| Message ID | 20220406015337.4000739-7-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add CA enforcement keyring restrictions | expand |
Hi Eric,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on 3123109284176b1532874591f7c81f3837bbdc17]
url: https://github.com/intel-lab-lkp/linux/commits/Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
base: 3123109284176b1532874591f7c81f3837bbdc17
config: um-i386_defconfig (https://download.01.org/0day-ci/archive/20220407/202204070929.nFQNU3B8-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.2.0-19) 11.2.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/b0858df3dd6d627f8fa75cc973f55516372a5c98
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
git checkout b0858df3dd6d627f8fa75cc973f55516372a5c98
# save the config file to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=um SUBARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from fs/file_table.c:28:
>> include/linux/ima.h:189:56: warning: 'union key_payload' declared inside parameter list will not be visible outside of this definition or declaration
189 | const union key_payload *payload,
| ^~~~~~~~~~~
>> include/linux/ima.h:188:57: warning: 'struct key_type' declared inside parameter list will not be visible outside of this definition or declaration
188 | const struct key_type *type,
| ^~~~~~~~
vim +189 include/linux/ima.h
179
180 #ifdef CONFIG_ASYMMETRIC_KEY_TYPE
181 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
182 #define ima_validate_builtin_rot restrict_link_by_rot_builtin_and_secondary_trusted
183 #else
184 #define ima_validate_builtin_rot restrict_link_by_rot_builtin_trusted
185 #endif
186 #else
187 static inline int ima_validate_builtin_rot(struct key *dest_keyring,
> 188 const struct key_type *type,
> 189 const union key_payload *payload,
190 struct key *unused){
191 return -EPERM;
192 }
193 #endif
194
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 7290e765f46b..9052dd761ea3 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -215,8 +215,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) prep->payload.data[asym_auth] = cert->sig; prep->description = desc; prep->quotalen = 100; - if (cert->is_kcs_set && cert->self_signed && cert->is_root_ca) - prep->payload_flags |= KEY_ALLOC_ROT; + if (cert->is_kcs_set) { + if (cert->self_signed && cert->is_root_ca) + prep->payload_flags |= KEY_ALLOC_ROT; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_ROT for now. If the restriction check + * passes later, the key will be allocated with the + * correct ROT flag. + */ + else if (!cert->self_signed && !cert->is_root_ca) + prep->payload_flags |= KEY_MAYBE_ROT; + } /* We've finished with the certificate */ cert->pub = NULL; diff --git a/include/linux/ima.h b/include/linux/ima.h index 426b1744215e..3f23bccf880a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include <linux/security.h> #include <linux/kexec.h> #include <crypto/hash_info.h> +#include <keys/system_keyring.h> struct linux_binprm; #ifdef CONFIG_IMA @@ -176,6 +177,21 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_rot restrict_link_by_rot_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_rot restrict_link_by_rot_builtin_trusted +#endif +#else +static inline int ima_validate_builtin_rot(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused){ + return -EPERM; +} +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index ed0aaad3849b..da09e68903e2 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_ROT 0x0001 /* Proposed Root of Trust (ROT) key */ +#define KEY_MAYBE_ROT 0x0002 /* Proposed possible Root of Trust key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index 732bb837fc51..c553040dcc02 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate root of trust */ + if ((prep.payload_flags & KEY_MAYBE_ROT) && + !(ima_validate_builtin_rot(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_ROT; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
Currently X.509 Intermediate CA certs do not have the builtin root of trust key flag set. Allow intermediate CA certs to be added. Requirements for an intermediate CA include: Usage extension defined as keyCertSign, Basic Constrains for CA is false, and Intermediate CA cert is signed by a current builtin ROT key. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++-- include/linux/ima.h | 16 ++++++++++++++++ include/linux/key-type.h | 1 + security/keys/key.c | 5 +++++ 4 files changed, 34 insertions(+), 2 deletions(-)