From patchwork Wed Dec 7 17:12:29 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13067398
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 01/10] KEYS: Create static version of public_key_verify_signature
Date: Wed, 7 Dec 2022 12:12:29 -0500
Message-Id: <20221207171238.2945307-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version in this case and return -EINVAL.

Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */

From patchwork Wed Dec 7 17:12:30 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13067392
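Review bot: the `#else` stub added for the `!IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)` case makes every call fail, which is the safe direction for a signature check, but returning `-EINVAL` ("invalid argument") reports a build-configuration condition as if the caller had passed bad data, so a caller that logs or branches on the error cannot tell "no public-key subtype reachable from here" apart from "malformed key or signature"; consider `-ENOPKG` ("package not installed"), or, if -EINVAL is kept for consistency with existing callers, a one-line comment on the stub saying it is reached only when the subtype is absent or built as a module while the caller is built in (the IS_REACHABLE rather than IS_ENABLED case). The commit message should then state the same rationale so the errno choice is not read as accidental.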
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 02/10] KEYS: Add missing function documentation
Date: Wed, 7 Dec 2022 12:12:30 -0500
Message-Id: <20221207171238.2945307-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Compiling with 'W=1' results in warnings that 'Function parameter or member not described'. Add the missing parameters for restrict_link_by_builtin_and_secondary_trusted and restrict_link_to_builtin_trusted. Use /* instead of /** for get_builtin_and_secondary_restriction, since it is a static function.

Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
---
 certs/system_keyring.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..250148298690 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring. @@ -51,6 +55,10 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring * addition by both builtin and secondary keyrings + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system 
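Review bot: kernel-doc matches each `@name` line against the parameter names in the function signature, so the two hunks must mirror the prototypes exactly: the first documents `@restriction_key` for restrict_link_by_builtin_trusted and the second documents `@restrict_key` for restrict_link_by_builtin_and_secondary_trusted; that is right only if the two functions really name their last parameter differently, otherwise W=1 keeps warning on the mismatched one, so please confirm against the declarations (and, if the names differ only by accident, aligning the parameter names would be a cleaner fix than documenting the inconsistency). The first hunk also corrects the kernel-doc title from restrict_link_to_builtin_trusted to restrict_link_by_builtin_trusted, while the commit message still calls the function restrict_link_to_builtin_trusted; the message should use the real name.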
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */

From patchwork Wed Dec 7 17:12:31 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13067396
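Review bot: the `-/**` to `+/*` change on the get_builtin_and_secondary_restriction comment is fine for an init-only helper, but the reason it silences W=1 is that `/**` declares a kernel-doc block, which then has to start with the documented name and describe the function fully, not that the function is static (kernel-doc processes static functions too), so the commit message's "since it is a static function" should instead say the helper is internal and not meant to be documented as API. The alternative, keeping `/**` and giving it a proper kernel-doc header (`get_builtin_and_secondary_restriction - ...` plus a `Return:` line), would also satisfy W=1 and keeps the text visible in generated docs; either is acceptable, the rationale just needs to match the change.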
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA
Date: Wed, 7 Dec 2022 12:12:31 -0500
Message-Id: <20221207171238.2945307-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the x509_certificate. This will be used in a follow-on patch that requires knowing if the public key is a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 crypto/asymmetric_keys/x509_parser.h      | 1 +
 2 files changed, 10 insertions(+)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..b4443e507153 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->root_ca = true; + } + return 0; } diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index a299c9c56f40..7c5c0ad1c22e 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h 
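Review bot: the cA test `v[2] == ASN1_BOOL && v[3] == 1` only recognises a BOOLEAN whose content octet is 0x01, but DER (X.690 11.1, the encoding X.509 certificates use) encodes TRUE as 0xFF, so a CA certificate from a conforming DER encoder would leave `root_ca` false; check for 0xFF (for example `v[3] == 0xFF`, or `v[3] != 0` if BER-style encoders are to be tolerated) and add a comment stating which encodings are accepted. The size checks (`vlen < 2`, `v[0] != (ASN1_CONS_BIT | ASN1_SEQ)`, `v[1] != vlen - 2`) correctly reject a SEQUENCE whose length does not span the value, but nothing validates the bytes after the BOOLEAN, so a pathLenConstraint that is malformed, or trailing data after it, is accepted silently; if this field is going to feed trust decisions later in the series, parse the optional INTEGER too or at least reject unexpected trailing bytes. Also `root_ca` names something the hunk does not determine: the cA bit is set on intermediate CAs as well, so `is_ca` (with the header comment updated to match) would describe what is actually stored.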
@@ -38,6 +38,7 @@ struct x509_certificate { bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; + bool root_ca; /* T if basic constraints CA is set */ }; /*

From patchwork Wed Dec 7 17:12:32 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13067397
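The BasicConstraints value described in the commit message of [PATCH v2 03/10] can be decoded in full rather than probed at fixed offsets. The following standalone C decoder is an added example, not code from the patch or from the kernel: it assumes it is handed the extension's value bytes (the same v/vlen that x509_process_extension() receives), enforces the DER rules for the cA BOOLEAN and the optional pathLenConstraint INTEGER, rejects trailing data, and is exercised on constructed sample encodings (no real certificate data).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Universal tags from X.690; 0x30 is SEQUENCE with the constructed bit set. */
#define TAG_BOOLEAN  0x01
#define TAG_INTEGER  0x02
#define TAG_SEQUENCE 0x30

struct basic_constraints {
	bool ca;           /* cA; DEFAULT FALSE, so an absent BOOLEAN means false */
	bool has_path_len; /* pathLenConstraint present */
	long path_len;     /* only meaningful when has_path_len is set */
};

/*
 * Decode the DER value of a BasicConstraints extension (the bytes inside the
 * extension's OCTET STRING). Returns 0 on success, -1 if not valid DER.
 */
static int parse_basic_constraints(const uint8_t *v, size_t vlen,
				   struct basic_constraints *out)
{
	const uint8_t *p, *end;

	out->ca = false;
	out->has_path_len = false;
	out->path_len = 0;

	/* Outer SEQUENCE, short-form length, and the length must span the value. */
	if (vlen < 2 || v[0] != TAG_SEQUENCE || v[1] >= 0x80 || v[1] != vlen - 2)
		return -1;
	p = v + 2;
	end = v + vlen;

	/*
	 * Optional cA BOOLEAN. DER requires TRUE to be encoded as 0xFF (X.690
	 * 11.1) and forbids encoding a DEFAULT value, so 0x00 and the BER-only
	 * 0x01 are rejected rather than silently treated as "not a CA".
	 */
	if (p < end && p[0] == TAG_BOOLEAN) {
		if (end - p < 3 || p[1] != 1 || p[2] != 0xFF)
			return -1;
		out->ca = true;
		p += 3;
	}

	/* Optional pathLenConstraint INTEGER (0..MAX): minimal and non-negative. */
	if (p < end && p[0] == TAG_INTEGER) {
		size_t len, i;

		if (end - p < 2)
			return -1;
		len = p[1];
		if (len < 1 || len > 4 || (size_t)(end - p) < 2 + len)
			return -1;
		if (p[2] & 0x80) /* sign bit set: negative value, not allowed */
			return -1;
		if (len > 1 && p[2] == 0x00 && !(p[3] & 0x80)) /* non-minimal */
			return -1;
		for (i = 0; i < len; i++)
			out->path_len = (out->path_len << 8) | p[2 + i];
		out->has_path_len = true;
		p += 2 + len;
	}

	/* Anything left over is trailing data the SEQUENCE length did not cover. */
	return p == end ? 0 : -1;
}

/* 1 = CA, 0 = well-formed non-CA, -1 = malformed encoding. */
static int ca_flag(const uint8_t *v, size_t vlen)
{
	struct basic_constraints bc;

	if (parse_basic_constraints(v, vlen, &bc) < 0)
		return -1;
	return bc.ca ? 1 : 0;
}

/* pathLenConstraint value, -1 if absent, -2 if the encoding is malformed. */
static long path_len_of(const uint8_t *v, size_t vlen)
{
	struct basic_constraints bc;

	if (parse_basic_constraints(v, vlen, &bc) < 0)
		return -2;
	return bc.has_path_len ? bc.path_len : -1;
}

/* Constructed sample values, not taken from any real certificate. */
static const uint8_t bc_ca_only[]     = { 0x30, 0x03, 0x01, 0x01, 0xFF };
static const uint8_t bc_ca_pathlen0[] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 };
static const uint8_t bc_pathlen256[]  = { 0x30, 0x07, 0x01, 0x01, 0xFF, 0x02, 0x02, 0x01, 0x00 };
static const uint8_t bc_end_entity[]  = { 0x30, 0x00 };
static const uint8_t bc_ber_true[]    = { 0x30, 0x03, 0x01, 0x01, 0x01 };       /* TRUE as 0x01: BER, not DER */
static const uint8_t bc_trailing[]    = { 0x30, 0x04, 0x01, 0x01, 0xFF, 0x00 }; /* stray byte after cA */

int main(void)
{
	const struct { const char *name; const uint8_t *v; size_t vlen; } samples[] = {
		{ "ca_only",     bc_ca_only,     sizeof bc_ca_only },
		{ "ca_pathlen0", bc_ca_pathlen0, sizeof bc_ca_pathlen0 },
		{ "pathlen256",  bc_pathlen256,  sizeof bc_pathlen256 },
		{ "end_entity",  bc_end_entity,  sizeof bc_end_entity },
		{ "ber_true",    bc_ber_true,    sizeof bc_ber_true },
		{ "trailing",    bc_trailing,    sizeof bc_trailing },
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-12s ca=%2d pathlen=%ld\n", samples[i].name,
		       ca_flag(samples[i].v, samples[i].vlen),
		       path_len_of(samples[i].v, samples[i].vlen));
	return 0;
}
```

Build with `cc -std=c99 -Wall`. The bc_ber_true sample is the interesting one: a decoder that accepts only 0x01 for TRUE, as the hunk in the patch does, would report a conforming DER CA certificate (0xFF) as not a CA, whereas this strict decoder rejects the 0x01 form outright instead of quietly treating it as false, so a malformed certificate fails parsing rather than being admitted with the wrong trust attributes.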
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 04/10] KEYS: X.509: Parse Key Usage
Date: Wed, 7 Dec 2022 12:12:32 -0500
Message-Id: <20221207171238.2945307-5-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Parse the X.509 Key Usage. The key usage extension defines the purpose of the key contained in the certificate.

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

KeyUsage ::= BIT STRING {
    digitalSignature  (0),
    contentCommitment (1),
    keyEncipherment   (2),
    dataEncipherment  (3),
    keyAgreement      (4),
    keyCertSign       (5),
    cRLSign           (6),
    encipherOnly      (7),
    decipherOnly      (8) }

If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow-on patch that requires knowing the certificate key usage type.
Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++ crypto/asymmetric_keys/x509_parser.h | 1 + 2 files changed, 23 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index b4443e507153..edb22cf04eed 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -579,6 +579,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string to validate keyCertSign + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing) + * v[3] and possibly v[4] contain the bit string + * 0x04 is where KeyCertSign lands in this bit string (from + * RFC 5280 4.2.1.3) + */ + if (v[0] != ASN1_BTS) + return -EBADMSG; + if (vlen < 4) + return -EBADMSG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->kcs_set = true; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->kcs_set = true; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v; diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 7c5c0ad1c22e..74a9f929e400 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h 
@@ -39,6 +39,7 @@ struct x509_certificate { bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; bool root_ca; /* T if basic constraints CA is set */ + bool kcs_set; /* T if keyCertSign is set */ }; /*
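Review bot: in the OID_keyUsage block of the x509_cert_parser.c hunk, `v[0]` is dereferenced before the `vlen < 4` check, so a zero-length extension value reads past it; test the length first. The block also lacks the `v[1] != vlen - 2` consistency check that the basicConstraints block performs, so a BIT STRING whose declared length disagrees with the extension length is accepted. The `v[2] <= 2` unused-bits test is correctly applied only to the one-octet (`v[1] == 0x02`) form, since unused bits belong to the last octet, but the comment "(If >= 3 keyCertSign is missing)" should say it applies to that form only.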
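The keyUsage BIT STRING layout described in the commit message, and the cA BOOLEAN that the previous patch reads, decoded as an added stand-alone C example that is not part of this series or of the kernel: it validates the DER length and unused-bits fields, covers both one- and two-octet bit strings, and reads the BOOLEAN's value octet rather than its length. The ASN1_* constants are defined locally (they mirror the kernel's names) and every sample encoding is constructed for the example.

```c
/*
 * Added example, not kernel code: decode the DER values of the X.509
 * keyUsage and basicConstraints extensions (is keyCertSign set? is cA
 * TRUE?) while validating the length, unused-bits and BOOLEAN value
 * octets. Tag constants mirror the kernel's ASN1_* names but are defined
 * here so the file builds on its own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASN1_BOOL      0x01
#define ASN1_BTS       0x03          /* BIT STRING */
#define ASN1_SEQ       0x10
#define ASN1_CONS_BIT  0x20          /* constructed encoding */

#define KU_KEYCERTSIGN 5             /* KeyUsage bit index, RFC 5280 4.2.1.3 */

/* Short-form DER length at v[1] must cover exactly the remaining bytes. */
static int length_ok(const uint8_t *v, size_t vlen)
{
	return vlen >= 2 && v[1] < 0x80 && (size_t)v[1] == vlen - 2;
}

/*
 * keyUsage value: 03 <len> <unused-bits> <bit octets...>
 * Returns 1 if keyCertSign is asserted, 0 if clear or not encoded,
 * -1 if the encoding is malformed.
 */
int ku_keycertsign(const uint8_t *v, size_t vlen)
{
	size_t unused, nbits;

	if (vlen < 3 || v[0] != ASN1_BTS || !length_ok(v, vlen))
		return -1;
	unused = v[2];
	if (unused > 7 || (vlen == 3 && unused != 0))
		return -1;
	/* Bits actually present; a short string simply lacks keyCertSign. */
	nbits = (vlen - 3) * 8 - unused;
	if ((size_t)KU_KEYCERTSIGN >= nbits)
		return 0;
	/* Bit 0 is the MSB of the first octet, so bit 5 is mask 0x04. */
	return (v[3 + KU_KEYCERTSIGN / 8] >> (7 - KU_KEYCERTSIGN % 8)) & 1;
}

/*
 * basicConstraints value: 30 <len> [01 01 <cA>] [02 <len> <pathLen>]
 * Returns 1 if cA is TRUE, 0 if absent (DEFAULT FALSE) or explicitly
 * FALSE, -1 if malformed. The value octet is v[4]; v[3] is only its length.
 */
int bc_is_ca(const uint8_t *v, size_t vlen)
{
	if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ) || !length_ok(v, vlen))
		return -1;
	if (vlen == 2 || v[2] != ASN1_BOOL)
		return 0;                /* empty, or only pathLenConstraint */
	if (vlen < 5 || v[3] != 1)
		return -1;
	if (v[4] == 0xff)
		return 1;
	return v[4] == 0x00 ? 0 : -1;    /* explicit FALSE: not DER, but not TRUE */
}

/* Constructed sample encodings; none is taken from a real certificate. */
static const uint8_t ku_ca[]     = {0x03, 0x02, 0x01, 0x06};       /* keyCertSign, cRLSign */
static const uint8_t ku_leaf[]   = {0x03, 0x02, 0x05, 0xa0};       /* digitalSignature, keyEncipherment */
static const uint8_t ku_two[]    = {0x03, 0x03, 0x07, 0x04, 0x80}; /* two octets: keyCertSign, decipherOnly */
static const uint8_t ku_short[]  = {0x03, 0x02, 0x03, 0x00};       /* only 5 bits encoded */
static const uint8_t ku_badlen[] = {0x03, 0x05, 0x01, 0x06};       /* length claims more than present */
static const uint8_t bc_true[]   = {0x30, 0x03, 0x01, 0x01, 0xff};
static const uint8_t bc_path[]   = {0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00};
static const uint8_t bc_false[]  = {0x30, 0x03, 0x01, 0x01, 0x00}; /* a length-only check would call this CA */
static const uint8_t bc_empty[]  = {0x30, 0x00};
static const uint8_t bc_trunc[]  = {0x30, 0x03, 0x01, 0x01};       /* BOOLEAN value octet missing */

/* Runs every sample; returns how many results differ from expectation. */
int run_samples(void)
{
	struct { const char *name; int got, want; } r[] = {
		{"ku_ca",     ku_keycertsign(ku_ca, sizeof ku_ca),          1},
		{"ku_leaf",   ku_keycertsign(ku_leaf, sizeof ku_leaf),      0},
		{"ku_two",    ku_keycertsign(ku_two, sizeof ku_two),        1},
		{"ku_short",  ku_keycertsign(ku_short, sizeof ku_short),    0},
		{"ku_badlen", ku_keycertsign(ku_badlen, sizeof ku_badlen), -1},
		{"bc_true",   bc_is_ca(bc_true, sizeof bc_true),            1},
		{"bc_path",   bc_is_ca(bc_path, sizeof bc_path),            1},
		{"bc_false",  bc_is_ca(bc_false, sizeof bc_false),          0},
		{"bc_empty",  bc_is_ca(bc_empty, sizeof bc_empty),          0},
		{"bc_trunc",  bc_is_ca(bc_trunc, sizeof bc_trunc),         -1},
	};
	int bad = 0;

	for (size_t i = 0; i < sizeof r / sizeof r[0]; i++) {
		printf("%-10s -> %2d (expected %2d)\n", r[i].name, r[i].got, r[i].want);
		bad += r[i].got != r[i].want;
	}
	return bad;
}

int main(void)
{
	return run_samples() ? 1 : 0;
}
```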
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 05/10] KEYS: Introduce a CA endorsed flag
Date: Wed, 7 Dec 2022 12:12:33 -0500
Message-Id: <20221207171238.2945307-6-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Some subsystems are interested in knowing if a key has been endorsed as a Certificate Authority (CA). From the data contained in struct key, it is not possible to make this determination after the key parsing is complete.

Introduce a new Endorsed Certificate Authority flag called KEY_FLAG_ECA. The first type of key to use this is X.509. When an X.509 certificate is self-signed, has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set. In the future, other usage fields could be added as flags, i.e. digitalSignature.
Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_public_key.c | 3 +++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 15 insertions(+) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 0b4943a4592b..64cffedc4dd0 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } + if (cert->kcs_set && cert->self_signed && cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); prep->payload.data[asym_subtype] = &public_key_subtype; diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7d985a1dfe4a..0b500578441c 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -36,6 +36,8 @@ struct key_preparsed_payload { size_t datalen; /* Raw datalen */ size_t quotalen; /* Quota length for proposed payload */ time64_t expiry; /* Expiry time of key */ + unsigned int payload_flags; /* Proposed payload flags */ +#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/include/linux/key.h b/include/linux/key.h index d27477faf00d..21d5a13ee4a9 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -236,6 +236,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */ /* the key type and key description string * - the desc is used to match a key against search criteria 
@@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..e6b4946aca70 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_ECA) + key->flags |= 1 << KEY_FLAG_ECA; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; 
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_PECA) + flags |= KEY_ALLOC_ECA; + else + flags &= ~KEY_ALLOC_ECA; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
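Review bot: in the x509_public_key.c hunk, `cert->kcs_set && cert->self_signed && cert->root_ca` limits KEY_ALLOC_PECA to self-signed certificates, so an intermediate CA certificate (cA TRUE, keyCertSign, signed by another key) placed in a trusted keyring never receives KEY_FLAG_ECA and cannot vouch for anything under a restriction that requires it. If root-only is the intended scope, a comment above the test should say so; if not, `self_signed` should drop out of the condition.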
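Review bot: in the key-type.h hunk, `KEY_ALLOC_PECA` is named like the key_alloc() flags in key.h but is a bit in the new `payload_flags` field of struct key_preparsed_payload, and it is defined in the middle of the struct body. A distinct prefix (for instance `KEY_PREP_ECA`) defined next to the struct, with a comment saying key_create_or_update() translates it into KEY_ALLOC_ECA, would keep the two flag spaces from being confused.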
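Review bot: in the key_create_or_update() hunk, KEY_ALLOC_ECA is forced on or off from prep.payload_flags only on the allocate-a-new-key path; other in-kernel callers of key_alloc() can still pass KEY_ALLOC_ECA directly and the key_alloc() hunk will set KEY_FLAG_ECA for them, and when key_create_or_update() finds an existing key and updates it in place the flag is not re-derived from the new payload. Consider masking KEY_ALLOC_ECA out of caller-supplied flags inside key_alloc() and setting it only from a preparse result, or document that the flag is trusted from any kernel caller.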
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 06/10] KEYS: Introduce keyring restriction that validates ca trust
Date: Wed, 7 Dec 2022 12:12:34 -0500
Message-Id: <20221207171238.2945307-7-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring. Add a new restriction called restrict_link_by_ca_and_signature that both vouches for the new key and validates the vouching key is an endorsed certificate authority.

Two new system keyring restrictions are added to use restrict_link_by_ca_and_signature. The first restriction called restrict_link_by_ca_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_ca_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring.

Signed-off-by: Eric Snowberg
---
certs/system_keyring.c | 18 ++++++++++++++ crypto/asymmetric_keys/restrict.c | 41 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++++ include/keys/system_keyring.h | 12 ++++++++- 4 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 250148298690..af5094ce9bcb 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -51,6 +51,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_ca_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring @@ -83,6 +91,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..005cb28969e4 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c 
@@ -108,6 +108,47 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_ECA, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..e51bbc5ffe17 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..4e94bf72b998 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -24,9 +24,13 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_ca_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_ca_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { 
@@ -41,8 +45,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
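Review bot: the two new wrappers in certs/system_keyring.c, restrict_link_by_ca_builtin_trusted and restrict_link_by_ca_builtin_and_secondary_trusted, are added without a kerneldoc block, while the neighbouring restrict_link_by_builtin_and_secondary_trusted has one (its `/** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring` header is visible in the hunk context). Add a matching comment to each that states what differs from the non-CA variant: the vouching key must carry KEY_FLAG_ECA, and, for the secondary variant, a key in the machine keyring qualifies only through its link into secondary_trusted_keys, as the commit message says.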
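Review bot: restrict_link_by_ca_and_signature in crypto/asymmetric_keys/restrict.c repeats the body of restrict_link_by_signature (the -ENOKEY, -EOPNOTSUPP and -ENOPKG checks, the ca_keyid partial match, find_asymmetric_key() and the use_builtin_keys test) and differs only in the added `if (!test_bit(KEY_FLAG_ECA, &key->flags)) ret = -ENOKEY;` branch. Factor the shared body into a static helper with a `bool require_ca` argument so a later fix to one path cannot miss the other. The new function also needs the kerneldoc comment its sibling has; document in it that -ENOKEY covers both "no signer found" and "signer found but not an endorsed CA", since callers cannot tell the two apart.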
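Review bot: the prototype added to include/crypto/public_key.h names the fourth parameter `struct key *unused`, but the definition in restrict.c names it `trust_keyring` and passes it to find_asymmetric_key(); the wrappers in certs/system_keyring.c pass builtin_trusted_keys or secondary_trusted_keys there. Rename it to `trust_keyring` in the header so the declaration does not suggest the argument is ignored.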
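Review bot: the first include/keys/system_keyring.h hunk removes the blank line after `extern __init int load_module_cert(struct key *keyring);` and places the restrict_link_by_ca_builtin_trusted prototype directly after it rather than beside restrict_link_by_builtin_trusted, whose signature it mirrors. Keep the blank line and group the new declaration with its non-CA counterpart so the pairing is visible.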
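Review bot: in the second include/keys/system_keyring.h hunk the fallback `#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted` maps the CA-enforcing restriction onto the non-CA restrict_link_by_builtin_trusted when CONFIG_SECONDARY_TRUSTED_KEYRING is off, so on such a build every user of the _ca_ variant silently loses the endorsed-CA check. It should expand to restrict_link_by_ca_builtin_trusted, following the pattern of the existing line above it. The declaration's last parameter is also named `restrict_key` while the definition in certs/system_keyring.c uses `unused`; align the two.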
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed
Date: Wed, 7 Dec 2022 12:12:35 -0500
Message-Id: <20221207171238.2945307-8-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Currently X.509 Intermediate CA certs do not have the endorsed CA (KEY_FLAG_ECA) set. Allow intermediate CA certs to be added. Requirements for an intermediate CA include: Usage extension defined as keyCertSign, Basic Constraints for CA is false, and Intermediate CA cert is signed by a current endorsed CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++--
 include/linux/ima.h                      | 11 +++++++++++
 include/linux/key-type.h                 |  1 +
 security/keys/key.c                      |  5 +++++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 64cffedc4dd0..7a87d5c0c32b 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c 
@@ -208,8 +208,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } - if (cert->kcs_set && cert->self_signed && cert->root_ca) - prep->payload_flags |= KEY_ALLOC_PECA; + if (cert->kcs_set) { + if (cert->self_signed && cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_PECA for now. If the restriction check + * passes later, the key will be allocated with the + * correct CA flag + */ + else if (!cert->self_signed && !cert->root_ca) + prep->payload_flags |= KEY_MAYBE_PECA; + } /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..6597081b6b1a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA @@ -181,6 +182,16 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_trusted +#endif +#else +#define ima_validate_builtin_ca restrict_link_reject +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 0b500578441c..0d2f95f6b8a1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h 
@@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ +#define KEY_MAYBE_PECA 0x0002 /* Proposed possible ECA key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index e6b4946aca70..69d5f143683f 100644 --- a/security/keys/key.c +++ b/security/keys/key.c 
@@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate endorsed ca */ + if ((prep.payload_flags & KEY_MAYBE_PECA) && + !(ima_validate_builtin_ca(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_PECA; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
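Review bot: the new `else if (!cert->self_signed && !cert->root_ca)` branch in x509_key_preparse() treats a certificate as a possible intermediate CA only when it has keyCertSign (kcs_set) and its Basic Constraints CA flag is not set, which the commit message states as "Basic Constraints for CA is false". RFC 5280 section 4.2.1.9 says that if the cA boolean is not asserted, the keyCertSign bit MUST NOT be asserted, so that combination describes a certificate the standard forbids. Either the condition is inverted or `root_ca` records something narrower than the cA boolean; say which in the commit message and, if it is the boolean, test `cert->root_ca` rather than its negation. Separately, the block comment sits between the `if` body and the `else if`; move it inside the else branch so the chain reads as one unit.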
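Review bot: ima_validate_builtin_ca is defined in include/linux/ima.h, yet its only user in this patch is security/keys/key.c, which is core keyring code with no IMA relationship, and what the macro does (pick restrict_link_by_ca_builtin_and_secondary_trusted or restrict_link_by_ca_builtin_trusted by CONFIG_SECONDARY_TRUSTED_KEYRING, else restrict_link_reject) is system-keyring logic. Move the definition to include/keys/system_keyring.h under a name without the ima_ prefix, so key.c does not gain a dependency on linux/ima.h and the new #include in ima.h becomes unnecessary.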
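Review bot: in key_create_or_update() the promotion from KEY_MAYBE_PECA to KEY_ALLOC_PECA runs for every destination keyring, so a non-self-signed keyCertSign certificate added to any keyring is flagged as an endorsed CA as soon as it chains to an endorsed builtin or secondary key, regardless of what `keyring`'s own restriction allowed; the `keyring` argument itself is not used by restrict_link_by_ca_and_signature. If that is intended, state it in the comment, which also asserts "Previous restriction check passed" although an unrestricted keyring has no such check. Style: `!(ima_validate_builtin_ca(...))` hides that the call returns an errno; `ima_validate_builtin_ca(...) == 0` is clearer.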
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 08/10] integrity: Use root of trust signature restriction
Date: Wed, 7 Dec 2022 12:12:36 -0500
Message-Id: <20221207171238.2945307-9-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Keys added to the IMA keyring must be vouched for by keys contained within the builtin or secondary keyrings. These keys must also be self-signed, have the CA bit set and have the keyCertSign KeyUsage bit set. Or they could be validated by a properly formed intermediate CA. Currently these restrictions are not enforced.

Use the new restrict_link_by_ca_builtin_and_secondary_trusted and restrict_link_by_ca_builtin_trusted to enforce the missing CA restrictions when adding keys to the IMA keyring.

With the CA restrictions enforced, allow the machine keyring to be enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg
---
 security/integrity/Kconfig     | 1 -
 security/integrity/digsig.c    | 4 ++--
 security/integrity/ima/Kconfig | 6 +++---
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..14cc3c767270 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys 
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 8a82a6c7f48a..1fe8d1ed6e0b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_and_secondary_trusted #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_trusted #endif static struct key *integrity_keyring_from_id(const unsigned int id) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 7249f16257c7..6fe3bd0e5c82 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig 
@@ -269,13 +269,13 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + key is validly signed by a CA cert in the system built-in, + secondary trusted, or machine keyrings. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, secondary trusted or machine keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
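Review bot: dropping `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` from INTEGRITY_MACHINE_KEYRING in security/integrity/Kconfig changes what IMA trusts, but the option's own help text that follows ("This keyring shall contain just MOK keys. ...") is left as is, while the ima/Kconfig help in this same patch is updated. Extend this help to say that, with the CA restriction now enforced, a MOK key that is an endorsed CA can vouch for IMA keys when IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is set.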
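Review bot: switching restrict_link_to_ima in security/integrity/digsig.c to the _ca_ variants is a user-visible tightening: an IMA certificate signed by a builtin or secondary key that is not an endorsed CA (not self-signed, CA bit clear, or no keyCertSign, per the commit message) loads today and is refused with -ENOKEY after this change. The commit message should name that as a behaviour change and say what an operator sees on failure, since the error does not distinguish "unknown signer" from "signer is not a CA".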
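Review bot: the updated security/integrity/ima/Kconfig help lists "machine keyrings" as a trust source unconditionally, but per the description of patch 06 a machine keyring key counts only through its link into secondary_trusted_keys, and only when the machine keyring is built at all. Phrase it as "the machine keyring, if enabled" and mention that it is reached via the secondary keyring, so a reader does not expect machine keys to be consulted on a kernel without CONFIG_SECONDARY_TRUSTED_KEYRING.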
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 09/10] KEYS: CA link restriction
Date: Wed, 7 Dec 2022 12:12:37 -0500
Message-Id: <20221207171238.2945307-10-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Add a new link restriction. Restrict the addition of keys in a keyring
based on the key to be added being a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/restrict.c        | 40 ++++++++++++++++++++++++
 crypto/asymmetric_keys/x509_public_key.c |  5 ++-
 include/crypto/public_key.h              | 16 ++++++++++
 3 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 005cb28969e4..ac0a6efafb03 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + if (!pkey->key_is_ca) + return -ENOKEY; + + return public_key_verify_signature(pkey, sig); +} + int restrict_link_by_ca_and_signature(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 7a87d5c0c32b..9c2909fea63e 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -209,8 +209,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } if (cert->kcs_set) { - if (cert->self_signed && cert->root_ca) + if (cert->self_signed && cert->root_ca) { prep->payload_flags |= KEY_ALLOC_PECA; + cert->pub->key_is_ca = true; + } + /* * In this case it could be an Intermediate CA. Set * KEY_MAYBE_PECA for now. If the restriction check 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index e51bbc5ffe17..3de0f8a68914 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; }; 
@@ -76,6 +77,21 @@ extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, const union key_payload *payload, struct key *unused); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);

From patchwork Wed Dec 7 17:12:38 2022
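Review bot: the kernel-doc for restrict_link_by_ca in crypto/asymmetric_keys/restrict.c describes a different function than the one below it. The "Returns" paragraph says "some other error if there is a matching certificate but the signature check cannot be performed", wording carried over from restrict_link_by_signature, but this function never looks anything up in a trust keyring (@trust_keyring is documented as unused); it calls public_key_verify_signature(pkey, sig) with the certificate's own public key, so it is a self-signature check that only a self-signed certificate can pass. Suggest rewording to match the code, for example "Returns 0 if the certificate is marked as a CA and its signature verifies against its own key, -ENOKEY if key_is_ca is not set, -ENOPKG if the payload has no signature or public key or uses unsupported crypto", and saying "self-signed CA" rather than "CA" in the summary line, since the x509_public_key.c hunk sets key_is_ca in that case only.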
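Review bot: in the x509_key_preparse hunk, cert->pub->key_is_ca is set only inside the `cert->self_signed && cert->root_ca` branch, while the comment that follows says a certificate reaching the next statement "could be an Intermediate CA" and gets KEY_MAYBE_PECA. An intermediate CA therefore has key_is_ca == false and restrict_link_by_ca rejects it with -ENOKEY, which does not match a field named key_is_ca or the commit message's "based on the key to be added being a CA". Either name the field for what it records (a self-signed root CA) or state in the commit message and the kernel-doc that intermediate CAs are intentionally excluded from this restriction.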
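Review bot: the new `bool key_is_ca;` member in struct public_key (include/crypto/public_key.h) carries no comment saying who sets it or what it means. Since only the X.509 parser sets it, and only for a self-signed root CA, a one-line comment such as `/* set by the X.509 parser for self-signed root CA certs */` would stop the next reader from assuming every CA certificate has it set.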
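Review bot: the `#else` fallback for restrict_link_by_ca returns 0, which for a restriction function means "allow the link". Presumably nothing can reach this stub when CONFIG_ASYMMETRIC_KEY_TYPE is not reachable, because no asymmetric key exists to be linked, but that reasoning is not written down anywhere in the hunk; a short comment on the stub (or a sentence in the commit message) would make clear that returning 0 is intentional rather than a fail-open oversight.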
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Wed, 7 Dec 2022 12:12:38 -0500
Message-Id: <20221207171238.2945307-11-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
restrict_link_by_ca. This will only allow CA keys into the machine
keyring.

Signed-off-by: Eric Snowberg
---
 security/integrity/Kconfig  | 10 ++++++++++
 security/integrity/digsig.c |  8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 14cc3c767270..3357883fa5a8 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Only allow CA keys into the Machine Keyring" + depends on INTEGRITY_MACHINE_KEYRING + help + If set, only Machine Owner Keys (MOK) that are Certificate + Authority (CA) keys will be added to the .machine keyring. All + other MOK keys will be added to the .platform keyring. After + booting, any other key signed by the CA key can be added to the + secondary_trusted_keys keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 1fe8d1ed6e0b..b0ec615745e3 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } @@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
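Review bot: the INTEGRITY_CA_MACHINE_KEYRING help text promises behaviour this patch does not contain. "All other MOK keys will be added to the .platform keyring" and "any other key signed by the CA key can be added to the secondary_trusted_keys keyring" are implemented by neither hunk of this diff, which only swaps the restriction function for the .machine keyring. If earlier patches in the series provide that behaviour, the commit message should say so and the option should depend on whatever enables it; otherwise the help text should describe only what the option does here. It would also help to say "self-signed CA", since that is the only kind of key restrict_link_by_ca accepts in patch 09.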
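Review bot: the rewritten condition in integrity_init_keyring folds two different reasons for `restriction = NULL` into one expression: the platform keyring never gets a restriction, and the machine keyring gets none only when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is off. The logic is correct, but a reader has to work out that "machine && !CA" takes the `goto out` while "machine && CA" falls through to allocate the restriction that the second hunk fills in. A comment above the `if`, or splitting it into two `if` statements, would make the coupling with the later `if (id == INTEGRITY_KEYRING_MACHINE)` explicit.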
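Review bot: `restriction->check = restrict_link_by_ca` in the second digsig.c hunk is selected on `id == INTEGRITY_KEYRING_MACHINE` alone and relies on the first hunk having already sent the !CONFIG_INTEGRITY_CA_MACHINE_KEYRING case to `goto out`. Making it self-contained, e.g. `if (id == INTEGRITY_KEYRING_MACHINE && IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))`, or adding a comment, would prevent a later edit to the first condition from silently handing the machine keyring the IMA restriction. The block comment that follows ("MOK keys can only be added through a read-only runtime services...") should also be checked against the new CA restriction, since it was written when the machine keyring had no restriction function at all.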