /* TBSCertificate hash */ @@ -28,7 +29,7 @@ int restrict_link_by_digsig_builtin(struct key *dest_keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int system_key_link(struct key *keyring, struct asymmetric_key_id *id); #else #define restrict_link_by_builtin_trusted restrict_link_reject #define restrict_link_by_digsig_builtin restrict_link_reject 
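Review bot: In the certs/system_keyring.c hunk of patch 1/8, the `found:` path discards the return value of key_link() and never drops the reference that find_asymmetric_key() handed back, so a link that fails (for example one rejected by the destination keyring's link restriction) is still reported as 0 and the matched key leaks a reference on every successful lookup. Suggest replacing the two lines after `found:` with `ret = key_link(keyring, key); key_put(key); return ret;`. Separately, platform_trusted_keys is read unconditionally immediately after the `#endif` that closes the conditional block holding set_platform_trusted_keys(); unless that variable exists in every configuration, the platform lookup needs the same config guard or an explicit NULL check before find_asymmetric_key() is called with it, and the kernel-doc should gain a Return: line stating 0 on link and -ENOKEY when no system keyring holds the id.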
@@ -38,6 +39,10 @@ static inline __init int load_module_cert(struct key *keyring) return 0; } +static inline int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + return 0; +} #endif #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

From patchwork Fri May 31 00:39:42 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 800665
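Review bot: In the include/keys/system_keyring.h hunk of patch 1/8 (@@ -38,6 +39,10 @@), the inline stub of system_key_link() under the `#else` branch returns 0, which a caller reads as "a matching system key was found and linked" even though nothing was linked, while the real implementation returns -ENOKEY when no match exists. Returning -ENOKEY from the stub (as the neighbouring restrict_link_* macros fall back to restrict_link_reject) keeps the two builds behaving the same from the caller's point of view; if 0 is intentional, the header should say so next to the stub.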
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 5/8] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE)
Date: Thu, 30 May 2024 18:39:42 -0600
Message-ID: <20240531003945.44594-6-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org
Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new usage will be used for validating keys added to the new clavis lsm keyring. This will be introduced in a follow-on patch.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/asymmetric_type.c | 1 +
 crypto/asymmetric_keys/pkcs7_verify.c    | 1 +
 include/linux/verification.h             | 1 +
 3 files changed, 3 insertions(+)

diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index a5da8ccd353e..7fdc006f18d6 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -25,6 +25,7 @@ const char *const key_being_used_for[NR__KEY_BEING_USED_FOR] = { [VERIFYING_KEY_SIGNATURE] = "key sig", [VERIFYING_KEY_SELF_SIGNATURE] = "key self sig", [VERIFYING_UNSPECIFIED_SIGNATURE] = "unspec sig", + [VERIFYING_CLAVIS_SIGNATURE] = "clavis sig", }; EXPORT_SYMBOL_GPL(key_being_used_for); diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index f0d4ff3c20a8..1dc80e68ce96 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -428,6 +428,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, } /* Authattr presence checked in parser */ break; + case VERIFYING_CLAVIS_SIGNATURE: case VERIFYING_UNSPECIFIED_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid unspecified sig (not pkcs7-data)\n"); diff --git a/include/linux/verification.h b/include/linux/verification.h index cb2d47f28091..970f748b5cc9 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h 
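Review bot: In the crypto/asymmetric_keys/pkcs7_verify.c hunk of patch 5/8, letting VERIFYING_CLAVIS_SIGNATURE fall through into the VERIFYING_UNSPECIFIED_SIGNATURE case means a clavis signature whose content type is not pkcs7-data is rejected with `pr_warn("Invalid unspecified sig (not pkcs7-data)\n")`, which will mislead anyone debugging a failed clavis keyring load. Give the new case its own warning text (or reword the shared one to name both usages), and add a one-line comment above the added `case` stating that clavis signatures are deliberately held to the same pkcs7-data requirement, since the commit message does not explain why the unspecified rules were chosen for this usage.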
@@ -36,6 +36,7 @@ enum key_being_used_for { VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, VERIFYING_UNSPECIFIED_SIGNATURE, + VERIFYING_CLAVIS_SIGNATURE, NR__KEY_BEING_USED_FOR }; extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];

From patchwork Fri May 31 00:39:43 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 800664
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 6/8] keys: Add ability to track intended usage of the public key
Date: Thu, 30 May 2024 18:39:43 -0600
Message-ID: <20240531003945.44594-7-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org
Add two new fields in public_key_signature to track the intended usage of
the signature. Also add a flag for the revocation pass.

During signature validation, two verifications can take place for the same
signature: one to see if it verifies against something on the .blacklist
keyring and the other to see if it verifies against the supplied keyring.
The flag is used to determine which stage the verification is in.

Signed-off-by: Eric Snowberg
---
 certs/blacklist.c                     |  3 +++
 crypto/asymmetric_keys/pkcs7_trust.c  | 20 ++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_verify.c |  4 ++++
 include/crypto/pkcs7.h                |  3 +++
 include/crypto/public_key.h           |  4 ++++
 5 files changed, 34 insertions(+)

diff --git a/certs/blacklist.c b/certs/blacklist.c index 675dd7a8f07a..dd34e56a6362 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c
@@ -17,6 +17,7 @@ #include #include #include +#include #include "blacklist.h" /* @@ -289,7 +290,9 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7) { int ret; + pkcs7_set_usage_flag(pkcs7, PKS_REVOCATION_PASS); ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + pkcs7_clear_usage_flag(pkcs7, PKS_REVOCATION_PASS); if (ret == 0) return -EKEYREJECTED; diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 9a87c34ed173..64d70eb68864 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -131,6 +131,26 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return 0; } +void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + clear_bit(usage, &sinfo->sig->usage_flags); + } +} + +void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + set_bit(usage, &sinfo->sig->usage_flags); + } +} + /** * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 1dc80e68ce96..44b8bd0ad4d8 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -455,6 +455,10 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, return ret; } actual_ret = 0; + if (sinfo->sig) { + sinfo->sig->usage = usage; + set_bit(PKS_USAGE_SET, &sinfo->sig->usage_flags); + } } kleave(" = %d", actual_ret); diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..6c3c9061b118 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h 
@@ -32,6 +32,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, struct key *trust_keyring); +extern void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); +extern void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); + /* * pkcs7_verify.c */ diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b7f308977c84..394022b5d856 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -49,6 +49,10 @@ struct public_key_signature { const char *pkey_algo; const char *hash_algo; const char *encoding; + u32 usage; /* Intended usage */ + unsigned long usage_flags; +#define PKS_USAGE_SET 0 +#define PKS_REVOCATION_PASS 1 }; extern void public_key_signature_free(struct public_key_signature *sig);
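Review bot: in the is_key_on_revocation_list() hunk the revocation-pass marker is stored into every signed_info's public_key_signature around the pkcs7_validate_trust() call instead of being passed to it, which makes the blacklist walk depend on caller-managed state in the message object and non-reentrant for a shared pkcs7_message. An internal variant that takes the pass as an argument, e.g. `pkcs7_validate_trust_flags(pkcs7, blacklist_keyring, PKS_REVOCATION_PASS)`, would carry the same information without a set/clear pair that a future early return between the two lines could leave set.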
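Review bot: the pkcs7_set_usage_flag()/pkcs7_clear_usage_flag() hunk in pkcs7_trust.c adds two non-static functions that are declared in pkcs7.h but carry no kernel-doc, unlike pkcs7_validate_trust() directly below them; the parameter is also named `usage` although it is a bit number into usage_flags (PKS_REVOCATION_PASS), not a usage value like the sig->usage that the pkcs7_verify() hunk sets. Renaming the parameter to `flag` (or the functions to pkcs7_set_sig_flag()/pkcs7_clear_sig_flag()) and adding a /** ... */ block for each would keep the two concepts apart.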
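Review bot: in the pkcs7_verify() hunk sig->usage and PKS_USAGE_SET are written at the bottom of the per-signed_info loop, so they are populated only for a signed_info that verified and only when trust validation is reached through pkcs7_verify(); pkcs7_validate_trust() can also be called without a preceding pkcs7_verify(), in which case usage is never set. Whatever consumes sig->usage in the later patches should test PKS_USAGE_SET first and treat a clear bit as unknown usage, and a one-line comment here saying this is the only place the field is populated would help the next reader. The `if (sinfo->sig)` guard also looks redundant at this point, since pkcs7_verify_one() has already dereferenced sinfo->sig for this signed_info.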
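Review bot: the public_key.h hunk's `/* Intended usage */` comment does not say what the new u32 usage field holds (the enum key_being_used_for value passed to pkcs7_verify(), per the pkcs7_verify.c hunk) nor that it is meaningful only while PKS_USAGE_SET is set, and nothing documents that PKS_REVOCATION_PASS is transient per-call state that the caller sets and clears around pkcs7_validate_trust(). A short comment on each of the two fields and on the two bit definitions would make the contract visible to anyone reading the struct without the rest of the series.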
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 7/8] clavis: Introduce a new key type called clavis_key_acl
Date: Thu, 30 May 2024 18:39:44 -0600
Message-ID: <20240531003945.44594-8-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-crypto@vger.kernel.org
Introduce a new key type for keyring access control. The new key type is
called clavis_key_acl. The clavis_key_acl contains the subject key
identifier along with the allowed usage type for the key. The format is as
follows:

XX:YYYYYYYYYYY

XX - Single byte of the key type
     VERIFYING_MODULE_SIGNATURE       00
     VERIFYING_FIRMWARE_SIGNATURE     01
     VERIFYING_KEXEC_PE_SIGNATURE     02
     VERIFYING_KEY_SIGNATURE          03
     VERIFYING_KEY_SELF_SIGNATURE     04
     VERIFYING_UNSPECIFIED_SIGNATURE  05
:  - ASCII colon
YY - Even number of hexadecimal characters representing the key id

This key type will be used in the clavis keyring for access control. To be
added to the clavis keyring, the clavis_key_acl must be S/MIME signed by
the sole asymmetric key contained within it.

Below is an example of how this could be used. Within the example, the key
(b360d113c848ace3f1e6a80060b43d1206f0487d) is already in the machine
keyring.
The intended usage for this key is to validate a signed kernel for kexec:

echo "02:b360d113c848ace3f1e6a80060b43d1206f0487d" > kernel-acl.txt

The next step is to sign it:

openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in \
  kernel-acl.txt -out kernel-acl.pkcs7 -binary -outform DER \
  -nodetach -noattr

The final step is how to add the acl to the .clavis keyring:

keyctl padd clavis_key_acl "" %:.clavis < kernel-acl.pkcs7

Afterwards the new clavis_key_acl can be seen in the .clavis keyring:

keyctl show %:.clavis
Keyring
 keyring: .clavis
  \_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
  \_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d

Signed-off-by: Eric Snowberg
---
 .../admin-guide/kernel-parameters.txt |   2 +
 security/clavis/clavis_keyring.c      | 128 ++++++++++++++++++
 2 files changed, 130 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 4d505535ea3b..c2d498eb2466 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -629,6 +629,8 @@ keyrings (builtin, secondary, or platform) to be used as the Clavis root of trust. Format: { } + See Documentation/admin-guide/LSM/clavis.rst for + details. clearcpuid=X[,X...] [X86] Disable CPUID feature X for the kernel. See diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 1225a8ee1e5a..9b3db299acef 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -2,13 +2,18 @@ #include #include +#include #include +#include #include +#include +#include #include "clavis.h" static struct key *clavis_keyring; static struct asymmetric_key_id *setup_keyid; +#define MAX_ASCII_KID 64 #define MAX_BIN_KID 32 static struct {
@@ -16,6 +21,123 @@ static struct { unsigned char data[MAX_BIN_KID]; } setup_key; +static int pkcs7_preparse_content(void *ctx, const void *data, size_t len, + size_t asn1hdrlen) +{ + struct key_preparsed_payload *prep = ctx; + const void *saved_prep_data; + size_t saved_prep_datalen; + const char *p; + char *desc; + int ret, i; + + /* key_acl_free_preparse will free this */ + desc = kmalloc(len, GFP_KERNEL); + + if (!desc) + return -ENOMEM; + memcpy(desc, data, len); + + /* remove any white space */ + for (i = 0, p = desc; i < len; i++, p++) { + if (isspace(*p)) + desc[i] = 0; + } + + prep->description = desc; + saved_prep_data = prep->data; + saved_prep_datalen = prep->datalen; + prep->data = desc; + prep->datalen = len; + ret = user_preparse(prep); + prep->data = saved_prep_data; + prep->datalen = saved_prep_datalen; + return ret; +} + +static void key_acl_free_preparse(struct key_preparsed_payload *prep) +{ + kfree(prep->description); + user_free_preparse(prep); +} + +static int key_acl_preparse(struct key_preparsed_payload *prep) +{ + /* Only allow the description to be set via the pkcs7 data contents */ + if (prep->orig_description) + return -EINVAL; + + return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, clavis_keyring, + VERIFYING_CLAVIS_SIGNATURE, pkcs7_preparse_content, + prep); +} + +static int key_acl_instantiate(struct key *key, struct key_preparsed_payload *prep) +{ + key->perm |= KEY_USR_READ; + key->perm |= KEY_USR_SEARCH; + set_bit(KEY_FLAG_KEEP, &key->flags); + return generic_key_instantiate(key, prep); +} + +static void key_acl_destroy(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("destroy clavis_key_acl denied\n"); +} + +static void key_acl_revoke(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("revoke clavis_key_acl denied\n"); +} + +static int key_acl_update(struct key *key, struct key_preparsed_payload *prep) +{ + return -EPERM; +} + +static int 
key_acl_vet_description(const char *desc) +{ + unsigned char data[MAX_BIN_KID]; + int ascii_len, hex_len, error; + + ascii_len = strlen(desc); + + /* + * clavis_acl format: + * xx:yyyyyyyyy... + * + * xx - Single byte of the key type + * : - Ascii colon + * yyyy - Even number of hexadecimal characters representing the keyid + */ + if (ascii_len < 5 || ascii_len > (MAX_ASCII_KID + 3) || desc[2] != ':') + return -EINVAL; + + /* move past the colon */ + ascii_len -= 3; + hex_len = ascii_len / 2; + error = hex2bin(data, desc + 3, hex_len); + + if (error < 0) + pr_err("Unparsable clavis key id\n"); + + return error; +} + +static struct key_type clavis_key_acl = { + .name = "clavis_key_acl", + .preparse = key_acl_preparse, + .free_preparse = key_acl_free_preparse, + .instantiate = key_acl_instantiate, + .update = key_acl_update, + .revoke = key_acl_revoke, + .destroy = key_acl_destroy, + .vet_description = key_acl_vet_description, + .read = user_read, +}; + static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *restrict_key) { @@ -30,6 +152,9 @@ static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_t return 0; } + if (type == &clavis_key_acl) + return 0; + return -EOPNOTSUPP; } @@ -64,6 +189,9 @@ static int __init clavis_keyring_init(void) { struct key_restriction *restriction; + if (register_key_type(&clavis_key_acl) < 0) + panic("Can't allocate clavis key type\n"); + restriction = kzalloc(sizeof(*restriction), GFP_KERNEL); if (!restriction) panic("Can't allocate clavis keyring restriction\n");
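Review bot: the kernel-parameters.txt hunk points readers at Documentation/admin-guide/LSM/clavis.rst, but that file is not in this patch's diffstat; make sure the patch that adds it sits before 7/8 in the series, otherwise the reference dangles at intermediate bisect points.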
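Review bot: in the clavis_keyring.c `@@ -2,13 +2,18 @@` hunk, MAX_ASCII_KID 64 is silently 2 * MAX_BIN_KID, and key_acl_vet_description() depends on that relationship (its length check uses MAX_ASCII_KID + 3 while the hex2bin() target buffer is MAX_BIN_KID bytes). Defining it as `#define MAX_ASCII_KID (MAX_BIN_KID * 2)` keeps the two from drifting apart and turning the check into a stack overflow of `data`.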
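Review bot: in the `@@ -16,6 +21,123 @@` hunk pkcs7_preparse_content() never NUL-terminates the description: kmalloc(len) plus memcpy() copies exactly len bytes and the loop only writes a 0 over whitespace, so a payload without a trailing newline (anything not produced by echo) leaves desc unterminated, and the strlen(desc) in key_acl_vet_description() (and the keyring core's own use of the description) reads past the allocation. kmemdup_nul(data, len, GFP_KERNEL), or kzalloc(len + 1), followed by stripping the trailing newline fixes that; the "remove any white space" comment is also misleading, since writing 0 at each whitespace terminates the string at the first one rather than removing it. Two checks the format comment promises but key_acl_vet_description() does not make: it never requires an even number of hex digits (hex_len = ascii_len / 2 drops an odd trailing nibble, so "02:abc" is accepted as "02:ab"), and the leading xx byte is never validated as two hex digits in the 00-05 range from the commit message, so "zz:..." passes. Finally, key_acl_destroy()/key_acl_revoke() return void and so cannot deny anything; the real protection is KEY_FLAG_KEEP set in key_acl_instantiate(), and should destroy ever run, the payload from user_preparse() is leaked, so `.destroy = user_destroy` without the pr_info() is the safer choice.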
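Review bot: in the restrict_link_for_clavis() hunk, returning 0 for type == &clavis_key_acl means the keyring restriction itself checks nothing about ACL keys; the only gate is the verify_pkcs7_signature() call against clavis_keyring in key_acl_preparse(). That holds as long as every clavis_key_acl is created through preparse, but it deserves a comment at the return, since someone reading restrict_link_for_clavis() alone would conclude that ACL keys link unconditionally.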
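Review bot: in the clavis_keyring_init() hunk, register_key_type() runs before the rest of the function sets up the restriction and keyring, so the type is usable while clavis_keyring is still NULL, and key_acl_preparse() would hand a NULL keyring to verify_pkcs7_signature(), which falls back to the builtin trusted keyring. Nothing can add keys that early in boot in practice, but registering the type last, or having key_acl_preparse() return an error while clavis_keyring is NULL, removes the dependency on ordering.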
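As an added example that is not code from the patch series or the kernel, the following userspace C model covers both patches above: it parses the clavis_key_acl description format from the 7/8 commit message with the checks that format promises (two hex digits for the usage byte, an even number of hex digits for the key id), and it models how a per-signature usage plus a revocation-pass flag, the two fields 6/8 adds to public_key_signature, could be checked against such entries. The names struct sig_ctx, clavis_acl_parse() and clavis_key_allowed() are hypothetical, and the policy in clavis_key_allowed() (skip the ACL on the revocation pass, require a matching usage on the trust pass, fail closed when no usage was recorded) is an assumption for illustration, not something the patches specify.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Usage byte of a clavis_key_acl, numbered as in the commit message's table
 * (the values of the kernel's enum key_being_used_for). */
enum clavis_usage {
	USAGE_MODULE_SIGNATURE = 0, USAGE_FIRMWARE_SIGNATURE = 1,
	USAGE_KEXEC_PE_SIGNATURE = 2, USAGE_KEY_SIGNATURE = 3,
	USAGE_KEY_SELF_SIGNATURE = 4, USAGE_UNSPECIFIED_SIGNATURE = 5,
	USAGE_MAX = USAGE_UNSPECIFIED_SIGNATURE,
};

#define MAX_BIN_KID   32                 /* limit used by the patch */
#define MAX_ASCII_KID (2 * MAX_BIN_KID)  /* derived so the two cannot drift */

struct clavis_acl {            /* one parsed "XX:YYYY..." entry */
	unsigned char usage;
	unsigned char kid[MAX_BIN_KID];
	size_t kid_len;
};

/* Bit numbers patch 6/8 adds to usage_flags, and a hypothetical userspace
 * stand-in for the two new public_key_signature fields. */
#define PKS_USAGE_SET       0
#define PKS_REVOCATION_PASS 1
struct sig_ctx {
	unsigned int usage;        /* value pkcs7_verify() was called with */
	unsigned long usage_flags;
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Parse one ACL description; 0 on success, -1 if malformed. Stricter than the
 * patch's key_acl_vet_description(): the usage byte must be two hex digits in
 * the table above, the key id an even number of hex digits, and only one
 * trailing newline (what `echo` leaves) is tolerated. */
int clavis_acl_parse(const char *desc, struct clavis_acl *out)
{
	size_t n = strlen(desc), hexlen, i;
	int hi, lo;

	if (n && desc[n - 1] == '\n')
		n--;
	if (n < 5 || n > MAX_ASCII_KID + 3u || desc[2] != ':')
		return -1;
	hi = hexval(desc[0]);
	lo = hexval(desc[1]);
	if (hi < 0 || lo < 0 || (hi << 4 | lo) > USAGE_MAX)
		return -1;
	hexlen = n - 3;
	if (hexlen & 1)
		return -1;
	for (i = 0; i < hexlen; i += 2) {
		int a = hexval(desc[3 + i]), b = hexval(desc[4 + i]);

		if (a < 0 || b < 0)
			return -1;
		out->kid[i / 2] = (unsigned char)(a << 4 | b);
	}
	out->usage = (unsigned char)(hi << 4 | lo);
	out->kid_len = hexlen / 2;
	return 0;
}

/* Assumed policy (illustration only): the revocation pass skips the ACL,
 * since a blacklisted key is rejected whatever it may sign; the trust pass
 * needs an entry whose usage equals the usage recorded on the signature;
 * a signature with no recorded usage fails closed. */
bool clavis_key_allowed(const struct sig_ctx *sig, const unsigned char *kid,
			size_t kid_len, const struct clavis_acl *acls, size_t nacl)
{
	size_t i;

	if (sig->usage_flags & (1UL << PKS_REVOCATION_PASS))
		return true;
	if (!(sig->usage_flags & (1UL << PKS_USAGE_SET)))
		return false;
	for (i = 0; i < nacl; i++)
		if (acls[i].usage == sig->usage && acls[i].kid_len == kid_len &&
		    memcmp(acls[i].kid, kid, kid_len) == 0)
			return true;
	return false;
}

int main(void)
{
	struct clavis_acl acl;   /* constructed input: the commit message's ACL line */
	struct sig_ctx sig = { USAGE_KEXEC_PE_SIGNATURE, 1UL << PKS_USAGE_SET };

	if (clavis_acl_parse("02:b360d113c848ace3f1e6a80060b43d1206f0487d\n", &acl))
		return 1;
	printf("kexec allowed: %d\n", clavis_key_allowed(&sig, acl.kid, acl.kid_len, &acl, 1));
	return 0;
}
```

The parser rejects "02:abc" (odd digit count), "zz:..." and "06:..." (usage byte not in the table) and embedded whitespace, all of which the patch's vet_description accepts or silently shortens; the allowed() check shows why PKS_USAGE_SET matters, since a signature whose usage was never recorded (pkcs7_validate_trust() reached without pkcs7_verify()) must not match any entry by accident.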