
[0/4] Add CA enforcement in the machine keyring

Message ID 20220301173651.3435350-1-eric.snowberg@oracle.com (mailing list archive)

Message

Eric Snowberg March 1, 2022, 5:36 p.m. UTC
A key added to the IMA keyring must be signed by a key contained in either the
built-in trusted or secondary trusted keyring. IMA also requires these keys 
to be a CA. The only option for an end-user to add their own CA is to compile
it into the kernel themselves or to use the insert-sys-cert.  Many end-users 
do not want to compile their own kernels.  With the insert-sys-cert option, 
there are missing upstream changes. 

Currently, all Machine Owner Keys (MOK) load into the machine keyring.  Add
a new Kconfig option to only allow CA keys into the machine keyring.  When
compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
keys will load into the platform keyring instead. This will allow the end-user
to enroll their own CA key into the machine keyring for use with IMA.

These patches are based on Jarkko's linux-tpmdd tree.
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git


Eric Snowberg (4):
  KEYS: Create static version of public_key_verify_signature
  X.509: Parse Basic Constraints for CA
  KEYS: CA link restriction
  integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

 certs/system_keyring.c                        |  9 ++--
 crypto/asymmetric_keys/restrict.c             | 43 +++++++++++++++++++
 crypto/asymmetric_keys/x509_cert_parser.c     |  9 ++++
 include/crypto/public_key.h                   | 25 +++++++++++
 include/keys/system_keyring.h                 |  3 +-
 security/integrity/Kconfig                    | 21 +++++++++
 security/integrity/Makefile                   |  1 +
 security/integrity/digsig.c                   | 14 ++++--
 security/integrity/integrity.h                |  3 +-
 .../platform_certs/keyring_handler.c          |  4 +-
 10 files changed, 123 insertions(+), 9 deletions(-)


base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1

Comments

Mimi Zohar March 6, 2022, 11:33 p.m. UTC | #1
Hi Eric,

On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
> A key added to the IMA keyring must be signed by a key contained in either the
> built-in trusted or secondary trusted keyring. IMA also requires these keys 
> to be a CA. The only option for an end-user to add their own CA is to compile
> it into the kernel themselves or to use the insert-sys-cert.  Many end-users 
> do not want to compile their own kernels.  With the insert-sys-cert option, 
> there are missing upstream changes. 
> 
> Currently, all Machine Owner Keys (MOK) load into the machine keyring.  Add
> a new Kconfig option to only allow CA keys into the machine keyring.  When
> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
> keys will load into the platform keyring instead. This will allow the end-user
> to enroll their own CA key into the machine keyring for use with IMA.

In addition to only loading the MOK CA keys onto the .machine keyring,
the keyUsage should be required and limited to keyCertSign.   Certs
with keyUsage of keyCertSign should not be allowed on the IMA keyring.

thanks,

Mimi

> 
> These patches are based on Jarkko's linux-tpmdd tree.
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
>
Eric Snowberg March 7, 2022, 6:55 p.m. UTC | #2
> On Mar 6, 2022, at 4:33 PM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> 
> Hi Eric,
> 
> On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
>> A key added to the IMA keyring must be signed by a key contained in either the
>> built-in trusted or secondary trusted keyring. IMA also requires these keys 
>> to be a CA. The only option for an end-user to add their own CA is to compile
>> it into the kernel themselves or to use the insert-sys-cert.  Many end-users 
>> do not want to compile their own kernels.  With the insert-sys-cert option, 
>> there are missing upstream changes. 
>> 
>> Currently, all Machine Owner Keys (MOK) load into the machine keyring.  Add
>> a new Kconfig option to only allow CA keys into the machine keyring.  When
>> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
>> keys will load into the platform keyring instead. This will allow the end-user
>> to enroll their own CA key into the machine keyring for use with IMA.
> 
> In addition to only loading the MOK CA keys onto the .machine keyring,
> the keyUsage should be required and limited to keyCertSign.

Ok, I’ll add this in the next round.
Mimi Zohar March 9, 2022, 6:43 p.m. UTC | #3
On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:

I would begin by saying,

The "Enroll kernel keys thru MOK" patch set introduced a new root of
trust by defining a "machine" keyring, which is linked to the
secondary_trusted_keyring.  All Machine Owner Keys (MOK) are loaded
into the machine keyring.

Then proceed with the IMA new root of trust requirements - root CA
(self-signed CA) with keyUsage limited to keyCertSign.

> A key added to the IMA keyring must be signed by a key contained in either the

^A certificate ... must be signed

> built-in trusted or secondary trusted keyring. IMA also requires these keys 
> to be a CA. The only option for an end-user to add their own CA is to compile
> it into the kernel themselves or to use the insert-sys-cert.  Many end-users 
> do not want to compile their own kernels.  With the insert-sys-cert option, 
> there are missing upstream changes. 
> 
> Currently, all Machine Owner Keys (MOK) load into the machine keyring.

Moved to the beginning.


> Add

^Define
>  
> a new Kconfig option to only allow CA keys into the machine keyring.  When 

Add the other criteria here as well.

> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
> keys will load into the platform keyring instead. This will allow the end-user
> to enroll their own CA key into the machine keyring for use with IMA.
> 
> These patches are based on Jarkko's linux-tpmdd tree.
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

thanks,

Mimi
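The routing rule discussed in this thread, as an added worked example in C that is not part of the patch set or of the kernel's own code: a MOK certificate goes to the .machine keyring only if it is self-signed, its X.509 basicConstraints extension says cA=TRUE (the cover letter's criterion), and its keyUsage is present and limited to keyCertSign (the criterion raised in review); everything else falls through to .platform. All function and type names (der_tlv, parse_basic_constraints_ca, parse_key_usage, struct mok_cert, classify_mok_cert, classify_sample) are hypothetical, the DER extension values are constructed by hand, and the self-signed check is assumed to have been done by the caller. The kernel's x509_cert_parser.c works on whole certificates through its ASN.1 decoder, which this example does not reproduce; it only parses the two extension values the decision depends on.

```c
/* Added example, not kernel code: route a MOK certificate to the .machine or
 * .platform keyring using the criteria on this page: self-signed, X.509
 * basicConstraints cA=TRUE, keyUsage present and limited to keyCertSign.
 * All names are hypothetical and the DER snippets are constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dest_keyring { KEYRING_MACHINE = 1, KEYRING_PLATFORM = 2 };

/* KeyUsage BIT STRING, first byte: bit 0 (0x80) digitalSignature,
 * bit 5 (0x04) keyCertSign, bit 6 (0x02) cRLSign. */
#define KU_KEY_CERT_SIGN 0x04

/* Read one short-form DER TLV of tag `tag`; return its value or NULL if malformed. */
static const uint8_t *der_tlv(const uint8_t *p, const uint8_t *end, uint8_t tag, size_t *vlen)
{
    if (!p || end - p < 2 || p[0] != tag || (p[1] & 0x80))
        return NULL;                         /* long-form lengths never occur here */
    if ((size_t)(end - p - 2) < p[1])
        return NULL;                         /* length runs past the buffer */
    *vlen = p[1];
    return p + 2;
}

/* BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
 * Returns 1 if cA is TRUE, 0 if FALSE or absent, -1 if malformed. */
int parse_basic_constraints_ca(const uint8_t *ext, size_t ext_len)
{
    size_t seq_len, blen;
    const uint8_t *seq = der_tlv(ext, ext + ext_len, 0x30, &seq_len), *b;
    if (!seq)
        return -1;
    if (seq_len == 0)
        return 0;                            /* SEQUENCE {}: cA takes its DEFAULT, FALSE */
    b = der_tlv(seq, seq + seq_len, 0x01, &blen);
    if (!b)
        return 0;                            /* no BOOLEAN (e.g. only pathLen): not a CA */
    if (blen != 1)
        return -1;
    return b[0] == 0xFF;                     /* DER TRUE is exactly 0xFF; anything else is not TRUE */
}

/* KeyUsage ::= BIT STRING. Returns the first byte of usage bits with the
 * unused trailing bits masked off, or -1 if malformed. */
int parse_key_usage(const uint8_t *ext, size_t ext_len)
{
    size_t len;
    const uint8_t *bs = der_tlv(ext, ext + ext_len, 0x03, &len);
    if (!bs || len < 2 || bs[0] > 7)
        return -1;
    return len == 2 ? (bs[1] & (uint8_t)(0xFFu << bs[0])) : bs[1];
}

struct mok_cert {
    const char *name;
    int self_signed;                   /* assumed verified by the caller (issuer == subject, signature ok) */
    const uint8_t *bc; size_t bc_len;  /* basicConstraints extnValue, NULL if absent */
    const uint8_t *ku; size_t ku_len;  /* keyUsage extnValue, NULL if absent */
};

enum dest_keyring classify_mok_cert(const struct mok_cert *c)
{
    if (!c->self_signed)                                   /* only a root of trust goes on .machine */
        return KEYRING_PLATFORM;
    if (!c->bc || parse_basic_constraints_ca(c->bc, c->bc_len) != 1)
        return KEYRING_PLATFORM;                           /* cover letter: non-CA keys -> .platform */
    if (!c->ku || parse_key_usage(c->ku, c->ku_len) != KU_KEY_CERT_SIGN)
        return KEYRING_PLATFORM;                           /* review: keyUsage required, keyCertSign only */
    return KEYRING_MACHINE;
}

/* Constructed DER extension values; no real certificates are involved. */
static const uint8_t bc_ca_true[]      = { 0x30, 0x03, 0x01, 0x01, 0xFF };
static const uint8_t bc_ca_pathlen0[]  = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 };
static const uint8_t bc_empty[]        = { 0x30, 0x00 };
static const uint8_t ku_certsign[]     = { 0x03, 0x02, 0x02, 0x04 };  /* keyCertSign, 2 unused bits */
static const uint8_t ku_certsign_crl[] = { 0x03, 0x02, 0x01, 0x06 };  /* keyCertSign | cRLSign */
static const uint8_t ku_digsig[]       = { 0x03, 0x02, 0x07, 0x80 };  /* digitalSignature */

#define EXT(a) a, sizeof a
static const struct mok_cert samples[] = {
    { "root CA, keyCertSign only",        1, EXT(bc_ca_true),     EXT(ku_certsign) },
    { "root CA, pathLen 0",               1, EXT(bc_ca_pathlen0), EXT(ku_certsign) },
    { "root CA, keyCertSign|cRLSign",     1, EXT(bc_ca_true),     EXT(ku_certsign_crl) },
    { "intermediate CA, not self-signed", 0, EXT(bc_ca_true),     EXT(ku_certsign) },
    { "code-signing leaf",                1, EXT(bc_empty),       EXT(ku_digsig) },
    { "CA=TRUE but no keyUsage",          1, EXT(bc_ca_true),     NULL, 0 },
};

/* Classify the i-th constructed sample. */
enum dest_keyring classify_sample(size_t i)
{
    return classify_mok_cert(&samples[i]);
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> .%s\n", samples[i].name,
               classify_sample(i) == KEYRING_MACHINE ? "machine" : "platform");
    return 0;
}
```

Build with a plain `cc` invocation and run it; one line per sample is printed. Two design points are worth noticing. The cA boolean is compared against exactly 0xFF, so a BER-style 0x01 or an explicitly encoded FALSE is not accepted as a CA, and an empty SEQUENCE is treated as the DEFAULT FALSE rather than as an error. The keyUsage comparison implements "limited to keyCertSign" literally, so a root whose keyUsage also sets cRLSign, which is common in practice, lands on .platform; if that is not the intended policy the mask in classify_mok_cert is the one place to relax it.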