| Message ID | 20211116001545.2639333-12-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Enroll kernel keys thru MOK | expand |
Hi Eric, On Mon, 2021-11-15 at 19:15 -0500, Eric Snowberg wrote: > Introduce a new link restriction that includes the trusted builtin, > secondary and machine keys. The restriction is based on the key to be > added being vouched for by a key in any of these three keyrings. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > v3: Initial version > v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING > v5: Rename to machine keyring > v6: Change subject name (suggested by Mimi) > Rename restrict_link_by_builtin_secondary_and_ca_trusted > to restrict_link_by_builtin_secondary_and_machine (suggested by > Mimi) > v7: Unmodified from v6 > --- > certs/system_keyring.c | 23 +++++++++++++++++++++++ > include/keys/system_keyring.h | 6 ++++++ > 2 files changed, 29 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index bc7e44fc82c2..71a00add9805 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) > { > machine_trusted_keys = keyring; > } > + > +/** This begins the start of kernel doc. > + * restrict_link_by_builtin_secondary_and_machine Missing are the parameter defintions. Please refer to Documentation/doc-guide/kernel-doc.rst for details. Mimi > + * > + * Restrict the addition of keys into a keyring based on the key-to-be-added > + * being vouched for by a key in either the built-in, the secondary, or > + * the machine keyrings. > + */ > +int restrict_link_by_builtin_secondary_and_machine( > + struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *restrict_key) > +{ > + if (machine_trusted_keys && type == &key_type_keyring && > + dest_keyring == secondary_trusted_keys && > + payload == &machine_trusted_keys->payload) > + /* Allow the machine keyring to be added to the secondary */ > + return 0; > + > + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, > + payload, restrict_key); > +} > #endif > > /* > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index 98c9b10cdc17..2419a735420f 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( > #endif > > #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +extern int restrict_link_by_builtin_secondary_and_machine( > + struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *restrict_key); > extern void __init set_machine_trusted_keys(struct key *keyring); > #else > +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted > static inline void __init set_machine_trusted_keys(struct key *keyring) > { > }
> On Nov 18, 2021, at 5:20 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > Hi Eric, > > On Mon, 2021-11-15 at 19:15 -0500, Eric Snowberg wrote: >> Introduce a new link restriction that includes the trusted builtin, >> secondary and machine keys. The restriction is based on the key to be >> added being vouched for by a key in any of these three keyrings. >> >> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> --- >> v3: Initial version >> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING >> v5: Rename to machine keyring >> v6: Change subject name (suggested by Mimi) >> Rename restrict_link_by_builtin_secondary_and_ca_trusted >> to restrict_link_by_builtin_secondary_and_machine (suggested by >> Mimi) >> v7: Unmodified from v6 >> --- >> certs/system_keyring.c | 23 +++++++++++++++++++++++ >> include/keys/system_keyring.h | 6 ++++++ >> 2 files changed, 29 insertions(+) >> >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c >> index bc7e44fc82c2..71a00add9805 100644 >> --- a/certs/system_keyring.c >> +++ b/certs/system_keyring.c >> @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) >> { >> machine_trusted_keys = keyring; >> } >> + >> +/** > > This begins the start of kernel doc. > >> + * restrict_link_by_builtin_secondary_and_machine > > Missing are the parameter defintions. Please refer to > Documentation/doc-guide/kernel-doc.rst for details. I’ll add this in the next round, thanks.
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index bc7e44fc82c2..71a00add9805 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; } + +/** + * restrict_link_by_builtin_secondary_and_machine + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the machine keyrings. + */ +int restrict_link_by_builtin_secondary_and_machine( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (machine_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &machine_trusted_keys->payload) + /* Allow the machine keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 98c9b10cdc17..2419a735420f 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern int restrict_link_by_builtin_secondary_and_machine( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_machine_trusted_keys(struct key *keyring); #else +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted static inline void __init set_machine_trusted_keys(struct key *keyring) { }
Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v3: Initial version v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING v5: Rename to machine keyring v6: Change subject name (suggested by Mimi) Rename restrict_link_by_builtin_secondary_and_ca_trusted to restrict_link_by_builtin_secondary_and_machine (suggested by Mimi) v7: Unmodified from v6 --- certs/system_keyring.c | 23 +++++++++++++++++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 29 insertions(+)