From patchwork Wed Jul 7 02:43:52 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12361489
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 01/12] KEYS: Add KEY_ALLOC_BYPASS_RESTRICTION option to key_move
Date: Tue, 6 Jul 2021 22:43:52 -0400
Message-Id: <20210707024403.1083977-2-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Callers of key_create_or_update can pass KEY_ALLOC_BYPASS_RESTRICTION to suppress the restrictions check. Add the same support to key_move to bypass restrictions on the destination keyring.
Signed-off-by: Eric Snowberg --- security/keys/keyring.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 5e6a90760753..56ea2b78d2e5 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -1585,7 +1585,7 @@ EXPORT_SYMBOL(key_unlink); * * It is assumed that the caller has checked that it is permitted for a link to * be made (the keyring should have Write permission and the key Link - * permission). + * permission). It can be overridden by passing KEY_ALLOC_BYPASS_RESTRICTION. */ int key_move(struct key *key, struct key *from_keyring, 
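Review bot: The added sentence "It can be overridden by passing KEY_ALLOC_BYPASS_RESTRICTION" is attached to the paragraph about the caller having already checked Write permission on the keyring and Link permission on the key, so it reads as if the flag overrides those permission checks. What the flag actually skips (second hunk of this patch) is only __key_link_check_restriction(), the destination keyring's link restriction; the permission assumption still stands. Suggest rewording along the lines of "Passing KEY_ALLOC_BYPASS_RESTRICTION in @flags skips the destination keyring's link restriction; it does not relax the permission checks above", and noting that @flags now accepts this KEY_ALLOC_* value in addition to the KEYCTL_MOVE_* values.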
@@ -1618,9 +1618,11 @@ int key_move(struct key *key, if (to_edit->dead_leaf && (flags & KEYCTL_MOVE_EXCL)) goto error; - ret = __key_link_check_restriction(to_keyring, key); - if (ret < 0) - goto error; + if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) { + ret = __key_link_check_restriction(to_keyring, key); + if (ret < 0) + goto error; + } ret = __key_link_check_live_key(to_keyring, key); if (ret < 0) goto error; From patchwork Wed Jul 7 02:43:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361479 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE328C07E9B for ; Wed, 7 Jul 2021 02:45:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B1FCA61CB6 for ; Wed, 7 Jul 2021 02:45:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230004AbhGGCrx (ORCPT ); Tue, 6 Jul 2021 22:47:53 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:59838 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229894AbhGGCrw (ORCPT ); Tue, 6 Jul 2021 22:47:52 -0400 Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1672aKj7004673; Wed, 7 Jul 2021 02:44:32 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : 
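Review bot: The bypass is keyed off the same `flags` word that is tested for KEYCTL_MOVE_EXCL three lines above, so key_move() now interprets one argument against two unrelated flag namespaces (KEYCTL_MOVE_* and KEY_ALLOC_*), and nothing in the hunk documents or asserts that the bit values of the two sets stay disjoint as either set grows. Either add a BUILD_BUG_ON() that KEY_ALLOC_BYPASS_RESTRICTION does not overlap the KEYCTL_MOVE_* bits, or pass the bypass as a separate argument. Every path that forwards caller-supplied move flags into key_move() must also be confirmed to reject this bit, since otherwise an unprivileged move could skip the destination keyring's restriction; the commit message should say which in-kernel caller is meant to set it.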
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring
Date: Tue, 6 Jul 2021 22:43:53 -0400
Message-Id: <20210707024403.1083977-3-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Allow keys to be moved into the secondary keyring without checking its trust chain. This is available only during kernel initialization. This will allow keys in the MOK list to be added during boot.
Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 25 +++++++++++++++++++++++++ include/keys/system_keyring.h | 7 +++++++ 2 files changed, 32 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..f02bc5832684 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -90,6 +90,31 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } + +/** + * move_to_trusted_secondary_keyring - Move to the secondary trusted + * keyring with no validation. + * @key: The key to add to the secondary trusted keyring + * @from_keyring: The keyring containing the key to move from + * + * Move key to the secondary keyring without checking its trust chain. This + * is available only during kernel initialization. + */ +__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring) +{ + int ret; + + ret = key_move(key, from_keyring, secondary_trusted_keys, + KEY_ALLOC_BYPASS_RESTRICTION); + + if (ret) + pr_err("Problem loading X.509 certificate %d\n", ret); + else + pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n", + key->description); + + return ret; +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..f40837026d6d 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -34,8 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern __init int move_to_trusted_secondary_keyring(struct key *key, + struct key *from_keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline __init int move_to_trusted_secondary_keyring(struct key *key, + struct key *from_keyring) +{ + return -EKEYREVOKED; +} #endif extern struct pkcs7_message *pkcs7; From patchwork Wed Jul 7 02:43:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361487 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD7D8C07E9C for ; Wed, 7 Jul 2021 02:45:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AEAB661CB6 for ; Wed, 7 Jul 2021 02:45:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230215AbhGGCsG (ORCPT ); Tue, 6 Jul 2021 22:48:06 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:60896 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230020AbhGGCrx (ORCPT ); Tue, 6 Jul 2021 22:47:53 -0400 Received: from pps.filterd (m0246629.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1672aFEK017231; Wed, 7 Jul 2021 02:44:35 GMT 
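Review bot: move_to_trusted_secondary_keyring() reports failure as "Problem loading X.509 certificate %d" although it loads nothing: it moves an existing key between keyrings, and nothing in the function checks that the key is an X.509 asymmetric key at all. Suggest messages that say what happened, e.g. "Failed to move key '%s' to secondary keyring: %d" using key->description, and on success "Moved key '%s' to secondary trusted keyring". The kernel-doc promises "available only during kernel initialization", but the only thing enforcing that is the __init section placement, which turns a late caller into a section-mismatch warning rather than a runtime refusal; say explicitly that callers must themselves be __init. With the restriction bypassed, the only thing standing between from_keyring and the secondary trusted keyring is the caller, so the trust properties expected of the source keyring belong in this comment or the commit message.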
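Review bot: The !CONFIG_SECONDARY_TRUSTED_KEYRING stub returns -EKEYREVOKED, which tells the caller the key was revoked, when the actual condition is that there is no secondary keyring to move into. -ENOKEY or -EOPNOTSUPP describes that, and -ENOKEY would also match what the restriction stub added to this same header in the next patch of the series returns. Suggest `return -ENOKEY;` here.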
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 03/12] KEYS: CA link restriction
Date: Tue, 6 Jul 2021 22:43:54 -0400
Message-Id: <20210707024403.1083977-4-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed) or by being vouched for by a key in either the built-in or the secondary trusted keyrings.
Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 18 ++++++++++ crypto/asymmetric_keys/restrict.c | 60 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 +++ include/keys/system_keyring.h | 14 ++++++++ 4 files changed, 97 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index f02bc5832684..b4c82276bba5 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -73,6 +73,24 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +/** + * restrict_link_by_secondary_trusted_or_ca - Restrict keyring + * addition by being a CA or vouched by the secondary keyrings. + * + * Restrict the addition of keys in a keyring based on the key-to-be-added + * being a CA (self signed) or by being vouched for by a key in either + * the built-in or the secondary system keyrings. + */ +int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + return restrict_link_by_ca(dest_keyring, type, payload, + secondary_trusted_keys); +} + /** * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 84cefe3b3585..75e4379226e8 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c 
@@ -108,6 +108,66 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of public keys + * based on it being a CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: A key or ring of keys that can be used to vouch for the new cert. + * + * Check if the new certificate is a CA or if they key can be vouched for + * by keys already linked in the destination keyring or the trusted + * keyring. If one of those is the signing key or it is self signed, then + * mark the new certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + struct key *key; + int ret; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + ret = public_key_verify_signature(pkey, sig); + if (!ret) + return 0; + + if (!trust_keyring) + return -ENOKEY; + + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + false); + if (IS_ERR(key)) + return -ENOKEY; + + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { 
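Review bot: restrict_link_by_ca() does not check that the certificate is a CA; it checks that the certificate's signature verifies under its own public key (public_key_verify_signature(pkey, sig) with pkey taken from the same payload), i.e. that it is self-signed. Self-signed and CA are different properties: a self-signed end-entity certificate passes this path, and nothing looks at basicConstraints or keyUsage, which the kernel's X.509 parser does not expose and this patch does not add. A keyring restricted with this function therefore accepts any self-signed certificate, so either rename and document it as a self-signed-or-vouched restriction, or parse and require the CA attributes before accepting the self-signed branch. Two documentation mismatches in the same hunk: the kernel-doc names the last parameter @trusted while the prototype calls it trust_keyring (kernel-doc will warn), and the description says a key may be vouched for "by keys already linked in the destination keyring or the trusted keyring", but the only lookup is find_asymmetric_key(trust_keyring, ...); dest_keyring is never searched. Typo in the comment: "if they key" should be "if the key".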
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index f40837026d6d..43c76fba9481 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -34,10 +34,24 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern __init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline int restrict_link_by_secondary_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + return -ENOKEY; +} + static inline __init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring) {
From patchwork Wed Jul 7 02:43:55 2021 X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361485
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 04/12] integrity: add integrity_destroy_keyring Date: Tue, 6 Jul 2021 22:43:55 -0400 Message-Id: <20210707024403.1083977-5-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Not all kernel keyrings need to survive past boot. Add a destroy function to remove a keyring no longer needed.
Signed-off-by: Eric Snowberg --- security/integrity/digsig.c | 8 ++++++++ security/integrity/integrity.h | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..a8436c6b93ec 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -145,6 +145,14 @@ int __init integrity_init_keyring(const unsigned int id) return __integrity_init_keyring(id, perm, restriction); } +void __init integrity_destroy_keyring(const unsigned int id) +{ + if (id >= INTEGRITY_KEYRING_MAX) + return; + key_put(keyring[id]); + keyring[id] = NULL; +} + static int __init integrity_add_key(const unsigned int id, const void *data, off_t size, key_perm_t perm) { diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..f801b2076f01 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -164,6 +164,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_modsig_verify(unsigned int id, const struct modsig *modsig); int __init integrity_init_keyring(const unsigned int id); +void __init integrity_destroy_keyring(const unsigned int id); int __init integrity_load_x509(const unsigned int id, const char *path); int __init integrity_load_cert(const unsigned int id, const char *source, const void *data, size_t len, key_perm_t perm); 
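Review bot: integrity_destroy_keyring() releases only the reference this file holds (key_put()) and clears the slot; it does not revoke the keyring. Any other reference holder therefore keeps the ring and the keys linked into it fully usable after the "destroy", which is weaker than the name and the commit message ("remove a keyring no longer needed") suggest. If the design requires the ring to be unusable once boot is over, key_revoke() it before dropping the reference; otherwise document that the function only drops the integrity subsystem's reference. Also, an out-of-range id is silently ignored; a WARN_ON_ONCE() on that branch would make a mis-indexed caller visible instead of hiding it.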
@@ -187,6 +188,10 @@ static inline int integrity_init_keyring(const unsigned int id) return 0; } +static inline void __init integrity_destroy_keyring(const unsigned int id) +{ +} + static inline int __init integrity_load_cert(const unsigned int id, const char *source, const void *data, size_t len,
From patchwork Wed Jul 7 02:43:56 2021 X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361481
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 05/12] integrity: Introduce mok keyring Date: Tue, 6 Jul 2021 22:43:56 -0400 Message-Id: <20210707024403.1083977-6-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Introduce a new keyring called mok. This keyring will be used during boot. Afterwards it will be destroyed. Follow-on patches will use this keyring to load trusted MOK keys.
Signed-off-by: Eric Snowberg --- security/integrity/Makefile | 3 ++- security/integrity/digsig.c | 1 + security/integrity/integrity.h | 7 ++++- security/integrity/platform_certs/load_uefi.c | 1 + .../integrity/platform_certs/mok_keyring.c | 26 +++++++++++++++++++ 5 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 security/integrity/platform_certs/mok_keyring.c diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 7ee39d66cf16..8e2e98cba1f6 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -9,7 +9,8 @@ integrity-y := iint.o integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ + platform_certs/mok_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index a8436c6b93ec..56800a5f1e10 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".mok", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index f801b2076f01..5126c80bd0d4 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MOK 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; @@ -282,9 +283,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING void __init add_to_platform_keyring(const char *source, const void *data, size_t len); +void __init destroy_mok_keyring(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) { } +static inline void __init destroy_mok_keyring(void) +{ +} #endif diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..94faa4b32441 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -193,6 +193,7 @@ static int __init load_uefi_certs(void) /* Load the MokListRT certs */ rc = load_moklist_certs(); + destroy_mok_keyring(); return rc; } diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c new file mode 100644 index 000000000000..2b0d17caf8fd --- /dev/null +++ b/security/integrity/platform_certs/mok_keyring.c 
@@ -0,0 +1,26 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * MOK keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int mok_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MOK); + if (rc) + return rc; + + pr_notice("MOK Keyring initialized\n"); + return 0; +} +device_initcall(mok_keyring_init); + +void __init destroy_mok_keyring(void) +{ + return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK); +}
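Review bot: destroy_mok_keyring() returns the value of a void call (`return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK);`), which ISO C does not permit in a function returning void and GCC flags under -Wpedantic; drop the `return`. The ring's lifetime is also asymmetric: mok_keyring_init() creates `.mok` unconditionally from a device_initcall, but destroy_mok_keyring() is only reached at the tail of load_uefi_certs() in the load_uefi.c hunk, so any earlier return in that loader leaves the ring alive, and a kernel built with CONFIG_INTEGRITY_PLATFORM_KEYRING but without CONFIG_LOAD_UEFI_KEYS (the Makefile hunk builds mok_keyring.o under the former and load_uefi.o under the latter) never destroys it at all. Consider tearing the ring down from the file that creates it, in a later initcall that does not depend on the UEFI loader's control flow. Finally, nothing in this hunk says which link restriction and permissions integrity_init_keyring() attaches to the new INTEGRITY_KEYRING_MOK id; since this ring is meant to receive MOK certificates that are not necessarily signed by a built-in key, that restriction is the security-relevant decision and should be visible in the patch or stated in the commit message.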
From patchwork Wed Jul 7 02:43:57 2021 X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361499
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 06/12] integrity: Trust mok keys if MokListTrustedRT found Date: Tue, 6 Jul 2021 22:43:57 -0400 Message-Id: <20210707024403.1083977-7-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
A new MOK variable called MokListTrustedRT has been introduced in shim. When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel.

MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set. Therefore, this can not be defeated by simply creating a MokListTrustedRT variable from Linux; the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_mok_keys to return false.

Signed-off-by: Eric Snowberg
--- .../integrity/platform_certs/mok_keyring.c | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index 2b0d17caf8fd..666fa355996d 100644 --- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c @@ -5,8 +5,11 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc; 
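Review bot: `bool trust_mok;` in this hunk is a writable, non-static global with no extern declaration in any header, and the only writer in the patch is a single assignment from a late_initcall. Unless another translation unit needs direct access, make it `static bool trust_mok __ro_after_init;` so the flag becomes read-only once init completes and cannot be flipped afterwards.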
@@ -24,3 +27,38 @@ void __init destroy_mok_keyring(void) { return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK); } + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the kernel. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. + */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +} + +static __init int mok_keyring_trust_setup(void) +{ + if (uefi_check_trust_mok_keys()) + trust_mok = true; + return 0; +} + +late_initcall(mok_keyring_trust_setup);
From patchwork Wed Jul 7 02:43:58 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12361501
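Review bot: uefi_check_trust_mok_keys() calls efi.get_variable() unconditionally from a late_initcall; add an early `if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false;` so the check is safe when EFI runtime services are disabled or GetVariable is not supported at runtime. Two smaller points in the same hunk: the trust decision silently becomes false whenever the variable is larger than sizeof(mtrust) (status would be EFI_BUFFER_TOO_SMALL rather than EFI_SUCCESS), which is worth stating in the comment since the value itself is never inspected, and the comment typos "thru" and "mirrioring" should read "through" and "mirroring".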
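The rule described in the commit message (variable present and EFI_VARIABLE_NON_VOLATILE clear) can also be checked from userspace, because efivarfs exposes each variable as a file whose first four bytes are the little-endian attribute word. The following is an added example, not code from the patch series; it assumes the efivarfs file name MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23 (variable name plus the shim lock GUID) and the enum and function names are mine.

```c
/* Added example, not part of the patch series: apply the MokListTrustedRT
 * rule from userspace by reading the variable through efivarfs, where each
 * variable is a file whose first 4 bytes are the little-endian attribute
 * word and the rest is the variable data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI variable attribute bits (from the UEFI spec). */
#define EFI_VARIABLE_NON_VOLATILE       0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004u

/* Assumed path: variable name plus the shim lock GUID (EFI_SHIM_LOCK_GUID). */
#define MOK_TRUSTED_PATH \
    "/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23"

enum mok_trust {
    MOK_TRUST_ABSENT = 0,    /* no variable (or unreadable): do not trust MOK keys */
    MOK_TRUST_GRANTED = 1,   /* volatile runtime variable, i.e. mirrored by shim */
    MOK_TRUST_DENIED_NV = 2  /* NON_VOLATILE set: could have been created from the
                                OS after ExitBootServices, so do not trust */
};

/*
 * Same decision as uefi_check_trust_mok_keys(): the variable must exist and
 * EFI_VARIABLE_NON_VOLATILE must be clear. A short read is treated like a
 * missing variable, mirroring the kernel's "not EFI_SUCCESS -> false".
 */
enum mok_trust mok_trust_from_efivar(const uint8_t *buf, size_t len)
{
    uint32_t attr;

    if (buf == NULL || len < 4)
        return MOK_TRUST_ABSENT;
    /* assemble the attribute word byte by byte so host endianness does not matter */
    attr = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (attr & EFI_VARIABLE_NON_VOLATILE)
        return MOK_TRUST_DENIED_NV;
    return MOK_TRUST_GRANTED;
}

/* Read the live variable file; an unreadable file counts as absent. */
enum mok_trust mok_trust_from_path(const char *path)
{
    uint8_t buf[64];
    size_t n;
    FILE *f = fopen(path, "rb");

    if (f == NULL)
        return MOK_TRUST_ABSENT;
    n = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    return mok_trust_from_efivar(buf, n);
}

int main(void)
{
    static const char *const names[] = {
        "absent, MOK keys not trusted",
        "present and volatile, MOK keys trusted",
        "present but NON_VOLATILE set, MOK keys not trusted",
    };

    printf("MokListTrustedRT: %s\n", names[mok_trust_from_path(MOK_TRUSTED_PATH)]);
    return 0;
}
```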
From: Eric Snowberg
Subject: [PATCH RFC 07/12] integrity: add add_to_mok_keyring
Date: Tue, 6 Jul 2021 22:43:58 -0400
Message-Id: <20210707024403.1083977-8-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Add the ability to load MOK keys to the mok keyring. If the permissions do not allow the key to be added to the MOK keyring, this is not an error; add it to the platform keyring instead.
Signed-off-by: Eric Snowberg --- security/integrity/integrity.h | 4 ++++ .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 5126c80bd0d4..68720fa6454f 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -284,6 +284,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init destroy_mok_keyring(void); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -292,4 +293,7 @@ static inline void __init add_to_platform_keyring(const char *source, static inline void __init destroy_mok_keyring(void) { } +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ +} #endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index 666fa355996d..a5644a8a834c 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c 
@@ -28,6 +28,27 @@ void __init destroy_mok_keyring(void) return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK); } +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); + + /* + * If the mok keyring restrictions prevented the cert from loading, + * this is not an error. Just load it into the platform keyring + * instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to mok keyring %s\n", source); +} + /* * Try to load the MokListTrustedRT UEFI variable to see if we should trust * the mok keys within the kernel. It is not an error if this variable
From patchwork Wed Jul 7 02:43:59 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12361495
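Review bot: the `#else` stub `void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { }` added to integrity.h is missing `static inline`, unlike the neighbouring `static inline void __init destroy_mok_keyring(void) { }`; as written, every translation unit that includes integrity.h with the option disabled emits its own external definition, which fails to link. Change it to `static inline void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { }`.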
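Review bot: in add_to_mok_keyring() the fallback to INTEGRITY_KEYRING_PLATFORM is silent, and the final message `Error adding keys to mok keyring %s` is also printed when it was the platform keyring load that failed. Log the demotion (pr_debug at least) so an operator can tell that a MOK certificate was rejected by the .mok restriction and ended up in .platform, and make the error message name the keyring that actually failed and include rc.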
From: Eric Snowberg
Subject: [PATCH RFC 08/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_secondary_trusted_or_ca
Date: Tue, 6 Jul 2021 22:43:59 -0400
Message-Id: <20210707024403.1083977-9-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_secondary_trusted_or_ca.
This will only allow keys into the mok keyring that are either a CA or trusted by a key contained within the secondary trusted keyring. Signed-off-by: Eric Snowberg --- security/integrity/digsig.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 56800a5f1e10..07547f1a4806 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c 
@@ -140,6 +140,11 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_secondary_trusted_or_ca; + else + restriction->check = restrict_link_to_ima; + perm |= KEY_USR_WRITE; out:
From patchwork Wed Jul 7 02:44:00 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12361483
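Review bot: the context line `restriction->check = restrict_link_to_ima;` is kept and then immediately overwritten by the new if/else, so the assignment runs twice for every keyring and the `else` branch is redundant. Turn that context line into a `-` line (the `else` branch already sets restrict_link_to_ima), or reduce the addition to a single `if (id == INTEGRITY_KEYRING_MOK)` override after the existing assignment; the hunk header's 6-to-11 count shows only additions were made.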
From: Eric Snowberg
Subject: [PATCH RFC 09/12] integrity: accessor function to get trust_moklist
Date: Tue, 6 Jul 2021 22:44:00 -0400
Message-Id: <20210707024403.1083977-10-eric.snowberg@oracle.com>
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Add an accessor function to see if the mok list should be trusted.
Signed-off-by: Eric Snowberg --- security/integrity/integrity.h | 5 +++++ security/integrity/platform_certs/mok_keyring.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 68720fa6454f..a5f7af825f9b 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -285,6 +285,7 @@ void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init destroy_mok_keyring(void); void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -296,4 +297,8 @@ static inline void __init destroy_mok_keyring(void) void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index a5644a8a834c..7d23772a1135 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c 
@@ -83,3 +83,8 @@ static __init int mok_keyring_trust_setup(void) } late_initcall(mok_keyring_trust_setup); + +bool __init trust_moklist(void) +{ + return trust_mok; +} From patchwork Wed Jul 7 02:44:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361503 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF6B8C11F68 for ; Wed, 7 Jul 2021 02:45:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A4AB461CB2 for ; Wed, 7 Jul 2021 02:45:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230225AbhGGCsP (ORCPT ); Tue, 6 Jul 2021 22:48:15 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:64340 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230120AbhGGCr6 (ORCPT ); Tue, 6 Jul 2021 22:47:58 -0400 Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1672a9Z7004644; Wed, 7 Jul 2021 02:44:48 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=VGxuXowtbQESZvPNXTxJtfyZD+1TLYu5wqxvVdsFu7o=; b=CysHKMbG+OKP/uSvJ9Y3nbENuYsk+4Rjps2ef6KvQL7k0BXRpTEtwim0zDu7VMui7uoi 
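Review bot: trust_moklist() returns trust_mok, which is only assigned once mok_keyring_trust_setup() has run, and the context of the mok_keyring.c hunk shows that function registered with late_initcall(); any caller that also runs from an initcall (the get_handler_for_mok() path added in patch 10, reached from load_moklist_certs()) therefore sees a value that depends on initcall ordering. Please either show in the changelog that the consumers run strictly after this initcall, or have trust_moklist() compute the decision lazily on first call rather than returning a flag set elsewhere. The integrity.h stub that returns false when the platform keyring code is compiled out is the right default, since the MOK keys then fall back to the platform keyring instead of being trusted.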
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 10/12] integrity: add new keyring handler Date: Tue, 6 Jul 2021 22:44:01 -0400 Message-Id: <20210707024403.1083977-11-eric.snowberg@oracle.com> In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Add a new keyring handler for the mok keyring. If the Secondary trusted keyring is enabled and the end-user trusts the MOK keys, this new keyring handler is used. Signed-off-by: Eric Snowberg --- .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++- .../integrity/platform_certs/keyring_handler.h | 5 +++++ security/integrity/platform_certs/load_uefi.c | 4 ++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..b6daeb1e3de5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c
@@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) { @@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) && trust_moklist()) + return add_to_mok_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 94faa4b32441..f021dd81f080 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c 
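Review bot: get_handler_for_mok() sends every X.509 entry in MokListRT to add_to_mok_keyring() without any per-certificate restriction of its own; the only gate is the later check applied when the key is moved into the secondary keyring (patch 11). The comment above the function, and the one added to keyring_handler.h ("found in the mok"), should say this explicitly and name MokListRT, so that a reader of this file does not take the handler itself to be the trust decision. Minor: the rewritten get_handler_for_db() comment should read "the UEFI db table" (singular), since MokListRT was removed from it and only one table remains.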
@@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; 
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc); From patchwork Wed Jul 7 02:44:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361497 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C76DDC11F6C for ; Wed, 7 Jul 2021 02:45:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B383961C81 for ; Wed, 7 Jul 2021 02:45:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230146AbhGGCsM (ORCPT ); Tue, 6 Jul 2021 22:48:12 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:62926 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229894AbhGGCr4 (ORCPT ); Tue, 6 Jul 2021 22:47:56 -0400 Received: from pps.filterd (m0246629.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1672a8XF017205; Wed, 7 Jul 2021 02:44:52 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; 
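Review bot: with both MokListRT call sites switched to get_handler_for_mok(), the untrusted case (CONFIG_SECONDARY_TRUSTED_KEYRING disabled or trust_moklist() false) still resolves X.509 entries to add_to_platform_keyring(), which is exactly what get_handler_for_db() returned before, so behaviour is unchanged on that path; the commit message should state this so reviewers do not have to derive it. It also means the MOKvar-table path and the EFI-variable fallback both now depend on trust_moklist() having been initialised before load_moklist_certs() runs, which ties back to the initcall-ordering question on patch 09.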
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 11/12] integrity: move keys from the mok keyring into the secondary keyring Date: Tue, 6 Jul 2021 22:44:02 -0400 Message-Id: <20210707024403.1083977-12-eric.snowberg@oracle.com> In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Keys added to the mok keyring are only stored there temporarily.
After passing the permissions check, move the key from the mok keyring into the secondary trusted keyring. Signed-off-by: Eric Snowberg --- security/integrity/digsig.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 07547f1a4806..e301cee037bf 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c 
@@ -175,8 +175,13 @@ static int __init integrity_add_key(const unsigned int id, const void *data, rc = PTR_ERR(key); pr_err("Problem loading X.509 certificate %d\n", rc); } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); + if (id == INTEGRITY_KEYRING_MOK) + rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key), + keyring[id]); + else + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); } From patchwork Wed Jul 7 02:44:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 12361493 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MSGID_FROM_MTA_HEADER,SPF_HELO_NONE, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A52D4C11F7D for ; Wed, 7 Jul 2021 02:45:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 91D9661CB7 for ; Wed, 7 Jul 2021 02:45:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230259AbhGGCsK (ORCPT ); Tue, 6 Jul 2021 22:48:10 -0400 Received: from mx0a-00069f02.pphosted.com ([205.220.165.32]:62660 "EHLO mx0a-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230081AbhGGCr4 (ORCPT ); Tue, 6 Jul 2021 22:47:56 -0400 Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1672aK8f015829; Wed, 7 Jul 2021 02:44:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
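Review bot: in the else branch, rc now takes the return value of move_to_trusted_secondary_keyring(); when that move fails the key has already been created in keyring[id] for INTEGRITY_KEYRING_MOK, and the hunk neither unlinks it nor logs anything, so integrity_add_key() returns an error while leaving the key behind in the mok keyring. Either unlink the key on a failed move or explain in the commit message why leaving it there is harmless. Also consider a pr_notice() on a successful move: the "Loaded X.509 cert" message is now skipped for MOK keys, so keys promoted into the secondary trusted keyring would otherwise leave no trace in the boot log.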
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH RFC 12/12] integrity: Suppress error message for keys added to the mok keyring Date: Tue, 6 Jul 2021 22:44:03 -0400 Message-Id: <20210707024403.1083977-13-eric.snowberg@oracle.com> In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com> References: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Suppress the error message for keys added to the mok keyring. If an error occurs, the key will be added to the platform keyring instead.

Signed-off-by: Eric Snowberg
---
security/integrity/digsig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index e301cee037bf..50bdf839fa44 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -173,7 +173,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data, KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); - pr_err("Problem loading X.509 certificate %d\n", rc); + if (id != INTEGRITY_KEYRING_MOK) + pr_err("Problem loading X.509 certificate %d\n", rc); } else { if (id == INTEGRITY_KEYRING_MOK) rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key),
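Review bot: The `if (id != INTEGRITY_KEYRING_MOK)` guard in the `IS_ERR(key)` branch drops the only log line that records a certificate failing to enter the mok keyring, which makes the fallback to the platform keyring described in the commit message invisible to anyone auditing which keyring a cert ended up in; consider keeping a message at a lower level for that case, e.g. `pr_info("Problem loading X.509 certificate %d into mok keyring, falling back\n", rc);`, rather than printing nothing. The hunk also still sets `rc = PTR_ERR(key)` and returns it for the MOK case, yet nothing in these lines performs the platform-keyring fallback the commit message promises; a short comment above the new check naming where that fallback happens would help the next reader verify the behaviour.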
