diff mbox series

[RFC,v3,02/13] certs: Introduce ability to link to a system key

Message ID 20241017155516.2582369-3-eric.snowberg@oracle.com (mailing list archive)
State New
Headers show
Series Clavis LSM | expand

Commit Message

Eric Snowberg Oct. 17, 2024, 3:55 p.m. UTC
Introduce system_key_link(), a new function to allow a keyring to link
to a key contained within one of the system keyrings (builtin, secondary,
or platform). Depending on how the kernel is built, if the machine
keyring is available, it will be checked as well, since it is linked to
the secondary keyring. If the asymmetric key id matches a key within one
of these system keyrings, the matching key is linked into the passed in
keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/system_keyring.c        | 30 ++++++++++++++++++++++++++++++
 include/keys/system_keyring.h |  7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen Oct. 17, 2024, 4:16 p.m. UTC | #1
On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> Introduce system_key_link(), a new function to allow a keyring to
> link
> to a key contained within one of the system keyrings (builtin,
> secondary,
> or platform). Depending on how the kernel is built, if the machine
> keyring is available, it will be checked as well, since it is linked
> to
> the secondary keyring. If the asymmetric key id matches a key within
> one
> of these system keyrings, the matching key is linked into the passed
> in
> keyring.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  certs/system_keyring.c        | 30 ++++++++++++++++++++++++++++++
>  include/keys/system_keyring.h |  7 ++++++-
>  2 files changed, 36 insertions(+), 1 deletion(-)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index e344cee10d28..4abee7514442 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -20,6 +20,9 @@
>  static struct key *builtin_trusted_keys;
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>  static struct key *secondary_trusted_keys;

/*
 * Explain system_trusted_keys (nothing too detailed, only the gist)
 */

> +#define system_trusted_keys secondary_trusted_keys
> +#else
> +#define system_trusted_keys builtin_trusted_keys
>  #endif
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
>  static struct key *machine_trusted_keys;

We have enough these to make this quite convoluted so let's put some
helpful reminders. I would forget this in no time ;-) So if it comes
down to that, please put something because I have a goldfish memory.

BR, Jarkko
Eric Snowberg Oct. 17, 2024, 4:53 p.m. UTC | #2
> On Oct 17, 2024, at 10:16 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> 
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Introduce system_key_link(), a new function to allow a keyring to
>> link
>> to a key contained within one of the system keyrings (builtin,
>> secondary,
>> or platform). Depending on how the kernel is built, if the machine
>> keyring is available, it will be checked as well, since it is linked
>> to
>> the secondary keyring. If the asymmetric key id matches a key within
>> one
>> of these system keyrings, the matching key is linked into the passed
>> in
>> keyring.
>> 
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>> ---
>>  certs/system_keyring.c        | 30 ++++++++++++++++++++++++++++++
>>  include/keys/system_keyring.h |  7 ++++++-
>>  2 files changed, 36 insertions(+), 1 deletion(-)
>> 
>> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
>> index e344cee10d28..4abee7514442 100644
>> --- a/certs/system_keyring.c
>> +++ b/certs/system_keyring.c
>> @@ -20,6 +20,9 @@
>>  static struct key *builtin_trusted_keys;
>>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>>  static struct key *secondary_trusted_keys;
> 
> /*
> * Explain system_trusted_keys (nothing too detailed, only the gist)
> */
> 
>> +#define system_trusted_keys secondary_trusted_keys
>> +#else
>> +#define system_trusted_keys builtin_trusted_keys
>>  #endif
>>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
>>  static struct key *machine_trusted_keys;
> 
> We have enough these to make this quite convoluted so let's put some
> helpful reminders. I would forget this in no time ;-) So if it comes
> down to that, please put something because I have a goldfish memory.

I'll add a comment explaining this in the next round, thanks.
diff mbox series

Patch

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e344cee10d28..4abee7514442 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -20,6 +20,9 @@ 
 static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 static struct key *secondary_trusted_keys;
+#define system_trusted_keys secondary_trusted_keys
+#else
+#define system_trusted_keys builtin_trusted_keys
 #endif
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
 static struct key *machine_trusted_keys;
@@ -420,3 +423,30 @@  void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
+
+/**
+ * system_key_link - Link to a system key
+ * @keyring: The keyring to link into
+ * @id: The asymmetric key id to look for in the system keyring
+ *
+ * Search the system keyrings to see if one of them contains a matching "id".
+ * If there is a match, link the key into "keyring".  System keyrings always
+ * includes the builtin. If any of the following keyrings are enabled:
+ * secondary, machine, and platform they are searched as well.
+ */
+int system_key_link(struct key *keyring, struct asymmetric_key_id *id)
+{
+	struct key *key;
+
+	key = find_asymmetric_key(system_trusted_keys, id, NULL, NULL, false);
+	if (!IS_ERR(key))
+		return key_link(keyring, key);
+
+	if (platform_trusted_keys) {
+		key = find_asymmetric_key(platform_trusted_keys, id, NULL, NULL, false);
+		if (!IS_ERR(key))
+			return key_link(keyring, key);
+	}
+
+	return -ENOKEY;
+}
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 8365adf842ef..b47ac8e2001a 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -9,6 +9,7 @@ 
 #define _KEYS_SYSTEM_KEYRING_H
 
 #include <linux/key.h>
+struct asymmetric_key_id;
 
 enum blacklist_hash_type {
 	/* TBSCertificate hash */
@@ -28,7 +29,7 @@  int restrict_link_by_digsig_builtin(struct key *dest_keyring,
 				    const union key_payload *payload,
 				    struct key *restriction_key);
 extern __init int load_module_cert(struct key *keyring);
-
+extern int system_key_link(struct key *keyring, struct asymmetric_key_id *id);
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
 #define restrict_link_by_digsig_builtin restrict_link_reject
@@ -38,6 +39,10 @@  static inline __init int load_module_cert(struct key *keyring)
 	return 0;
 }
 
+static inline int system_key_link(struct key *keyring, struct asymmetric_key_id *id)
+{
+	return 0;
+}
 #endif
 
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING