[RFC,1/3] keys: Add ability to trust the platform keyring

Commit Message

Eric Snowberg May 17, 2021, 10:57 p.m. UTC

Add the ability to allow the secondary_trusted keyring to trust
keys in the platform keyring. This is done by doing a key_link
of the platform_trusted_keys to the secondary_trusted_keys.
After they are linked, the platform_trusted_keys can be used for
validation instead of the secondary_trusted_keys if the user
chooses. This functionality will be used in a follow on patch.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/system_keyring.c        | 19 ++++++++++++++++++-
 include/keys/system_keyring.h | 10 ++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen May 20, 2021, 3:59 p.m. UTC | #1

On Mon, May 17, 2021 at 06:57:12PM -0400, Eric Snowberg wrote:
> Add the ability to allow the secondary_trusted keyring to trust
> keys in the platform keyring. This is done by doing a key_link

What this looks for me doing is to *replace* the secondary 
trusted keyring with the platform keyring.

So this should be "Add ability to replace the secondary trusted
keyring with the platform keyring." This is what the code change
is actually doing so it would be nice to say it out loud.

> of the platform_trusted_keys to the secondary_trusted_keys.
> After they are linked, the platform_trusted_keys can be used for
> validation instead of the secondary_trusted_keys if the user
> chooses. This functionality will be used in a follow on patch.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

/Jarkko

Patch

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 4b693da488f1..471eb13e3cca 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -23,6 +23,7 @@  static struct key *secondary_trusted_keys;
 #endif
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 static struct key *platform_trusted_keys;
+bool  secondary_trusts_platform;
 #endif
 
 extern __initconst const u8 system_certificate_list[];
@@ -67,6 +68,10 @@  int restrict_link_by_builtin_and_secondary_trusted(
 		/* Allow the builtin keyring to be added to the secondary */
 		return 0;
 
+	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && secondary_trusts_platform)
+		return restrict_link_by_signature(dest_keyring, type, payload,
+						  platform_trusted_keys);
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  secondary_trusted_keys);
 }
@@ -227,7 +232,11 @@  int verify_pkcs7_message_sig(const void *data, size_t len,
 		trusted_keys = builtin_trusted_keys;
 	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
-		trusted_keys = secondary_trusted_keys;
+		if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) &&
+		   secondary_trusts_platform)
+			trusted_keys = platform_trusted_keys;
+		else
+			trusted_keys = secondary_trusted_keys;
 #else
 		trusted_keys = builtin_trusted_keys;
 #endif
@@ -312,4 +321,12 @@  void __init set_platform_trusted_keys(struct key *keyring)
 {
 	platform_trusted_keys = keyring;
 }
+
+void __init set_trust_platform_keys(void)
+{
+	secondary_trusts_platform = true;
+
+	if (key_link(platform_trusted_keys, secondary_trusted_keys) < 0)
+		panic("Can't link trusted keyrings\n");
+}
 #endif
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index fb8b07daa9d1..ffa5f0173ba8 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -72,4 +72,14 @@  static inline void set_platform_trusted_keys(struct key *keyring)
 }
 #endif
 
+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
+	defined(CONFIG_SYSTEM_TRUSTED_KEYRING) && \
+	defined(CONFIG_SECONDARY_TRUSTED_KEYRING)
+extern void __init set_trust_platform_keys(void);
+#else
+static inline void __init set_trust_platform_keys(void)
+{
+}
+#endif
+
 #endif /* _KEYS_SYSTEM_KEYRING_H */