From patchwork Thu Aug 25 14:23:11 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chun-Yi Lee <joeyli.kernel@gmail.com>
X-Patchwork-Id: 12954802
Return-Path: <keyrings-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7F28AC64990
	for <keyrings@archiver.kernel.org>; Thu, 25 Aug 2022 14:23:46 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240221AbiHYOXp (ORCPT <rfc822;keyrings@archiver.kernel.org>);
        Thu, 25 Aug 2022 10:23:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39106 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S240437AbiHYOXX (ORCPT
        <rfc822;keyrings@vger.kernel.org>); Thu, 25 Aug 2022 10:23:23 -0400
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com
 [IPv6:2607:f8b0:4864:20::102f])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B946EB6D03;
        Thu, 25 Aug 2022 07:23:22 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id
 t11-20020a17090a510b00b001fac77e9d1fso5098888pjh.5;
        Thu, 25 Aug 2022 07:23:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to
         :cc;
        bh=qJZNpZs822e167cNj4VwoEt4GRcumhG3qGUAL/pW/hc=;
        b=j9mSZG5WB5yPZtTLB05OTiqTaxaonHkBD+PtcWdNLR+7y+28wxHmTCdnenT6BjSKwp
         F8oW6NgsECZK86jEDdXI6/OBmVdoV9OwVJF4DM4JJ4/2UjWjRLEpF/RCYZDWgR7zPR9n
         TOiUAB+orox1UWS7fRLvtAl9B/yzYan+4PMPCNpvEgk3CEqPSWY1O0tula/Oq5YM5BUp
         OtkClldOQ/Vehkc2f06pGRhKXeK9o5bas5K97WrlVS0YTPgPggrgB4rXXVFJXv1x2EwL
         deT9ALBTHqfz6KmJ0hQkm5aGPjGkGYamLXn/ZTU8nE/ZR61njCXcoemvRLoQ7kPwQaMW
         m/7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from
         :x-gm-message-state:from:to:cc;
        bh=qJZNpZs822e167cNj4VwoEt4GRcumhG3qGUAL/pW/hc=;
        b=ld+tZNkHh3PN5wjd7a/AtpCNMSOaSvSTmVdkk6ZiRZMzC4C5tBBDwZLDywxShvK4B0
         2yNQVWP0XvjTv2nXKgEKRYuT1sro4B32y4+YSbxFOj3yL5KWbjLf6NElG3uQj7rT+Xgh
         iJrI8z6o1wnXKThw9kv0ue/ig6R76YHeIdSbb5BmIuuaD1JY/LBnJlglyhXX0gyg0soF
         CIGyy77DumW/pIHVatFw2ZPwZi1gSUoBJoswzxDqIA/ZSuVTFZE/w3eRpAeYdIZZWTRX
         x2rGFkkgBt4p7tHfQL3ClZHIvFlaA5kbBnM7nnb2wZSG7dcix72leVl1koe/8jhgtFj3
         oLwg==
X-Gm-Message-State: ACgBeo0Wj/a46TUbRLsgU0Wu6vnKQSn7gFL+hnRViyxKxNGxDJHw+ecz
        TDJa7enGuJWBFFi3NqEBkiU=
X-Google-Smtp-Source: 
 AA6agR53fUwkcGWVqEeNmHHmmegg+cjYjN2LQNiNus8alPJTZA1cG0slSJbx+QhfIp1VuyME9VS4Qw==
X-Received: by 2002:a17:902:b685:b0:172:d097:fb54 with SMTP id
 c5-20020a170902b68500b00172d097fb54mr3947341pls.161.1661437402325;
        Thu, 25 Aug 2022 07:23:22 -0700 (PDT)
Received: from linux-l9pv.suse (123-194-152-128.dynamic.kbronet.com.tw.
 [123.194.152.128])
        by smtp.gmail.com with ESMTPSA id
 l15-20020a170903120f00b0016bb24f5d19sm14962803plh.209.2022.08.25.07.23.19
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 25 Aug 2022 07:23:22 -0700 (PDT)
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
        "David S . Miller" <davem@davemloft.net>,
        Ben Boeckel <me@benboeckel.net>,
        Randy Dunlap <rdunlap@infradead.org>,
        Malte Gell <malte.gell@gmx.de>,
        Varad Gautam <varad.gautam@suse.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Mimi Zohar <zohar@linux.ibm.com>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH v9,1/4] X.509: Add CodeSigning extended key usage parsing
Date: Thu, 25 Aug 2022 22:23:11 +0800
Message-Id: <20220825142314.8406-2-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20220825142314.8406-1-jlee@suse.com>
References: <20220825142314.8406-1-jlee@suse.com>
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org

This patch adds the logic for parsing the CodeSign extended key usage
extension in X.509. The parsing result will be set to the ext_key_usage
flag which is carried by public key. It can be used in the PKCS#7
verification.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 25 +++++++++++++++++++++++
 include/crypto/public_key.h               |  1 +
 include/linux/oid_registry.h              |  5 +++++
 3 files changed, 31 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 2899ed80bb18..1f67e0adef65 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -554,6 +554,8 @@ int x509_process_extension(void *context, size_t hdrlen,
 	struct x509_parse_context *ctx = context;
 	struct asymmetric_key_id *kid;
 	const unsigned char *v = value;
+	int i = 0;
+	enum OID oid;
 
 	pr_debug("Extension: %u\n", ctx->last_oid);
 
@@ -583,6 +585,29 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_extKeyUsage) {
+		if (vlen < 2 ||
+		    v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) ||
+		    v[1] != vlen - 2)
+			return -EBADMSG;
+		i += 2;
+
+		while (i < vlen) {
+			/* A 10 bytes EKU OID Octet blob =
+			 * ASN1_OID + size byte + 8 bytes OID */
+			if ((i + 10) > vlen || v[i] != ASN1_OID || v[i + 1] != 8)
+				return -EBADMSG;
+
+			oid = look_up_OID(v + i + 2, v[i + 1]);
+			if (oid == OID_codeSigning) {
+				ctx->cert->pub->ext_key_usage |= EKU_codeSigning;
+			}
+			i += 10;
+		}
+		pr_debug("extKeyUsage: %d\n", ctx->cert->pub->ext_key_usage);
+		return 0;
+	}
+
 	return 0;
 }
 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..72c0fcc39d0f 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -28,6 +28,7 @@ struct public_key {
 	bool key_is_private;
 	const char *id_type;
 	const char *pkey_algo;
+	unsigned int ext_key_usage : 9;      /* Extended Key Usage (9-bit) */
 };
 
 extern void public_key_free(struct public_key *key);
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 0f4a8903922a..460135c2d918 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -140,9 +140,14 @@ enum OID {
 	OID_TPMImportableKey,		/* 2.23.133.10.1.4 */
 	OID_TPMSealedData,		/* 2.23.133.10.1.5 */
 
+	/* Extended key purpose OIDs [RFC 5280] */
+	OID_codeSigning,		/* 1.3.6.1.5.5.7.3.3 */
+
 	OID__NR
 };
 
+#define EKU_codeSigning	(1 << 2)
+
 extern enum OID look_up_OID(const void *data, size_t datasize);
 extern int parse_OID(const void *data, size_t datasize, enum OID *oid);
 extern int sprint_oid(const void *, size_t, char *, size_t);

From patchwork Thu Aug 25 14:23:12 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chun-Yi Lee <joeyli.kernel@gmail.com>
X-Patchwork-Id: 12954803
Return-Path: <keyrings-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F0043C65C14
	for <keyrings@archiver.kernel.org>; Thu, 25 Aug 2022 14:23:47 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240733AbiHYOXr (ORCPT <rfc822;keyrings@archiver.kernel.org>);
        Thu, 25 Aug 2022 10:23:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38080 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241596AbiHYOX1 (ORCPT
        <rfc822;keyrings@vger.kernel.org>); Thu, 25 Aug 2022 10:23:27 -0400
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com
 [IPv6:2607:f8b0:4864:20::1029])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BA3AB69D9;
        Thu, 25 Aug 2022 07:23:25 -0700 (PDT)
Received: by mail-pj1-x1029.google.com with SMTP id
 m10-20020a17090a730a00b001fa986fd8eeso5138549pjk.0;
        Thu, 25 Aug 2022 07:23:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to
         :cc;
        bh=usst7kyrK1cFd/C6ZxpE7JwpfKQPx/JElE5BaVa3e/U=;
        b=fvbGPbaX6w7mccf0nprjMQzAQlOTqf5dy+PKCnoFfE5plxz2kTMxNzWtbp0CYKZJU3
         C6xIKuBvefvtOM/E63hBDexliSjHTwr2mMofBqE0h+fEHt1u/T9rjeSQwDH3O/YeyIMJ
         LGU50fUpKbTSwdIwaBxT/fo2Cqh0FswlA0/ZXn3ZvSBUQLmZgI2/xbZv1ZednTJHczUM
         Ziu1IuZxBtXbUG+oge2XBDQGZQSP3nj624Y/57w3zINwkm/CcoShZIMppyx/MBoFunhy
         YnW+TTHVEPwO165fX1NmeARt7dGEEaTz9EB/n5QqfW1+iDS76hdHKuV/PWisF6YpRMma
         N/TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from
         :x-gm-message-state:from:to:cc;
        bh=usst7kyrK1cFd/C6ZxpE7JwpfKQPx/JElE5BaVa3e/U=;
        b=TAIhD3F4UAp0d88lBXMfrIzWlb0Ulj/iYPqrV6c5VD8nmZ/pkJxbo9h53A4fqafqGj
         sofX/OYPvA5oKnvJOtbHUcxipUtl4MT5zRpcIEStHXtAFoS/drpeAeKRlEv+CnPvCtmQ
         3GqaFyJsSlabEN9AGw8eSQqD6qp+c4Rup5DI4IRSfPCO0g929IWZ3qPR8MvxdlMdPCmS
         5lMTp2mDPKEnCE9P3FY62Tv9X9QzO8YD7oarR/7oCX8QFY0ZqLYx57Dl+Xs3Y/kt5uEl
         07dThZlVuPMB/iGw2I6o4x4ECUG0LKk/SQ9KyaV6q6GPx/I1mjULePN++8XlyI9tXeiI
         Jefw==
X-Gm-Message-State: ACgBeo30gRJCo1QKk2E1vb0xi7f3bSwRpUcheOFYoaQH1tW62VighuTA
        VLDCkjzVoAMBjJ1zsgJdXLo=
X-Google-Smtp-Source: 
 AA6agR7WR5QytOkUhjTd2gVhSld9wIXOLucV9txUzlBC9Bff/gmw2xLfEznG+Tb3nzVambT+FlwXCg==
X-Received: by 2002:a17:902:c945:b0:16d:c318:4480 with SMTP id
 i5-20020a170902c94500b0016dc3184480mr4222480pla.147.1661437404922;
        Thu, 25 Aug 2022 07:23:24 -0700 (PDT)
Received: from linux-l9pv.suse (123-194-152-128.dynamic.kbronet.com.tw.
 [123.194.152.128])
        by smtp.gmail.com with ESMTPSA id
 l15-20020a170903120f00b0016bb24f5d19sm14962803plh.209.2022.08.25.07.23.22
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 25 Aug 2022 07:23:24 -0700 (PDT)
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
        "David S . Miller" <davem@davemloft.net>,
        Ben Boeckel <me@benboeckel.net>,
        Randy Dunlap <rdunlap@infradead.org>,
        Malte Gell <malte.gell@gmx.de>,
        Varad Gautam <varad.gautam@suse.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Mimi Zohar <zohar@linux.ibm.com>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH v9,2/4] PKCS#7: Check codeSigning EKU for kernel module and
 kexec pe verification
Date: Thu, 25 Aug 2022 22:23:12 +0800
Message-Id: <20220825142314.8406-3-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20220825142314.8406-1-jlee@suse.com>
References: <20220825142314.8406-1-jlee@suse.com>
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org

This patch adds the logic for checking the CodeSigning extended
key usage when verifying signature of kernel module or
kexec PE binary in PKCS#7.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/blacklist.c                    |  5 ++--
 certs/system_keyring.c               |  4 +--
 crypto/asymmetric_keys/Kconfig       |  9 ++++++
 crypto/asymmetric_keys/pkcs7_trust.c | 43 ++++++++++++++++++++++++++--
 crypto/asymmetric_keys/selftest.c    |  2 +-
 include/crypto/pkcs7.h               |  4 ++-
 include/keys/system_keyring.h        |  7 +++--
 7 files changed, 63 insertions(+), 11 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 41f10601cc72..fa41454055be 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -282,11 +282,12 @@ int add_key_to_revocation_list(const char *data, size_t size)
  * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
  * @pkcs7: The PKCS#7 message to check
  */
-int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+			      enum key_being_used_for usage)
 {
 	int ret;
 
-	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring, usage, false);
 
 	if (ret == 0)
 		return -EKEYREJECTED;
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..66737bfb26de 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -263,13 +263,13 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
 			goto error;
 		}
 
-		ret = is_key_on_revocation_list(pkcs7);
+		ret = is_key_on_revocation_list(pkcs7, usage);
 		if (ret != -ENOKEY) {
 			pr_devel("PKCS#7 platform key is on revocation list\n");
 			goto error;
 		}
 	}
-	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+	ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage, true);
 	if (ret < 0) {
 		if (ret == -ENOKEY)
 			pr_devel("PKCS#7 signature not signed with a trusted key\n");
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 3df3fe4ed95f..189536bd0f9a 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -85,4 +85,13 @@ config FIPS_SIGNATURE_SELFTEST
 	depends on ASYMMETRIC_KEY_TYPE
 	depends on PKCS7_MESSAGE_PARSER
 
+config CHECK_CODESIGN_EKU
+	bool "Check codeSigning extended key usage"
+	depends on PKCS7_MESSAGE_PARSER=y
+	depends on SYSTEM_DATA_VERIFICATION
+	help
+	  This option provides support for checking the codeSigning extended
+	  key usage when verifying the signature in PKCS#7. It affects kernel
+	  module verification and kexec PE binary verification.
+
 endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 9a87c34ed173..087d3761d9a8 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -16,12 +16,40 @@
 #include <crypto/public_key.h>
 #include "pkcs7_parser.h"
 
+#ifdef CONFIG_CHECK_CODESIGN_EKU
+static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage)
+{
+	struct public_key *public_key = key->payload.data[asym_crypto];
+	bool ret = true;
+
+	switch (usage) {
+	case VERIFYING_MODULE_SIGNATURE:
+	case VERIFYING_KEXEC_PE_SIGNATURE:
+		ret = !!(public_key->ext_key_usage & EKU_codeSigning);
+		if (!ret)
+			pr_warn("The signer '%s' key is not CodeSigning\n",
+				key->description);
+		break;
+	default:
+		break;
+	}
+	return ret;
+}
+#else
+static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage)
+{
+	return true;
+}
+#endif
+
 /*
  * Check the trust on one PKCS#7 SignedInfo block.
  */
 static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 				    struct pkcs7_signed_info *sinfo,
-				    struct key *trust_keyring)
+				    struct key *trust_keyring,
+				    enum key_being_used_for usage,
+				    bool check_eku)
 {
 	struct public_key_signature *sig = sinfo->sig;
 	struct x509_certificate *x509, *last = NULL, *p;
@@ -112,6 +140,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 	return -ENOKEY;
 
 matched:
+	if (check_eku && !check_eku_by_usage(key, usage)) {
+		key_put(key);
+		return -ENOKEY;
+	}
 	ret = verify_signature(key, sig);
 	key_put(key);
 	if (ret < 0) {
@@ -135,6 +167,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
  * pkcs7_validate_trust - Validate PKCS#7 trust chain
  * @pkcs7: The PKCS#7 certificate to validate
  * @trust_keyring: Signing certificates to use as starting points
+ * @usage: The use to which the key is being put.
+ * @check_eku: Check EKU (Extended Key Usage)
  *
  * Validate that the certificate chain inside the PKCS#7 message intersects
  * keys we already know and trust.
@@ -156,7 +190,9 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
  * May also return -ENOMEM.
  */
 int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-			 struct key *trust_keyring)
+			 struct key *trust_keyring,
+			 enum key_being_used_for usage,
+			 bool check_eku)
 {
 	struct pkcs7_signed_info *sinfo;
 	struct x509_certificate *p;
@@ -167,7 +203,8 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
 		p->seen = false;
 
 	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
-		ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring);
+		ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring,
+					       usage, check_eku);
 		switch (ret) {
 		case -ENOKEY:
 			continue;
diff --git a/crypto/asymmetric_keys/selftest.c b/crypto/asymmetric_keys/selftest.c
index fa0bf7f24284..756e9f224d8a 100644
--- a/crypto/asymmetric_keys/selftest.c
+++ b/crypto/asymmetric_keys/selftest.c
@@ -212,7 +212,7 @@ int __init fips_signature_selftest(void)
 		if (ret < 0)
 			panic("Certs selftest %d: pkcs7_verify() = %d\n", i, ret);
 
-		ret = pkcs7_validate_trust(pkcs7, keyring);
+		ret = pkcs7_validate_trust(pkcs7, keyring, VERIFYING_MODULE_SIGNATURE, false);
 		if (ret < 0)
 			panic("Certs selftest %d: pkcs7_validate_trust() = %d\n", i, ret);
 
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 38ec7f5f9041..5d87b8a02f79 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -30,7 +30,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
  * pkcs7_trust.c
  */
 extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-				struct key *trust_keyring);
+				struct key *trust_keyring,
+				enum key_being_used_for usage,
+				bool check_eku);
 
 /*
  * pkcs7_verify.c
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..bb33b527240e 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -9,6 +9,7 @@
 #define _KEYS_SYSTEM_KEYRING_H
 
 #include <linux/key.h>
+#include <keys/asymmetric-type.h>
 
 enum blacklist_hash_type {
 	/* TBSCertificate hash */
@@ -81,13 +82,15 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 
 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
 extern int add_key_to_revocation_list(const char *data, size_t size);
-extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
+extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+				     enum key_being_used_for usage);
 #else
 static inline int add_key_to_revocation_list(const char *data, size_t size)
 {
 	return 0;
 }
-static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+					    enum key_being_used_for usage)
 {
 	return -ENOKEY;
 }

From patchwork Thu Aug 25 14:23:13 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chun-Yi Lee <joeyli.kernel@gmail.com>
X-Patchwork-Id: 12954804
Return-Path: <keyrings-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B34DEC64990
	for <keyrings@archiver.kernel.org>; Thu, 25 Aug 2022 14:24:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241846AbiHYOYW (ORCPT <rfc822;keyrings@archiver.kernel.org>);
        Thu, 25 Aug 2022 10:24:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38848 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241383AbiHYOXc (ORCPT
        <rfc822;keyrings@vger.kernel.org>); Thu, 25 Aug 2022 10:23:32 -0400
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com
 [IPv6:2607:f8b0:4864:20::435])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 443D9B69DB;
        Thu, 25 Aug 2022 07:23:28 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id x19so17151469pfq.1;
        Thu, 25 Aug 2022 07:23:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to
         :cc;
        bh=v+sMBqp6ooJWJMiKxkcuWRrYdEMc2s2mHBQ5ff60zrg=;
        b=aqONtzq4v8lNkN7/AZtz/OM04ftwYclpxAZFb5bjDTAEHmIW3f10dOkk2Us0+N7dGH
         LybjuR7q4oPU0n3svdIUtcPwaKSGjbG5jC/WGC9tQkSBjkOxePso7UZpLx1mvp7bIOzr
         nTR+5BsgFlDqGxacaFV+YuE9E8YBcOUWVvR8VVp7lNX0j9bt0KWVXoPDoALEaXA5GrMk
         zjpGbEq19POBkk0i7x8MQA4qBjcMmndgsfBLedT+pHPuPii0z21bM+afAfZz8ZYbc4en
         CxaqWXvIAAuW3c6WrFYSJ+Xz4YdnyT8U0L44ASwBVPomFjxC1TpjLgVYrWn9RiscAxTY
         tN9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from
         :x-gm-message-state:from:to:cc;
        bh=v+sMBqp6ooJWJMiKxkcuWRrYdEMc2s2mHBQ5ff60zrg=;
        b=mfHroW1Sy8JMBYxsWm2wBYJz2JYVgYmTSik5GWCeiHimmhgQwTgmET9jlLeAJBB752
         ySe8so4zo92E3eLnlz3DV9KSe9AOWPasqONhlUDpy9OTy2UbYqkRIvRNxcHQOCwzOdR9
         /bncKAz0yV6rOPlYTbFHaEjidnxuyQFVkPBIPQfPmsHu/I5CZ1uuEczLqWuUx8L5qUe+
         nOadxzbISbQXjRdQgEBvgH1EixRCMXqeEASFRVqVRzd4Zk/uVqJzwzIrbHSxNY3kb8AJ
         zmtkFeDJSG1lLTSH/8tKVjH/2lloK+96KPOD6Wu0p9mCOHixP1gpx2AY9JgNhEPXsYbQ
         lPwQ==
X-Gm-Message-State: ACgBeo3Fni8zxhtjD08y+TVRcWQ5ujdVWmUOKrnci7YL2S+VhPDaEqUo
        cVBYgz50w0gu7CT41lkb4yo=
X-Google-Smtp-Source: 
 AA6agR7LdCPU1ainH5U6NUSnAfqtl2SiO6dWge3vUf+JEiZAOhGdyvz6CJQducsSjAErbZF1uPeDmw==
X-Received: by 2002:aa7:9692:0:b0:537:2562:85ff with SMTP id
 f18-20020aa79692000000b00537256285ffmr4362938pfk.35.1661437407922;
        Thu, 25 Aug 2022 07:23:27 -0700 (PDT)
Received: from linux-l9pv.suse (123-194-152-128.dynamic.kbronet.com.tw.
 [123.194.152.128])
        by smtp.gmail.com with ESMTPSA id
 l15-20020a170903120f00b0016bb24f5d19sm14962803plh.209.2022.08.25.07.23.25
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 25 Aug 2022 07:23:27 -0700 (PDT)
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
        "David S . Miller" <davem@davemloft.net>,
        Ben Boeckel <me@benboeckel.net>,
        Randy Dunlap <rdunlap@infradead.org>,
        Malte Gell <malte.gell@gmx.de>,
        Varad Gautam <varad.gautam@suse.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Mimi Zohar <zohar@linux.ibm.com>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH v9,3/4] modsign: Add codeSigning EKU to the default
Date: Thu, 25 Aug 2022 22:23:13 +0800
Message-Id: <20220825142314.8406-4-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20220825142314.8406-1-jlee@suse.com>
References: <20220825142314.8406-1-jlee@suse.com>
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org

Add codeSigning EKU to the default X.509 key generation config for the
build time autogenerated kernel key.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/default_x509.genkey | 1 +
 1 file changed, 1 insertion(+)

diff --git a/certs/default_x509.genkey b/certs/default_x509.genkey
index d4c6628cb8e5..53be501ce57a 100644
--- a/certs/default_x509.genkey
+++ b/certs/default_x509.genkey
@@ -15,3 +15,4 @@ basicConstraints=critical,CA:FALSE
 keyUsage=digitalSignature
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+extendedKeyUsage=codeSigning

From patchwork Thu Aug 25 14:23:14 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chun-Yi Lee <joeyli.kernel@gmail.com>
X-Patchwork-Id: 12954805
Return-Path: <keyrings-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7DD2EC64990
	for <keyrings@archiver.kernel.org>; Thu, 25 Aug 2022 14:24:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241393AbiHYOYY (ORCPT <rfc822;keyrings@archiver.kernel.org>);
        Thu, 25 Aug 2022 10:24:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38852 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S241339AbiHYOXf (ORCPT
        <rfc822;keyrings@vger.kernel.org>); Thu, 25 Aug 2022 10:23:35 -0400
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com
 [IPv6:2607:f8b0:4864:20::534])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0875FB6014;
        Thu, 25 Aug 2022 07:23:31 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id 12so18037027pga.1;
        Thu, 25 Aug 2022 07:23:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to
         :cc;
        bh=cVU0VI6SHUHssnCSIRaLHSdROjTj9L70izUE69+SVQI=;
        b=iyeuTXiHSUNy2JLfnzmnkGQBac1RWC4oduQxuaWC+q+SJbRjdpKqlX0/4EzSoBVRgb
         Q+0KkXZ35/EWiIxymYBc6rZ53bXyImV9j+UTHri6pA8gSyXS19kub5PnMoeRf/Ab5HoN
         8o4w3ilhynUVrB4sCn6Yo6PVAEGi7guxxZxA5Ws/ypvwkKOOY4NQJ1NYORW/G6zgeFAJ
         Tlv/bG9T/H0f6dL6YCW7LSX7n4ej9R8ZteyIhqbjVSvZr4VBpEO6+953FdIV/P5Gcr+i
         Q/7sqwCGhvojVOxXSIofPwZHurCDXFekWIATZC02M+p7i1zKzWh4IxjitDpGpYsOvlKj
         7kmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=references:in-reply-to:message-id:date:subject:cc:to:from
         :x-gm-message-state:from:to:cc;
        bh=cVU0VI6SHUHssnCSIRaLHSdROjTj9L70izUE69+SVQI=;
        b=Y4a66fE6pdwGEvDn2qimzNX+scVuaeN4+xMS80tUAfCy+aHvWFzSvtBCtgOT9xs+s6
         cdDaYhyB01JgVvk2CgBUPddU/CC3DoBI3vWq/FszCz0vwHPjruDf/6UxeOnD/5mSqb/e
         hnb7MOQTpVrxrWht8O10cM8bYTtKmuHkjxm7FNCCvn8B/qTeIr4gvhd1VMcRKre5ZfLL
         aD0y9ekdixKP9GGcvOqb6AJljZ/1csfQ786bSa3Inv9nSPg7sg4LfeZg2qHGzPvE9XAN
         sR1f+A9zsOserQ9jo+37fQ4ooIcSgCxjvEx1E0S1Zl+FKGTOLzvqNwHHbuFAN7edjbpI
         JfJw==
X-Gm-Message-State: ACgBeo3C2RiTCILvNS36QEBlehKiatl+bPzt/4M6zmlyQtfRBwG+AASA
        GPjxvBXkHHHbkpt9czpLKHw=
X-Google-Smtp-Source: 
 AA6agR47nAW/DbDYMnn/wzQQJNghFOEv8l4oZniUR/03+jNEV658GYe4pMs43MGah7jY4Rp48X4PSA==
X-Received: by 2002:a05:6a00:1402:b0:536:bf1c:3d16 with SMTP id
 l2-20020a056a00140200b00536bf1c3d16mr4516591pfu.20.1661437410518;
        Thu, 25 Aug 2022 07:23:30 -0700 (PDT)
Received: from linux-l9pv.suse (123-194-152-128.dynamic.kbronet.com.tw.
 [123.194.152.128])
        by smtp.gmail.com with ESMTPSA id
 l15-20020a170903120f00b0016bb24f5d19sm14962803plh.209.2022.08.25.07.23.28
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 25 Aug 2022 07:23:30 -0700 (PDT)
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
        "David S . Miller" <davem@davemloft.net>,
        Ben Boeckel <me@benboeckel.net>,
        Randy Dunlap <rdunlap@infradead.org>,
        Malte Gell <malte.gell@gmx.de>,
        Varad Gautam <varad.gautam@suse.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Mimi Zohar <zohar@linux.ibm.com>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH v9,4/4] Documentation/admin-guide/module-signing.rst: add
 openssl command option example for CodeSign EKU
Date: Thu, 25 Aug 2022 22:23:14 +0800
Message-Id: <20220825142314.8406-5-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20220825142314.8406-1-jlee@suse.com>
References: <20220825142314.8406-1-jlee@suse.com>
Precedence: bulk
List-ID: <keyrings.vger.kernel.org>
X-Mailing-List: keyrings@vger.kernel.org

Add an openssl command option example for generating CodeSign extended
key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 Documentation/admin-guide/module-signing.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..ca3b8f19466c 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -170,6 +170,12 @@ generate the public/private key files::
 	   -config x509.genkey -outform PEM -out kernel_key.pem \
 	   -keyout kernel_key.pem
 
+When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl
+command option should be added where for generating CodeSign extended key usage
+in X.509::
+
+        -addext "extendedKeyUsage=codeSigning"
+
 The full pathname for the resulting kernel_key.pem file can then be specified
 in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will
 be used instead of an autogenerated keypair.