From patchwork Wed Apr 6 01:53:31 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12803255
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 1/7] KEYS: Create static version of public_key_verify_signature
Date: Tue, 5 Apr 2022 21:53:31 -0400
Message-Id: <20220406015337.4000739-2-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version in this case and return -EINVAL.

Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */

From patchwork Wed Apr 6 01:53:32 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12803256
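Review bot: the commit message describes the case where CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is "not defined", but the guard is IS_REACHABLE(), which is also false when the subtype is built as a module and the caller is built in; in that configuration a built-in caller silently gets -EINVAL from the stub instead of a link error, so the message should say so and the callers added later in the series should be checked for that combination. The stub does fail closed (every verification attempt returns an error, never 0), which is the right default for a signature check; a one-line comment above the `#else` branch stating that intent would save the next reader from wondering whether -EINVAL is a placeholder.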
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 2/7] KEYS: X.509: Parse Basic Constraints for CA
Date: Tue, 5 Apr 2022 21:53:32 -0400
Message-Id: <20220406015337.4000739-3-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the x509_certificate. This will be used in a follow on patch that requires knowing if the public key is a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 crypto/asymmetric_keys/x509_parser.h      | 1 +
 2 files changed, 10 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 2899ed80bb18..30f7374ea9c0 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -583,6 +583,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->is_root_ca = true; + } + return 0; } diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 97a886cbe01c..dc45df9f6594 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h 
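Review bot: the final condition tests `v[3] == 1`, which is the length octet of the cA BOOLEAN, and never examines the value octet `v[4]`, so an extension encoded as `30 03 01 01 00` (cA explicitly FALSE, which DER forbids but BER permits) also sets is_root_ca. Because this flag feeds a trust decision in a later patch, require `vlen >= 5` and test the value (`v[4] == 0xff` for DER TRUE) rather than the length, and reject anything else as -EBADMSG. A comment saying that `v[1] != vlen - 2` deliberately accepts only short-form lengths would also help, since that is the check which keeps every later `v[n]` index in bounds. Naming: cA TRUE is asserted by intermediate CAs as well as roots, so `is_ca` describes what is parsed more accurately than `is_root_ca`.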
@@ -38,6 +38,7 @@ struct x509_certificate { bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; + bool is_root_ca; /* T if basic constraints CA is set */ }; /*

From patchwork Wed Apr 6 01:53:33 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12803258
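Review bot: the comment on the new field is accurate but the name is not: Basic Constraints cA=TRUE is set on every CA certificate, intermediate or root, and the struct already carries `self_signed` for the root-like case, so `is_ca` keeps a reader from conflating the two. Whatever the name, the comment should say that the flag records only what the certificate claims about itself; whether that claim is trusted is decided by whichever keyring policy consumes it later in the series.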
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 3/7] KEYS: X.509: Parse Key Usage
Date: Tue, 5 Apr 2022 21:53:33 -0400
Message-Id: <20220406015337.4000739-4-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Parse the X.509 Key Usage. The key usage extension defines the purpose of the key contained in the certificate.

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     contentCommitment       (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow on patch that requires knowing the certificate key usage type.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 20 ++++++++++++++++++++
 crypto/asymmetric_keys/x509_parser.h      |  1 +
 2 files changed, 21 insertions(+)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 30f7374ea9c0..a89f1e0c8a0f 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -576,6 +576,26 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string to validate keyCertSign + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing) + * v[3] and possibly v[4] contain the bit string + * 0x04 is where KeyCertSign lands in this bit string (from + * RFC 5280 4.2.1.3) + */ + if (v[0] != ASN1_BTS || vlen < 4) + return -EBADMSG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->is_kcs_set = true; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->is_kcs_set = true; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v; diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index dc45df9f6594..d6ac0985d8a5 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h 
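Review bot: unlike the Basic Constraints hunk, this one never checks the BIT STRING length octet against the extension size; add `if (v[1] != vlen - 2) return -EBADMSG;` right after the tag test so a `v[1]` that disagrees with `vlen` is rejected instead of falling into the `0x02` or `0x03` case on the strength of `v[3] & 0x04` alone. The two-byte branch (`v[1] == 0x03`) does not bound `v[2]`: with two content bytes the unused-bit count applies to `v[4]`, so bit 5 in `v[3]` is always meaningful, but `v[2] > 7` is still malformed and DER also requires the padding bits to be zero, which neither branch verifies. The comment would be easier to verify if it stated the general rule it applies (bit n lives in content byte n/8 under mask 0x80 >> (n%8), and exists only if n < 8*bytes - unused) rather than just the conclusion that 0x04 is keyCertSign.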
@@ -39,6 +39,7 @@ struct x509_certificate { bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; bool is_root_ca; /* T if basic constraints CA is set */ + bool is_kcs_set; /* T if keyCertSign is set */ }; /*

From patchwork Wed Apr 6 01:53:34 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12803780
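Review bot: `is_kcs_set` stays false both when the Key Usage extension is absent and when it is present with keyCertSign cleared, and RFC 5280 treats an absent keyUsage as unrestricted while a present one without keyCertSign forbids certificate signing; if the follow-on consumer needs that distinction, record "extension seen" as well (a second bool or a tri-state) rather than inferring it later. Spelling out `keyCertSign` in the field comment is good; consider a name that contains it too (`key_cert_sign`), since `kcs` is not an abbreviation the rest of this header uses.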
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 4/7] KEYS: Introduce a builtin root of trust key flag
Date: Tue, 5 Apr 2022 21:53:34 -0400
Message-Id: <20220406015337.4000739-5-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
Some subsystems are interested in knowing if keys within a keyring could be used as a foundation of a root of trust. Introduce a new builtin root of trust key flag. The first type of key to use this is X.509. When an X.509 certificate is self-signed, has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set.

Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_public_key.c | 2 ++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 14 insertions(+) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 91a4ad50dea2..7290e765f46b 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -215,6 +215,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) prep->payload.data[asym_auth] = cert->sig; prep->description = desc; prep->quotalen = 100; + if (cert->is_kcs_set && cert->self_signed && cert->is_root_ca) + prep->payload_flags |= KEY_ALLOC_ROT; /* We've finished with the certificate */ cert->pub = NULL; diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7d985a1dfe4a..ed0aaad3849b 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -36,6 +36,8 @@ struct key_preparsed_payload { size_t datalen; /* Raw datalen */ size_t quotalen; /* Quota length for proposed payload */ time64_t expiry; /* Expiry time of key */ + unsigned int payload_flags; /* Proposed payload flags */ +#define KEY_ALLOC_ROT 0x0001 /* Proposed Root of Trust (ROT) key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/include/linux/key.h b/include/linux/key.h index 7febc4881363..97f6a1f86a27 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -230,6 +230,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_BUILTIN_ROT 10 /* set if key is a builtin Root of Trust key */ /* the key type and key description string * - the desc is used to match a key against search criteria 
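Review bot: in the key-type.h hunk, the new KEY_ALLOC_ROT is a bit in key_preparsed_payload::payload_flags, but its KEY_ALLOC_ prefix matches the key_alloc() flag namespace in key.h, where the key.h hunk adds KEY_ALLOC_BUILT_IN_ROT with a different value (0x0040). Two near-identical names for two different flag words invite passing one where the other is expected; suggest a distinct prefix for the preparsed-payload bit, e.g. `#define KEY_PREP_ROT 0x0001`, plus a comment on `payload_flags` stating that it is not a key_alloc() flags word. The x509_public_key.c hunk would then read `prep->payload_flags |= KEY_PREP_ROT;`, making the translation in key_create_or_update() visibly deliberate.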
@@ -290,6 +291,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_BUILT_IN_ROT 0x0040 /* Add builtin root of trust key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..732bb837fc51 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_BUILT_IN_ROT) + key->flags |= 1 << KEY_FLAG_BUILTIN_ROT; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; 
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_BUILT_IN_ROT flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_ROT) + flags |= KEY_ALLOC_BUILT_IN_ROT; + else + flags &= ~KEY_ALLOC_BUILT_IN_ROT; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
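Review bot: in the key_create_or_update() hunk, KEY_ALLOC_BUILT_IN_ROT is derived purely from prep.payload_flags, and the preparser sets that bit from certificate contents alone (self-signed, CA bit, keyCertSign). Any caller of key_create_or_update(), which includes the add_key() syscall path, therefore ends up with a key carrying KEY_FLAG_BUILTIN_ROT whenever it adds such a certificate to a keyring it can write to, so "builtin" overstates what the flag proves; the restriction that consumes it still has to rely on which keyring the signing key is found in. Either name the flag for the property actually checked (something like KEY_FLAG_SELF_SIGNED_CA) or extend the comment `/* Only allow KEY_ALLOC_BUILT_IN_ROT flag to be set by preparser contents */` to say that the flag reflects certificate contents, not how or by whom the key was added.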
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 5/7] KEYS: Introduce sig restriction that validates root of trust
Date: Tue, 5 Apr 2022 21:53:35 -0400
Message-Id: <20220406015337.4000739-6-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring. Add a new restriction called restrict_link_by_rot_and_signature that both vouches for the new key and validates the vouching key contains the builtin root of trust flag. Two new system keyring restrictions are added to use restrict_link_by_rot_and_signature. The first restriction called restrict_link_by_rot_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_rot_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring.
Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring. Signed-off-by: Eric Snowberg Reported-by: kernel test robot --- certs/system_keyring.c | 18 +++++++++++++ crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++++++++++ include/keys/system_keyring.h | 17 ++++++++++++- 3 files changed, 76 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 05b66ce9d1c9..a8b53446ec25 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -48,6 +48,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_rot_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_rot_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring @@ -76,6 +84,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_rot_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_rot_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /** * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..840ea302b40a 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c 
@@ -108,6 +108,48 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_rot_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 2419a735420f..2c1241042f1f 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -17,9 +17,18 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_rot_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); +extern int restrict_link_by_rot_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_rot_and_signature restrict_link_reject +#define restrict_link_by_rot_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { 
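Review bot: in the first system_keyring.h hunk, the prototype for restrict_link_by_rot_and_signature() names its last parameter `unused`, but the restrict.c definition names it `trust_keyring` and dereferences it, and both system_keyring.c wrappers pass builtin_trusted_keys or secondary_trusted_keys through it; rename the parameter to `trust_keyring` so the declaration does not misdescribe the contract. Since the function is a generic restriction implemented in restrict.c rather than a system-keyring helper, its declaration also belongs alongside restrict_link_by_signature()'s instead of inside this block, where the `#else` branch maps it to restrict_link_reject.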
@@ -34,8 +43,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_rot_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_rot_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
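Review bot: in the first system_keyring.c hunk, the new restrict_link_by_rot_builtin_trusted() is inserted with no blank line between its closing `+}` and the following `#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING`, and unlike the neighbouring restrict_link_by_builtin_and_secondary_trusted() it carries no kernel-doc comment. Add the blank line and a `/** ... */` block saying what the function requires of the vouching key (found in builtin_trusted_keys and flagged KEY_FLAG_BUILTIN_ROT), since that requirement is the whole point of the new entry point.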
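Review bot: in the restrict.c hunk, a signing key that is found in trust_keyring but lacks KEY_FLAG_BUILTIN_ROT yields `ret = -ENOKEY;`, the same code used when no signing key exists at all, so a caller cannot tell "no chain" from "chain to a non-root key"; -EPERM, which the function already returns for the ca_keyid mismatch, would express "found but not permitted" and make logs far easier to read. Apart from the added `test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags)` test, the lookup and verification sequence is the one restrict_link_by_signature() already performs, so a shared helper that does the lookup and lets each caller add its own policy test would avoid maintaining two copies. Minor: the hunk ends with two added blank lines before `static bool match_either_id(`, leaving a double blank line.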
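Review bot: in the second system_keyring.h hunk, the `#else` fallback reads `#define restrict_link_by_rot_builtin_and_secondary_trusted restrict_link_by_builtin_trusted`, so without CONFIG_SECONDARY_TRUSTED_KEYRING the ROT-validating restriction silently degrades to the plain builtin-trusted check and KEY_FLAG_BUILTIN_ROT is never tested. It should fall back to restrict_link_by_rot_builtin_trusted, mirroring how the existing line maps restrict_link_by_builtin_and_secondary_trusted to restrict_link_by_builtin_trusted. The last parameter is also named `restrict_key` here but `unused` in the system_keyring.c definition; pick one name for both.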
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 6/7] KEYS: X.509: Flag Intermediate CA certs as built in
Date: Tue, 5 Apr 2022 21:53:36 -0400
Message-Id: <20220406015337.4000739-7-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Currently X.509 Intermediate CA certs do not have the builtin root of trust key flag set. Allow intermediate CA certs to be added. Requirements for an intermediate CA include: Usage extension defined as keyCertSign, Basic Constraints for CA is false, and Intermediate CA cert is signed by a current builtin ROT key.

Signed-off-by: Eric Snowberg
Reported-by: kernel test robot
---
 crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++--
 include/linux/ima.h                      | 16 ++++++++++++++++
 include/linux/key-type.h                 |  1 +
 security/keys/key.c                      |  5 +++++
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 7290e765f46b..9052dd761ea3 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -215,8 +215,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) prep->payload.data[asym_auth] = cert->sig; prep->description = desc; prep->quotalen = 100; - if (cert->is_kcs_set && cert->self_signed && cert->is_root_ca) - prep->payload_flags |= KEY_ALLOC_ROT; + if (cert->is_kcs_set) { + if (cert->self_signed && cert->is_root_ca) + prep->payload_flags |= KEY_ALLOC_ROT; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_ROT for now. If the restriction check + * passes later, the key will be allocated with the + * correct ROT flag. + */ + else if (!cert->self_signed && !cert->is_root_ca) + prep->payload_flags |= KEY_MAYBE_ROT; + } /* We've finished with the certificate */ cert->pub = NULL; diff --git a/include/linux/ima.h b/include/linux/ima.h index 426b1744215e..3f23bccf880a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA @@ -176,6 +177,21 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_rot restrict_link_by_rot_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_rot restrict_link_by_rot_builtin_trusted +#endif +#else +static inline int ima_validate_builtin_rot(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused){ + return -EPERM; +} +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index ed0aaad3849b..da09e68903e2 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h 
@@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_ROT 0x0001 /* Proposed Root of Trust (ROT) key */ +#define KEY_MAYBE_ROT 0x0002 /* Proposed possible Root of Trust key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index 732bb837fc51..c553040dcc02 100644 --- a/security/keys/key.c +++ b/security/keys/key.c 
@@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate root of trust */ + if ((prep.payload_flags & KEY_MAYBE_ROT) && + !(ima_validate_builtin_rot(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_ROT; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
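Review bot: in the x509_key_preparse() hunk the intermediate branch `else if (!cert->self_signed && !cert->is_root_ca)` accepts any certificate that is not self-signed and has keyCertSign set; nothing in the condition requires the certificate to be a CA at all, so an end-entity certificate that wrongly asserts keyCertSign is also tagged KEY_MAYBE_ROT and only the later signature check stands between it and KEY_ALLOC_ROT. RFC 5280 section 4.2.1.9 requires cA to be TRUE whenever keyCertSign is asserted, so the branch should require an explicit CA basic constraint rather than merely the absence of is_root_ca. Style: the block comment is placed between the first `if` body and its `else if`, where it reads as documentation of the wrong branch; move it inside the `else if` or above the whole `if (cert->is_kcs_set)` block.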
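Review bot: the ima_validate_builtin_rot() macro and stub added to include/linux/ima.h are consumed from security/keys/key.c, which is generic keyring code, so the keys subsystem now pulls an IMA header for a root-of-trust check that has nothing IMA-specific in it; a neutral name next to the restrict_link_by_rot_* declarations, or in key-type.h beside KEY_MAYBE_ROT, would avoid that layering. The macro expands to restrict_link_by_rot_builtin_and_secondary_trusted / restrict_link_by_rot_builtin_trusted, neither of which is declared in this hunk, and the new `+#include` at the top of the file has lost its header name in this rendering; make sure it is the header that declares those two functions, otherwise any user of ima.h that reaches the macro gets an implicit-declaration error. Minor: in the stub, `struct key *unused){` needs the opening brace of a function definition on its own line.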
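Review bot: the KEY_MAYBE_ROT comment in key-type.h, `Proposed possible Root of Trust key`, does not tell a reader of the header how it differs from KEY_ALLOC_ROT; say that it is a request consumed by key_create_or_update(), which upgrades it to KEY_ALLOC_ROT only after the builtin-ROT signature check succeeds.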
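Review bot: in the key_create_or_update() hunk the builtin-ROT validation is gated only on `prep.payload_flags & KEY_MAYBE_ROT`, so it runs for every destination keyring, not just the builtin, secondary or IMA keyrings where the flag matters; any process that can add a keyCertSign certificate to its own keyring now triggers a signature verification against the builtin keys and, on success, receives a key carrying KEY_ALLOC_ROT. Either gate the check on the destination keyring or explain in the comment why a ROT-flagged key in an arbitrary keyring is harmless. When the check fails, KEY_MAYBE_ROT is left set; clear it once the decision is made so that no later consumer of payload_flags sees an unresolved marker. Minor: `!(ima_validate_builtin_rot(...))` carries a redundant pair of parentheses, and the comment reads better as "The keyring restriction check has passed, so try to validate the root of trust".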
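As an added worked example (not code from this patch series or from the kernel), the following Python reproduces the flag decision of the x509_key_preparse() hunk on DER input: it walks a certificate's TBSCertificate, reads the keyCertSign bit of KeyUsage (2.5.29.15) and the cA flag of BasicConstraints (2.5.29.19), compares issuer against subject, and maps the three facts to KEY_ALLOC_ROT, KEY_MAYBE_ROT or no flag. Assumptions: the patch's is_root_ca is taken to be the BasicConstraints cA flag (the page does not show how it is derived), self_signed is approximated by issuer == subject (the kernel additionally verifies the signature with the certificate's own key), and the sample certificates are constructed inside the block with placeholder key and signature fields, so no signature is verified.

```python
# Added worked example, not code from the patch or the kernel. A minimal DER
# walker that extracts the three facts the x509_key_preparse() hunk relies on
# and applies the same flag decision. Assumptions (labelled): is_root_ca is
# approximated by the BasicConstraints cA flag, self_signed by issuer == subject
# (no signature is verified), and the sample certificates below are constructed
# with placeholder SPKI and signature fields.

KEY_USAGE_OID = b"\x55\x1d\x0f"          # 2.5.29.15 keyUsage
BASIC_CONSTRAINTS_OID = b"\x55\x1d\x13"  # 2.5.29.19 basicConstraints
KEY_CERT_SIGN = 0x04                     # KeyUsage bit 5, MSB-first in the first bits byte


def der(tag, content):
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def tlv(buf, pos=0):
    """Decode the TLV at pos; returns (tag, value, offset just past it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(buf):
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))


def _extension(oid, value):
    # Extension ::= SEQUENCE { extnID, critical TRUE, extnValue OCTET STRING }
    return der(0x30, der(0x06, oid) + der(0x01, b"\xff") + der(0x04, value))


def make_cert(subject, issuer, key_cert_sign=False, ca=None):
    """Constructed sample only: structurally valid X.509 v3 with dummy key and signature."""
    exts = b""
    if key_cert_sign:
        exts += _extension(KEY_USAGE_OID, der(0x03, bytes([0, KEY_CERT_SIGN])))
    if ca is not None:  # cA has DEFAULT FALSE, so a false value is simply omitted
        exts += _extension(BASIC_CONSTRAINTS_OID, der(0x30, der(0x01, b"\xff") if ca else b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                    # [0] version v3
              + der(0x02, b"\x01")                                              # serialNumber
              + der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))      # ecdsa-with-SHA256 (placeholder)
              + _name(issuer)
              + der(0x30, der(0x17, b"220101000000Z") + der(0x17, b"320101000000Z"))  # validity
              + _name(subject)
              + der(0x30, b"")                                                  # subjectPublicKeyInfo (dummy)
              + (der(0xA3, der(0x30, exts)) if exts else b""))                  # [3] extensions
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))                 # + dummy sigAlg and signature


def inspect(cert_der):
    """Return is_kcs_set / self_signed / is_ca for a DER-encoded certificate."""
    tag, body, _ = tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = children(children(body)[0][1])       # tbsCertificate
    if fields and fields[0][0] == 0xA0:            # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, then optionals
    issuer, subject = fields[2][1], fields[4][1]
    kcs = ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:                            # [3] EXPLICIT Extensions
            continue
        for _, ext in children(tlv(val)[1]):       # SEQUENCE OF Extension
            parts = children(ext)
            oid, octets = parts[0][1], parts[-1][1]
            if oid == KEY_USAGE_OID:
                bits = tlv(octets)[1]              # BIT STRING: unused-bits count, then the bits
                kcs = len(bits) > 1 and bool(bits[1] & KEY_CERT_SIGN)
            elif oid == BASIC_CONSTRAINTS_OID:
                ca = any(t == 0x01 and v == b"\xff" for t, v in children(tlv(octets)[1]))
    return {"is_kcs_set": kcs, "self_signed": issuer == subject, "is_ca": ca}


def classify(cert_der):
    """The hunk's decision, with is_ca standing in for the patch's is_root_ca."""
    c = inspect(cert_der)
    if not c["is_kcs_set"]:
        return "none"
    if c["self_signed"] and c["is_ca"]:
        return "KEY_ALLOC_ROT"
    if not c["self_signed"] and not c["is_ca"]:
        return "KEY_MAYBE_ROT"   # candidate intermediate; still has to pass the builtin-ROT signature check
    return "none"


# Constructed sample chain (no real keys): root -> intermediate -> leaf signer.
ROOT = make_cert("Test Root", "Test Root", key_cert_sign=True, ca=True)
INTERMEDIATE = make_cert("Test Intermediate", "Test Root", key_cert_sign=True, ca=False)
LEAF = make_cert("Test IMA Signer", "Test Intermediate")

if __name__ == "__main__":
    for label, cert in (("root", ROOT), ("intermediate", INTERMEDIATE), ("leaf", LEAF)):
        print(f"{label:12s} {inspect(cert)} -> {classify(cert)}")
```

Run as a script it prints the three facts and the decision for each constructed certificate; feeding inspect() the bytes of a real certificate (for instance the output of `openssl x509 -outform DER`) shows what the same logic would decide for it. Under the is_root_ca assumption above, a certificate that is not self-signed but does assert cA, which is what an RFC 5280 compliant intermediate looks like, matches neither branch of the hunk and gets no flag; that is the case to try first when checking whether a real intermediate would be accepted.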
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, roberto.sassu@huawei.com, nramas@linux.microsoft.com, eric.snowberg@oracle.com, pvorel@suse.cz, tiwai@suse.de, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 7/7] integrity: Use root of trust signature restriction
Date: Tue, 5 Apr 2022 21:53:37 -0400
Message-Id: <20220406015337.4000739-8-eric.snowberg@oracle.com>
In-Reply-To: <20220406015337.4000739-1-eric.snowberg@oracle.com>
References: <20220406015337.4000739-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Keys added to the IMA keyring must be vouched for by keys contained within the builtin or secondary keyrings. These keys must also be self-signed, have the CA bit set and have the keyCertSign KeyUsage bit set. Or they could be validated by a properly formed intermediate CA. Currently these restrictions are not enforced.

Use the new restrict_link_by_rot_builtin_and_secondary_trusted and restrict_link_by_rot_builtin_trusted to enforce the missing CA restrictions when adding keys to the IMA keyring.

With the CA restrictions enforced, allow the machine keyring to be enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg
---
 security/integrity/Kconfig  | 1 -
 security/integrity/digsig.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 599429f99f99..14cc3c767270 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys
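Review bot: the Kconfig hunk drops `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` from INTEGRITY_MACHINE_KEYRING but the help text in the visible context lines is untouched; with the dependency gone, the help for this option and for IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY should state that machine (MOK) keys can vouch for IMA keys only when they satisfy the CA and keyCertSign requirements enforced by the new restriction, otherwise the reason the exclusion existed, and why it is now safe to lift, is lost to anyone reading the option.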
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index c8c8a4a4e7a0..cfde2ea9c55b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_rot_builtin_and_secondary_trusted #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_rot_builtin_trusted #endif static struct key *integrity_keyring_from_id(const unsigned int id)
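Review bot: switching restrict_link_to_ima to the restrict_link_by_rot_* variants in digsig.c is a user-visible behaviour change, not only a tightening of a check that "is not enforced": a key in the builtin or secondary keyring that could vouch for IMA keys until now but does not carry the ROT flag (not self-signed, or lacking the CA or keyCertSign properties) stops being able to vouch for them, and IMA keys already signed by such a key will no longer load. Spell out that compatibility impact in the commit message and update the IMA documentation to match. Also, the two restrict_link_by_rot_* functions need a declaration visible in digsig.c and no include change is part of this hunk; confirm the existing includes of this file provide it.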