From patchwork Mon Sep 26 23:36:41 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mat Martineau X-Patchwork-Id: 9351389 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B48056077A for ; Mon, 26 Sep 2016 23:36:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A820328581 for ; Mon, 26 Sep 2016 23:36:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9CF6F28EAD; Mon, 26 Sep 2016 23:36:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 29C8728581 for ; Mon, 26 Sep 2016 23:36:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932241AbcIZXg6 (ORCPT ); Mon, 26 Sep 2016 19:36:58 -0400 Received: from mga06.intel.com ([134.134.136.31]:46956 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753549AbcIZXgz (ORCPT ); Mon, 26 Sep 2016 19:36:55 -0400 Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga104.jf.intel.com with ESMTP; 26 Sep 2016 16:36:47 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.30,401,1470726000"; d="scan'208";a="884066072" Received: from mjmartin-nuc01.wa.intel.com ([10.232.97.135]) by orsmga003.jf.intel.com with ESMTP; 26 Sep 2016 16:36:47 -0700 From: Mat Martineau To: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, dhowells@redhat.com Cc: Mat Martineau , zohar@linux.vnet.ibm.com Subject: [PATCH v7 8/9] KEYS: Add a lookup_restrict function for the asymmetric key type Date: Mon, 26 Sep 2016 16:36:41 -0700 Message-Id: <20160926233642.32204-9-mathew.j.martineau@linux.intel.com> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20160926233642.32204-1-mathew.j.martineau@linux.intel.com> References: <20160926233642.32204-1-mathew.j.martineau@linux.intel.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Look up asymmetric keyring restriction information using the key-type lookup_restrict hook. Signed-off-by: Mat Martineau --- Documentation/crypto/asymmetric-keys.txt | 35 ++++++++++++++++++++++++++ crypto/asymmetric_keys/asymmetric_type.c | 42 ++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index b33a13c..07efce6 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -327,3 +327,38 @@ Functions are provided to register and unregister parsers: Parsers may not have the same name. The names are otherwise only used for displaying in debugging messages. + + +========================= +KEYRING LINK RESTRICTIONS +========================= + +Keyrings created from userspace using add_key can be configured to check the +signature of the key being linked. + +Several restriction methods are available: + + (1) Restrict using the kernel builtin trusted keyring + + - Options used when creating the keyring: + - restrict=asymmetric:builtin_trusted + + The kernel builtin trusted keyring will be searched for the signing + key. The ca_keys kernel parameter also affects which keys are used for + signature verification. + + (2) Restrict using the kernel builtin and secondary trusted keyrings + + - Options used when creating the keyring: + - restrict=asymmetric:builtin_and_secondary_trusted + + The kernel builtin and secondary trusted keyrings will be searched for the + signing key. The ca_keys kernel parameter also affects which keys are used + for signature verification. + +In all of these cases, if the signing key is found the signature of the key to +be linked will be verified using the signing key. The requested key is added +to the keyring only if the signature is successfully verified. -ENOKEY is +returned if the parent certificate could not be found, or -EKEYREJECTED is +returned if the signature check fails or the key is blacklisted. Other errors +may be returned if the signature check could not be performed. diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 77aa44a..8039a69 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "asymmetric_keys.h" MODULE_LICENSE("GPL"); @@ -491,6 +492,46 @@ static int asymmetric_key_verify_signature(struct kernel_pkey_params *params, return verify_signature(params->key, &sig); } +static struct key_restriction *asymmetric_restriction_alloc( + restrict_link_func_t check, + void (*free_data)(void *), + void *data) +{ + struct key_restriction *keyres = kzalloc(sizeof(struct key_restriction), + GFP_KERNEL); + if (!keyres) { + if (free_data) + free_data(data); + + return ERR_PTR(-ENOMEM); + } + + keyres->check = check; + keyres->free_data = free_data; + keyres->data = data; + + return keyres; +} + +/* + * look up keyring restrict functions for asymmetric keys + */ +static struct key_restriction *asymmetric_lookup_restrict(char *restriction) +{ + const char *restrict_method; + + if (strcmp("builtin_trusted", restriction) == 0) + return asymmetric_restriction_alloc( + restrict_link_by_builtin_trusted, NULL, NULL); + + if (strcmp("builtin_and_secondary_trusted", restriction) == 0) + return asymmetric_restriction_alloc( + restrict_link_by_builtin_and_secondary_trusted, + NULL, NULL); + + return ERR_PTR(-EINVAL); +} + struct key_type key_type_asymmetric = { .name = "asymmetric", .preparse = asymmetric_key_preparse, @@ -503,6 +544,7 @@ struct key_type key_type_asymmetric = { .asym_query = query_asymmetric_key, .asym_eds_op = asymmetric_key_eds_op, .asym_verify_signature = asymmetric_key_verify_signature, + .lookup_restrict = asymmetric_lookup_restrict, }; EXPORT_SYMBOL_GPL(key_type_asymmetric);