| Message ID | 20220406015337.4000739-6-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Add CA enforcement keyring restrictions | expand |
Hi Eric,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on 3123109284176b1532874591f7c81f3837bbdc17]
url: https://github.com/intel-lab-lkp/linux/commits/Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
base: 3123109284176b1532874591f7c81f3837bbdc17
config: riscv-randconfig-r042-20220406 (https://download.01.org/0day-ci/archive/20220407/202204070321.X7bLj3Ce-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/68d98a175d29032d888f3f5700c43cf771ef17d8
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
git checkout 68d98a175d29032d888f3f5700c43cf771ef17d8
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=riscv SHELL=/bin/bash crypto/asymmetric_keys/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> crypto/asymmetric_keys/restrict.c:111:5: warning: no previous prototype for 'restrict_link_by_rot_and_signature' [-Wmissing-prototypes]
111 | int restrict_link_by_rot_and_signature(struct key *dest_keyring,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/restrict_link_by_rot_and_signature +111 crypto/asymmetric_keys/restrict.c
110
> 111 int restrict_link_by_rot_and_signature(struct key *dest_keyring,
112 const struct key_type *type,
113 const union key_payload *payload,
114 struct key *trust_keyring)
115 {
116 const struct public_key_signature *sig;
117 struct key *key;
118 int ret;
119
120 if (!trust_keyring)
121 return -ENOKEY;
122
123 if (type != &key_type_asymmetric)
124 return -EOPNOTSUPP;
125
126 sig = payload->data[asym_auth];
127 if (!sig)
128 return -ENOPKG;
129 if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
130 return -ENOKEY;
131
132 if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
133 return -EPERM;
134
135 /* See if we have a key that signed this one. */
136 key = find_asymmetric_key(trust_keyring,
137 sig->auth_ids[0], sig->auth_ids[1],
138 sig->auth_ids[2], false);
139 if (IS_ERR(key))
140 return -ENOKEY;
141
142 if (!test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags))
143 ret = -ENOKEY;
144 else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
145 ret = -ENOKEY;
146 else
147 ret = verify_signature(key, sig);
148 key_put(key);
149 return ret;
150 }
151
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 05b66ce9d1c9..a8b53446ec25 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -48,6 +48,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_rot_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_rot_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring @@ -76,6 +84,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_rot_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_rot_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /** * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..840ea302b40a 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,48 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_rot_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 2419a735420f..2c1241042f1f 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -17,9 +17,18 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_rot_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); +extern int restrict_link_by_rot_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_rot_and_signature restrict_link_reject +#define restrict_link_by_rot_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { @@ -34,8 +43,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_rot_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_rot_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring. Add a new restriction called restrict_link_by_rot_and_signature that both vouches for the new key and validates the vouching key contains the builtin root of trust flag. Two new system keyring restrictions are added to use restrict_link_by_rot_and_signature. The first restriction called restrict_link_by_rot_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_rot_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- certs/system_keyring.c | 18 +++++++++++++ crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++++++++++ include/keys/system_keyring.h | 17 ++++++++++++- 3 files changed, 76 insertions(+), 1 deletion(-)