From patchwork Mon Jul 26 17:13:08 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400329
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 01/12] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)
Date: Mon, 26 Jul 2021 13:13:08 -0400
Message-Id: <20210726171319.3133879-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Many UEFI Linux distributions boot using shim. The UEFI shim provides what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next step in the boot chain. The MOK facility can be used to import user-generated keys. These keys can be used to sign an end-user's development kernel build.

When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux .platform keyring.

Add a new Linux keyring called .mok. This keyring shall contain just MOK keys and not the remaining keys in the platform keyring. This new .mok keyring will be used in follow-on patches. Unlike keys in the platform keyring, keys contained in the .mok keyring will be trusted within the kernel if the end-user has chosen to do so.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed destroy keyring code
---
 security/integrity/Makefile                  |  3 ++-
 security/integrity/digsig.c                  |  1 +
 security/integrity/integrity.h               |  3 ++-
 .../integrity/platform_certs/mok_keyring.c   | 21 +++++++++++++++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 security/integrity/platform_certs/mok_keyring.c
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index 7ee39d66cf16..8e2e98cba1f6 100644
--- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -9,7 +9,8 @@ integrity-y := iint.o integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ + platform_certs/mok_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..e07334504ef1 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".mok", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..e0e17ccba2e6 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MOK 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c new file mode 100644 index 000000000000..b1ee45b77731 --- /dev/null +++ b/security/integrity/platform_certs/mok_keyring.c 
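Review bot: in the Makefile hunk, mok_keyring.o is added under CONFIG_INTEGRITY_PLATFORM_KEYRING, the same symbol that builds platform_keyring.o, while the UEFI loader right below it is gated on CONFIG_LOAD_UEFI_KEYS. A MOK ring only has meaning on a shim/UEFI boot, so on every other platform-keyring configuration this creates an empty .mok ring that nothing can fill. Consider gating it on CONFIG_LOAD_UEFI_KEYS, or introducing a dedicated Kconfig symbol that later patches in the series can also use, so the ring exists only where shim can supply keys for it.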
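Review bot: in the digsig.c hunk, adding ".mok" to keyring_name[] is the only change to this file, so integrity_init_keyring(INTEGRITY_KEYRING_MOK) will create the ring with whatever permission mask and link restriction that helper already applies to the non-platform ids; nothing in this patch says what those are, and the commit message promises a ring that holds just MOK keys and that later patches will treat as trusted. Please either add an explicit INTEGRITY_KEYRING_MOK case to integrity_init_keyring() (no KEY_USR_WRITE, and a restriction that rejects links except from the kernel-internal loader) or state in the commit message why the existing defaults are right for this ring.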
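Review bot: in the new mok_keyring.c, `static __init int mok_keyring_init(void)` should be written `static int __init mok_keyring_init(void)`, the ordering used elsewhere in the tree. The `pr_notice("MOK Keyring initialized\n")` also fires on every boot of every configuration that builds this file, at a point where the ring is still empty; pr_info, or a message when keys are actually loaded into the ring, would be less noisy. A one-line comment on why device_initcall is the right level relative to the code that will later populate the ring from UEFI would help the next reader, since that ordering is the only thing that makes the ring useful.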
@@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * MOK keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int mok_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MOK); + if (rc) + return rc; + + pr_notice("MOK Keyring initialized\n"); + return 0; +} +device_initcall(mok_keyring_init);

From patchwork Mon Jul 26 17:13:09 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400331
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 02/12] KEYS: CA link restriction
Date: Mon, 26 Jul 2021 13:13:09 -0400
Message-Id: <20210726171319.3133879-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Add a new link restriction.
Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed) or by being vouched for by a key in either the built-in or the secondary trusted keyrings.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed secondary keyring references
---
 certs/system_keyring.c            | 21 +++++++++++
 crypto/asymmetric_keys/restrict.c | 60 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h       |  5 +++
 include/keys/system_keyring.h     |  6 ++++
 4 files changed, 92 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..0a7b16c28a72 100644
--- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -21,6 +21,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; +#define system_trusted_keys secondary_trusted_keys +#else +#define system_trusted_keys builtin_trusted_keys #endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; @@ -45,6 +48,24 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +/** + * restrict_link_by_system_trusted_or_ca - Restrict keyring + * addition by being a CA or vouched by the system trusted keyrings. + * + * Restrict the addition of keys in a keyring based on the key-to-be-added + * being a CA (self signed) or by being vouched for by a key in either + * the built-in or the secondary system keyrings. + */ +int restrict_link_by_system_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + return restrict_link_by_ca(dest_keyring, type, payload, + system_trusted_keys); +} + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 84cefe3b3585..75e4379226e8 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,66 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of public keys + * based on it being a CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: A key or ring of keys that can be used to vouch for the new cert. + * + * Check if the new certificate is a CA or if they key can be vouched for + * by keys already linked in the destination keyring or the trusted + * keyring. If one of those is the signing key or it is self signed, then + * mark the new certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + struct key *key; + int ret; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + ret = public_key_verify_signature(pkey, sig); + if (!ret) + return 0; + + if (!trust_keyring) + return -ENOKEY; + + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + false); + if (IS_ERR(key)) + return -ENOKEY; + + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { 
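Review bot: in the restrict.c hunk, the `ret = public_key_verify_signature(pkey, sig); if (!ret) return 0;` path accepts any certificate whose signature verifies under its own public key, which tests self-signedness, not whether the certificate is a CA: a self-signed end-entity certificate carrying no basicConstraints CA:TRUE and no keyCertSign usage is accepted just the same. That branch also runs before, and independently of, the trust_keyring lookup, so with this restriction installed any self-signed certificate can be linked into dest_keyring regardless of what the trusted ring contains. If "CA" is the intended meaning, basicConstraints/keyUsage have to be parsed and checked before that early return; if "self-signed" is the intended meaning, the function name and the kernel-doc should say so. Two smaller points in the same hunk: the kernel-doc describes @trusted while the parameter is named trust_keyring (kernel-doc warns on the mismatch), and the comment says keys "already linked in the destination keyring" can vouch for the new key while the code only searches trust_keyring, never dest_keyring; "if they key" should also read "if the key".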
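Review bot: in the certs/system_keyring.c @@ -21,6 +21,9 hunk, `#define system_trusted_keys secondary_trusted_keys` / `#define system_trusted_keys builtin_trusted_keys` aliases a static variable through the preprocessor, which hides the real symbol from grep and from anyone reading restrict_link_by_system_trusted_or_ca(); an #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING inside that function, or a small static helper returning the right struct key *, expresses the same choice without the macro. The v2 changelog says secondary keyring references were removed, yet this hunk still selects the secondary ring whenever it is configured, so the changelog and the code should be reconciled.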
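Review bot: in the certs/system_keyring.c @@ -45,6 +48,24 hunk, the kernel-doc block for restrict_link_by_system_trusted_or_ca() documents none of its four parameters, so scripts/kernel-doc will warn; @dest_keyring, @type, @payload and @restrict_key need one line each, and since restrict_key is unused it is worth saying it exists only to match the restriction callback signature. "self signed" in the comment should be "self-signed", and because the function is defined outside the CONFIG_SECONDARY_TRUSTED_KEYRING block while its text only talks about the built-in and secondary rings, the comment should also cover the builtin-only configuration it serves.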
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..2041254d74f4 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -28,6 +28,12 @@ static inline __init int load_module_cert(struct key *keyring) #endif +extern int restrict_link_by_system_trusted_or_ca( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING extern int restrict_link_by_builtin_and_secondary_trusted( struct key *keyring,

From patchwork Mon Jul 26 17:13:10 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400315
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 03/12] integrity: Trust MOK keys if MokListTrustedRT found
Date: Mon, 26 Jul 2021 13:13:10 -0400
Message-Id: <20210726171319.3133879-4-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim.
When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel.

MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set. Therefore, this cannot be defeated by simply creating a MokListTrustedRT variable from Linux; the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_mok_keys to return false.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: removed mok_keyring_trust_setup function
---
 .../integrity/platform_certs/mok_keyring.c | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index b1ee45b77731..fe4f2d336260 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -5,6 +5,7 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" static __init int mok_keyring_init(void)
@@ -19,3 +20,29 @@ static __init int mok_keyring_init(void) return 0; } device_initcall(mok_keyring_init); + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the kernel. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. + */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +}
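Review bot: uefi_check_trust_mok_keys() is added as a static __init function with no caller in this patch (the v2 changelog says the mok_keyring_trust_setup caller was removed), so until a later patch in the series references it, the build warns about an unused static function; either introduce it together with its first use or mark it __maybe_unused for the intermediate state. Minor: the comment reads "set thru shim mirrioring" and "host os"; it should read "set through shim mirroring" and "host OS".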
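The commit message above explains the trick the kernel relies on: a MokListTrustedRT created by shim before Exit Boot Services lacks EFI_VARIABLE_NON_VOLATILE, while anything created from the running OS must carry it. The following is an added example, not code from the patch or from shim, that applies the same attribute test from user space over the efivarfs representation of the variable (efivarfs exposes each variable as a file whose first four bytes are the little-endian attribute word, followed by the data). The sample blobs are constructed, the function names and the MOK_TRUSTED_PATH macro are this example's own, and the GUID in that path is the value of EFI_SHIM_LOCK_GUID.

```c
/* Added example (not part of the patch): user-space mirror of the
 * EFI_VARIABLE_NON_VOLATILE test that uefi_check_trust_mok_keys() applies,
 * run over efivarfs-format blobs. Sample blobs below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI variable attribute bits, as defined for SetVariable() in the UEFI spec. */
#define EFI_VARIABLE_NON_VOLATILE       0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004u

/* efivarfs path of the variable (assumed layout: name-GUID); the GUID is
 * the value of EFI_SHIM_LOCK_GUID used by the kernel and by shim. */
#define MOK_TRUSTED_PATH \
    "/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23"

enum mok_trust { MOK_TRUST_ABSENT, MOK_TRUST_REJECTED, MOK_TRUST_OK };

/* Decode the 4-byte little-endian attribute word that efivarfs prepends to
 * the variable data. Returns false if the blob is too short to carry it. */
static bool efivarfs_attrs(const uint8_t *blob, size_t len, uint32_t *attrs)
{
    if (blob == NULL || len < 4)
        return false;
    *attrs = (uint32_t)blob[0] | ((uint32_t)blob[1] << 8) |
             ((uint32_t)blob[2] << 16) | ((uint32_t)blob[3] << 24);
    return true;
}

/* Same decision as the kernel: trust MOK keys only when the variable exists
 * and EFI_VARIABLE_NON_VOLATILE is clear. A NULL blob models "not present". */
static enum mok_trust mok_trust_decision(const uint8_t *blob, size_t len)
{
    uint32_t attrs;

    if (!efivarfs_attrs(blob, len, &attrs))
        return MOK_TRUST_ABSENT;
    return (attrs & EFI_VARIABLE_NON_VOLATILE) ? MOK_TRUST_REJECTED
                                                : MOK_TRUST_OK;
}

/* Read the live variable from efivarfs; only meaningful on an EFI system.
 * A missing file (non-EFI boot, or shim never created the variable) is
 * reported as MOK_TRUST_ABSENT, which is not an error. */
static enum mok_trust mok_trust_from_efivarfs(const char *path)
{
    uint8_t buf[64];
    size_t n;
    FILE *f = fopen(path, "rb");

    if (f == NULL)
        return MOK_TRUST_ABSENT;
    n = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    return mok_trust_decision(buf, n);
}

/* Constructed samples: attribute word followed by a one-byte payload. */
static const uint8_t sample_shim_mirrored[] = { 0x06, 0x00, 0x00, 0x00, 0x01 }; /* BS|RT */
static const uint8_t sample_set_from_os[]   = { 0x07, 0x00, 0x00, 0x00, 0x01 }; /* NV|BS|RT */

int main(void)
{
    printf("shim-mirrored blob: %d\n",
           mok_trust_decision(sample_shim_mirrored, sizeof(sample_shim_mirrored)));
    printf("blob set from OS:   %d\n",
           mok_trust_decision(sample_set_from_os, sizeof(sample_set_from_os)));
    printf("live system:        %d\n", mok_trust_from_efivarfs(MOK_TRUSTED_PATH));
    return 0;
}
```

On a machine booted through shim with the MOK trust option enabled, the live read returns MOK_TRUST_OK; a variable written from Linux via efivarfs always carries NV|BS|RT and is rejected, which is the property the commit message relies on.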

From: Eric Snowberg
Subject: [PATCH RFC v2 04/12] integrity: add add_to_mok_keyring
Date: Mon, 26 Jul 2021 13:13:11 -0400
Message-Id: <20210726171319.3133879-5-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
If the permissions do not allow the key to be added to the mok keyring, this is not an error; add it to the platform keyring instead.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Unmodified from v1
---
 security/integrity/integrity.h | 4 ++++
 .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e0e17ccba2e6..60d5c7ba05b2 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING void __init add_to_platform_keyring(const char *source, const void *data, size_t len); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) { } +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ +} #endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index fe4f2d336260..f260edac0863 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
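Review bot: in the #else branch of integrity.h the add_to_mok_keyring() stub is a plain (non-static, non-inline) function definition living in a header, so with CONFIG_INTEGRITY_PLATFORM_KEYRING disabled every translation unit that includes integrity.h emits its own copy and the link fails on the duplicate symbol; it should match the add_to_platform_keyring() stub directly above it: `static inline void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { }`.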
@@ -21,6 +21,27 @@ static __init int mok_keyring_init(void) } device_initcall(mok_keyring_init); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); + + /* + * If the mok keyring restrictions prevented the cert from loading, + * this is not an error. Just load it into the platform keyring + * instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to mok keyring %s\n", source); +} + /* * Try to load the MokListTrustedRT UEFI variable to see if we should trust * the mok keys within the kernel. It is not an error if this variable
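Review bot: the fallback `if (rc)` retries on any non-zero return from integrity_load_cert(), not only when the mok keyring restriction rejected the certificate, so an allocation failure or an unparsable certificate is silently retried against the platform keyring, and the final pr_info() names the mok keyring although the error it reports came from the platform keyring attempt. Suggest falling back only on the error code the restriction check returns and making the message name the keyring that actually failed, e.g. `pr_info("Error adding keys to platform keyring %s\n", source);`.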

From: Eric Snowberg
Subject: [PATCH RFC v2 05/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_system_trusted_or_ca
Date: Mon, 26 Jul 2021 13:13:12 -0400
Message-Id: <20210726171319.3133879-6-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_system_trusted_or_ca. This will only allow keys into the mok keyring that are either a CA or trusted by a key contained within the builtin or secondary trusted keyring.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) check so the mok keyring gets created even when it isn't enabled
---
 security/integrity/digsig.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index e07334504ef1..2f6898c89f60 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -132,7 +132,7 @@ int __init integrity_init_keyring(const unsigned int id) goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MOK) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
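Review bot: the new condition `if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MOK)` makes the mok keyring the one keyring that still gets a restriction when CONFIG_INTEGRITY_TRUSTED_KEYRING is off, and nothing in the code says why; the reason is only in the v2 changelog. Add a short comment above the test (the mok keyring must always be restricted because keys in it are trusted by the kernel) so a later cleanup does not fold the condition back to the original form.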
@@ -140,6 +140,11 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_system_trusted_or_ca; + else + restriction->check = restrict_link_to_ima; + perm |= KEY_USR_WRITE; out:
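Review bot: the unchanged context line `restriction->check = restrict_link_to_ima;` is kept directly above the new if/else, so the `else` branch only repeats an assignment that was just made. Either turn that context line into a `-` line so the if/else becomes the single assignment, or drop the else and keep only `if (id == INTEGRITY_KEYRING_MOK) restriction->check = restrict_link_by_system_trusted_or_ca;`.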
From patchwork Mon Jul 26 17:13:13 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400337
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 06/12] integrity: accessor function to get trust_moklist
Date: Mon, 26 Jul 2021 13:13:13 -0400
Message-Id: <20210726171319.3133879-7-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add an accessor function to see if the mok list should be trusted.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Added trust_moklist function
---
security/integrity/integrity.h | 5 +++++
security/integrity/platform_certs/mok_keyring.c | 16 ++++++++++++++++
2 files changed, 21 insertions(+)

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 60d5c7ba05b2..1fcefceb0da1 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -279,6 +279,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -287,4 +288,8 @@ static inline void __init add_to_platform_keyring(const char *source, void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index f260edac0863..c7820d9136f3 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -8,6 +8,8 @@ #include #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc; 
@@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +}
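Review bot: in the first mok_keyring.c hunk `bool trust_mok;` is a file-scope variable with external linkage, but no header declares it and the only reader in this patch is `trust_moklist()` in the same file, so it should be `static` (sparse will otherwise warn that the symbol was not declared). It is only ever written from `__init` code and afterwards decides which keyring MOK certificates land in, so `static bool trust_mok __ro_after_init;` would also make the trust decision read-only once boot is done.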
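Review bot: `trust_moklist()` caches `uefi_check_trust_mok_keys()` behind a static `initialized` flag, but nothing explains why the value is not simply computed once in `mok_keyring_init()`; if the reason is that callers can run before that initcall, say so in a comment above the function, and note that the flag is unprotected, which is only safe while every caller is `__init` and single-threaded as here. The body can also shrink to `trust_mok = uefi_check_trust_mok_keys();` inside the `if (!initialized)` block, since `trust_mok` starts out false.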
From patchwork Mon Jul 26 17:13:14 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400317
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 07/12] integrity: add new keyring handler for mok keys
Date: Mon, 26 Jul 2021 13:13:14 -0400
Message-Id: <20210726171319.3133879-8-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Currently both Secure Boot DB and Machine Owner Keys (MOK) go through the same keyring handler (get_handler_for_db).
With the addition of the new mok keyring, the end-user may choose to trust MOK keys. Introduce a new keyring handler specific for mok keys. If mok keys are trusted by the end-user, use the new keyring handler instead.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Unmodified from v1
---
.../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++-
.../integrity/platform_certs/keyring_handler.h | 5 +++++
security/integrity/platform_certs/load_uefi.c | 4 ++--
3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..1e15b65abc9f 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) { @@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (trust_moklist()) + return add_to_mok_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h
@@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..c1bfd1cd7cc3 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; 
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
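Review bot: in the `get_handler_for_mok()` hunk the `else` after `return add_to_mok_keyring;` is redundant (checkpatch warns about `else` following a `return`); the block reads more simply as `if (trust_moklist()) return add_to_mok_keyring; return add_to_platform_keyring;`. The function comment should also say explicitly that X.509 entries from MokListRT still go to the platform keyring when the mok list is not trusted, so the second return is not mistaken for an error path.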
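Review bot: both `load_moklist_certs()` hunks (the MOKvar-table path and the `MokListRT` EFI-variable fallback) now pass `get_handler_for_mok` unconditionally, so the trust decision lives inside the handler rather than at these call sites; the commit message ("If mok keys are trusted by the end-user, use the new keyring handler instead") describes a conditional switch at the call site and should be reworded to match. It is worth stating as well that MokListXRT is untouched by this patch and still goes through the dbx handler, so revocation entries never depend on the trust setting.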
From patchwork Mon Jul 26 17:13:15 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12400335
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 08/12] integrity: Suppress error message for keys added to the mok keyring
Date: Mon, 26 Jul 2021 13:13:15 -0400
Message-Id: <20210726171319.3133879-9-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Suppress the error message for keys added to the mok keyring. If an error occurs, the key will be added to the platform keyring instead.
Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Unmodified from v1
---
security/integrity/digsig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 2f6898c89f60..be4860c596b9 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c
@@ -165,7 +165,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data, KEY_ALLOC_NOT_IN_QUOTA); if (IS_ERR(key)) { rc = PTR_ERR(key); - pr_err("Problem loading X.509 certificate %d\n", rc); + if (id != INTEGRITY_KEYRING_MOK) + pr_err("Problem loading X.509 certificate %d\n", rc); } else { pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
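Review bot: dropping the `pr_err()` entirely for `INTEGRITY_KEYRING_MOK` also silences genuinely malformed certificates, not only the expected case the commit message refers to (a certificate rejected by the link restriction the mok keyring was given in patch 05); an `else` branch with `pr_debug()` (or `pr_info()`) carrying the same `rc`, e.g. `else pr_debug("Problem loading X.509 certificate %d\n", rc);`, would keep the fallback visible without noise in the log. The commit message also says the key "will be added to the platform keyring instead", but nothing in this hunk does that, so the message should name the patch in the series that implements the fallback.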

From: Eric Snowberg
Subject: [PATCH RFC v2 09/12] KEYS: add a reference to mok keyring
Date: Mon, 26 Jul 2021 13:13:16 -0400
Message-Id: <20210726171319.3133879-10-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Expose the .mok keyring created in integrity code by adding a reference. This makes the mok keyring accessible for keyring restrictions in the future.
Signed-off-by: Eric Snowberg
---
v2: Initial version
---
certs/system_keyring.c | 5 +++++
include/keys/system_keyring.h | 4 ++++
2 files changed, 9 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 0a7b16c28a72..dcaf74102ab2 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -27,6 +27,7 @@ static struct key *secondary_trusted_keys; #endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; +static struct key *mok_trusted_keys; #endif extern __initconst const u8 system_certificate_list[];
@@ -317,4 +318,8 @@ void __init set_platform_trusted_keys(struct key *keyring) { platform_trusted_keys = keyring; } +void __init set_mok_trusted_keys(struct key *keyring) +{ + mok_trusted_keys = keyring; +} #endif
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 2041254d74f4..1adf78ddc035 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h
@@ -94,10 +94,14 @@ static inline struct key *get_ima_blacklist_keyring(void) #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ defined(CONFIG_SYSTEM_TRUSTED_KEYRING) extern void __init set_platform_trusted_keys(struct key *keyring); +extern void __init set_mok_trusted_keys(struct key *keyring); #else static inline void set_platform_trusted_keys(struct key *keyring) { } +static void __init set_mok_trusted_keys(struct key *keyring) +{ +} #endif #endif /* _KEYS_SYSTEM_KEYRING_H */
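Review bot: the fallback stub in the #else branch, `+static void __init set_mok_trusted_keys(struct key *keyring)`, is missing `inline`, unlike the `static inline void set_platform_trusted_keys(struct key *keyring)` stub directly above it. A non-inline static function defined in a header is emitted in every translation unit that includes the header and produces an unused-function warning wherever it is not called, and `__init` on a header stub is unnecessary. Make it `static inline void set_mok_trusted_keys(struct key *keyring) { }` to match the existing stub.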

From: Eric Snowberg
Subject: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys
Date: Mon, 26 Jul 2021 13:13:17 -0400
Message-Id: <20210726171319.3133879-11-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Allow the .mok keyring to be linked to either the builtin_trusted_keys or the secondary_trusted_keys.
If CONFIG_SECONDARY_TRUSTED_KEYRING is enabled, mok keys are linked to the secondary_trusted_keys. Otherwise they are linked to the builtin_trusted_keys. After the link is created, keys contained in the .mok keyring will automatically be searched when searching either builtin_trusted_keys or secondary_trusted_keys.

Signed-off-by: Eric Snowberg
---
v2: Initial version
---
certs/system_keyring.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index dcaf74102ab2..b27ae30eaadc 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -45,6 +45,15 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, const union key_payload *payload, struct key *restriction_key) { + /* If the secondary trusted keyring is not enabled, we may link + * through to the mok keyring and the search may follow that link. + */ + if (mok_trusted_keys && type == &key_type_keyring && + dest_keyring == builtin_trusted_keys && + payload == &mok_trusted_keys->payload) + /* Allow the mok keyring to be added to the builtin */ + return 0; + return restrict_link_by_signature(dest_keyring, type, payload, builtin_trusted_keys); }
@@ -91,6 +100,15 @@ int restrict_link_by_builtin_and_secondary_trusted( /* Allow the builtin keyring to be added to the secondary */ return 0; + /* If we have a secondary trusted keyring, it may contain a link + * through to the mok keyring and the search may follow that link. + */ + if (mok_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &mok_trusted_keys->payload) + /* Allow the mok keyring to be added to the secondary */ + return 0; + return restrict_link_by_signature(dest_keyring, type, payload, secondary_trusted_keys); }
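Review bot: the builtin-keyring exception in the first hunk is not gated on the configuration its own comment describes. The comment reads `+ /* If the secondary trusted keyring is not enabled, we may link`, but the condition `+ if (mok_trusted_keys && type == &key_type_keyring &&` / `+ dest_keyring == builtin_trusted_keys &&` accepts a .mok link into builtin_trusted_keys in every configuration, including the one where the commit message says .mok is linked to secondary_trusted_keys instead. Add `!IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING)` to that condition so the restriction permits only the link the series actually creates. The same seven-line check is repeated in the second hunk for secondary_trusted_keys; a small helper taking the destination keyring would keep the two in step. The commit message should also name which verifications are affected, since anything that searches builtin_trusted_keys or secondary_trusted_keys will now find .mok keys.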
@@ -321,5 +339,8 @@ void __init set_platform_trusted_keys(struct key *keyring) void __init set_mok_trusted_keys(struct key *keyring) { mok_trusted_keys = keyring; + + if (key_link(system_trusted_keys, mok_trusted_keys) < 0) + panic("Can't link (mok) trusted keyrings\n"); } #endif
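Review bot: `+ if (key_link(system_trusted_keys, mok_trusted_keys) < 0)` / `+ panic("Can't link (mok) trusted keyrings\n");` turns any failure to link .mok into a boot halt. The existing builtin-to-secondary link panics too, but that joins two compiled-in keyrings; .mok is populated by integrity code during init, and a failed link there would be better handled by logging the error and continuing without MOK trust, resetting mok_trusted_keys to NULL so the restriction hooks stop honouring it. `system_trusted_keys` is also dereferenced with no NULL check, so a comment should record that set_mok_trusted_keys() must run after system_trusted_keyring_init() has created the keyring it links into.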

From: Eric Snowberg
Subject: [PATCH RFC v2 11/12] integrity: Do not allow mok keyring updates following init
Date: Mon, 26 Jul 2021 13:13:18 -0400
Message-Id: <20210726171319.3133879-12-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
The mok keyring is set up during init. No additional keys should be allowed to be added afterwards. Leave the permission as read only.

Signed-off-by: Eric Snowberg
---
v2: Initial version
---
security/integrity/digsig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index be4860c596b9..3a12cc85b528 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c
@@ -145,7 +145,8 @@ int __init integrity_init_keyring(const unsigned int id) else restriction->check = restrict_link_to_ima; - perm |= KEY_USR_WRITE; + if (id != INTEGRITY_KEYRING_MOK) + perm |= KEY_USR_WRITE; out: return __integrity_init_keyring(id, perm, restriction);
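Review bot: the hunk withholds only KEY_USR_WRITE from the MOK keyring, so the "read only" claim in the commit message depends on which other bits `perm` still carries from its initialisation outside this hunk; the commit message should spell out which bits remain (for instance any possessor bits the kernel itself needs to link keys at init) so a reviewer can confirm that no userspace path can add keys after boot. A short comment above the new `if (id != INTEGRITY_KEYRING_MOK)` would also help, e.g. `/* MOK keys are loaded once at init; never grant userspace write access */`. If the `if` that the visible `else restriction->check = restrict_link_to_ima;` belongs to already branches on INTEGRITY_KEYRING_MOK, folding `perm |= KEY_USR_WRITE;` into that `else` branch would avoid testing the id twice.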
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 12/12] integrity: store reference to mok keyring
Date: Mon, 26 Jul 2021 13:13:19 -0400
Message-Id: <20210726171319.3133879-13-eric.snowberg@oracle.com>
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>
References: <20210726171319.3133879-1-eric.snowberg@oracle.com>
Store a reference to the mok keyring in system keyring code. The reference is only set when trust_moklist is true.
This prevents the mok keyring from linking to either the builtin or secondary trusted keyrings with an empty mok list. Signed-off-by: Eric Snowberg --- v2: Initial version --- security/integrity/digsig.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3a12cc85b528..cf13f4c56517 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_MOK && trust_moklist()) + set_mok_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); }
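Review bot: the commit message's claim that an empty mok list cannot link into the builtin or secondary trusted keyrings rests entirely on `trust_moklist()`, which is not visible in this hunk; state, in the message or in a comment above the new `if (id == INTEGRITY_KEYRING_MOK && trust_moklist())`, what that helper checks and that it is safe to evaluate this early in `__init`, since `set_mok_trusted_keys(keyring[id])` is the only thing deciding whether the system keyring code consults MOK keys at all. Also confirm that `set_mok_trusted_keys()` and `trust_moklist()` have no-op stubs for configurations where the MOK keyring code is compiled out, otherwise this hunk breaks those builds. Stylistically, the growing chain of `if (id == INTEGRITY_KEYRING_...)` tests inside this `else` branch (PLATFORM, MOK, IMA) is a candidate for a `switch (id)`.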