Message ID | 20230302164652.83571-6-eric.snowberg@oracle.com |
---|---|
State | New |
Headers | From: Eric Snowberg <eric.snowberg@oracle.com> To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v5 5/6] KEYS: CA link restriction Date: Thu, 2 Mar 2023 11:46:51 -0500 Message-Id: <20230302164652.83571-6-eric.snowberg@oracle.com> In-Reply-To: <20230302164652.83571-1-eric.snowberg@oracle.com> |
Series | Add CA enforcement keyring restrictions |
Commit Message
Eric Snowberg
March 2, 2023, 4:46 p.m. UTC
Add a new link restriction. Restrict the addition of keys in a keyring
based on the key to be added being a CA.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h       | 15 ++++++++++++
 2 files changed, 53 insertions(+)
Comments
On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > Add a new link restriction. Restrict the addition of keys in a keyring > based on the key to be added being a CA. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > include/crypto/public_key.h | 15 ++++++++++++ > 2 files changed, 53 insertions(+) > > diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > index 6b1ac5f5896a..48457c6f33f9 100644 > --- a/crypto/asymmetric_keys/restrict.c > +++ b/crypto/asymmetric_keys/restrict.c 
> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > return ret; > } > > +/** > + * restrict_link_by_ca - Restrict additions to a ring of CA keys > + * @dest_keyring: Keyring being linked to. > + * @type: The type of key being added. > + * @payload: The payload of the new key. > + * @trust_keyring: Unused. > + * > + * Check if the new certificate is a CA. If it is a CA, then mark the new > + * certificate as being ok to link. > + * > + * Returns 0 if the new certificate was accepted, -ENOKEY if the > + * certificate is not a CA. -ENOPKG if the signature uses unsupported > + * crypto, or some other error if there is a matching certificate but > + * the signature check cannot be performed. > + */ > +int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring) > +{ > + const struct public_key *pkey; > + > + if (type != &key_type_asymmetric) > + return -EOPNOTSUPP; > + > + pkey = payload->data[asym_crypto]; > + if (!pkey) > + return -ENOPKG; > + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > + return -ENOKEY; > + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > + return -ENOKEY; > + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > + return -ENOKEY; nit: would be more readable, if conditions were separated by empty lines. > + > + return 0; > +} > + > static bool match_either_id(const struct asymmetric_key_id **pair, > const struct asymmetric_key_id *single) > { > diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h > index 03c3fb990d59..653992a6e941 100644 > --- a/include/crypto/public_key.h > +++ b/include/crypto/public_key.h 
> @@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, > const union key_payload *payload, > struct key *trusted); > > +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) > +extern int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring); > +#else > +static inline int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring) > +{ > + return 0; > +} > +#endif > + > extern int query_asymmetric_key(const struct kernel_pkey_params *, > struct kernel_pkey_query *); > > -- > 2.27.0 > BR, Jarkko
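Review bot: In the crypto/asymmetric_keys/restrict.c hunk, the kernel-doc for restrict_link_by_ca() does not match the body. It promises -ENOPKG "if the signature uses unsupported crypto" and "some other error if there is a matching certificate but the signature check cannot be performed", but no signature is checked here: -ENOPKG is returned when payload->data[asym_crypto] is NULL, and the -EOPNOTSUPP return for a type other than key_type_asymmetric is not documented at all. The comment also says the certificate is marked "as being ok to link" although nothing is marked, and it does not mention that a key with KEY_EFLAG_DIGITALSIG set is rejected even when KEY_EFLAG_CA and KEY_EFLAG_KEYCERTSIGN are both set. Suggest rewriting the Returns paragraph around the checks the function actually makes and stating the KEY_EFLAG_DIGITALSIG exclusion explicitly, since that is the policy decision anyone auditing the keyring will look for.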
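Review bot: In the include/crypto/public_key.h hunk, the #else stub of restrict_link_by_ca() returns 0, so a build where CONFIG_ASYMMETRIC_KEY_TYPE is not reachable accepts every link, while the real function returns -EOPNOTSUPP for any type other than key_type_asymmetric. The two variants therefore disagree on the same input. Suggest having the stub return -EOPNOTSUPP so the restriction fails closed, or adding a comment above the stub explaining why "return 0;" is safe in that configuration.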
> On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: >> Add a new link restriction. Restrict the addition of keys in a keyring >> based on the key to be added being a CA. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >> --- >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ >> include/crypto/public_key.h | 15 ++++++++++++ >> 2 files changed, 53 insertions(+) >> >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c >> index 6b1ac5f5896a..48457c6f33f9 100644 >> --- a/crypto/asymmetric_keys/restrict.c >> +++ b/crypto/asymmetric_keys/restrict.c 
>> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, >> return ret; >> } >> >> +/** >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys >> + * @dest_keyring: Keyring being linked to. >> + * @type: The type of key being added. >> + * @payload: The payload of the new key. >> + * @trust_keyring: Unused. >> + * >> + * Check if the new certificate is a CA. If it is a CA, then mark the new >> + * certificate as being ok to link. >> + * >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported >> + * crypto, or some other error if there is a matching certificate but >> + * the signature check cannot be performed. >> + */ >> +int restrict_link_by_ca(struct key *dest_keyring, >> + const struct key_type *type, >> + const union key_payload *payload, >> + struct key *trust_keyring) >> +{ >> + const struct public_key *pkey; >> + >> + if (type != &key_type_asymmetric) >> + return -EOPNOTSUPP; >> + >> + pkey = payload->data[asym_crypto]; >> + if (!pkey) >> + return -ENOPKG; >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) >> + return -ENOKEY; >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) >> + return -ENOKEY; >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) >> + return -ENOKEY; > > nit: would be more readable, if conditions were separated by > empty lines. Ok, I will make this change in the next round. Thanks.
On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > >> Add a new link restriction. Restrict the addition of keys in a keyring > >> based on the key to be added being a CA. > >> > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > >> --- > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > >> include/crypto/public_key.h | 15 ++++++++++++ > >> 2 files changed, 53 insertions(+) > >> > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > >> index 6b1ac5f5896a..48457c6f33f9 100644 > >> --- a/crypto/asymmetric_keys/restrict.c > >> +++ b/crypto/asymmetric_keys/restrict.c 
> >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > >> return ret; > >> } > >> > >> +/** > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > >> + * @dest_keyring: Keyring being linked to. > >> + * @type: The type of key being added. > >> + * @payload: The payload of the new key. > >> + * @trust_keyring: Unused. > >> + * > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > >> + * certificate as being ok to link. > >> + * > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > >> + * crypto, or some other error if there is a matching certificate but > >> + * the signature check cannot be performed. > >> + */ > >> +int restrict_link_by_ca(struct key *dest_keyring, > >> + const struct key_type *type, > >> + const union key_payload *payload, > >> + struct key *trust_keyring) > >> +{ > >> + const struct public_key *pkey; > >> + > >> + if (type != &key_type_asymmetric) > >> + return -EOPNOTSUPP; > >> + > >> + pkey = payload->data[asym_crypto]; > >> + if (!pkey) > >> + return -ENOPKG; > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > >> + return -ENOKEY; > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > >> + return -ENOKEY; > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > >> + return -ENOKEY; > > > > nit: would be more readable, if conditions were separated by > > empty lines. > > Ok, I will make this change in the next round. Thanks. Cool! Mimi have you tested these patches with IMA applied? BR, Jarkko
On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > >> based on the key to be added being a CA. > > >> > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > >> --- > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > >> include/crypto/public_key.h | 15 ++++++++++++ > > >> 2 files changed, 53 insertions(+) > > >> > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > >> --- a/crypto/asymmetric_keys/restrict.c > > >> +++ b/crypto/asymmetric_keys/restrict.c 
> > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > >> return ret; > > >> } > > >> > > >> +/** > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > >> + * @dest_keyring: Keyring being linked to. > > >> + * @type: The type of key being added. > > >> + * @payload: The payload of the new key. > > >> + * @trust_keyring: Unused. > > >> + * > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > >> + * certificate as being ok to link. > > >> + * > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > >> + * crypto, or some other error if there is a matching certificate but > > >> + * the signature check cannot be performed. > > >> + */ > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > >> + const struct key_type *type, > > >> + const union key_payload *payload, > > >> + struct key *trust_keyring) > > >> +{ > > >> + const struct public_key *pkey; > > >> + > > >> + if (type != &key_type_asymmetric) > > >> + return -EOPNOTSUPP; > > >> + > > >> + pkey = payload->data[asym_crypto]; > > >> + if (!pkey) > > >> + return -ENOPKG; > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > >> + return -ENOKEY; > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > >> + return -ENOKEY; > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > >> + return -ENOKEY; > > > > > > nit: would be more readable, if conditions were separated by > > > empty lines. > > > > Ok, I will make this change in the next round. Thanks. > > Cool! Mimi have you tested these patches with IMA applied? Yes, it's working as expected.
On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > >> based on the key to be added being a CA. > > > >> > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > >> --- > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > >> 2 files changed, 53 insertions(+) > > > >> > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > >> +++ b/crypto/asymmetric_keys/restrict.c 
> > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > >> return ret; > > > >> } > > > >> > > > >> +/** > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > >> + * @dest_keyring: Keyring being linked to. > > > >> + * @type: The type of key being added. > > > >> + * @payload: The payload of the new key. > > > >> + * @trust_keyring: Unused. > > > >> + * > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > >> + * certificate as being ok to link. > > > >> + * > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > >> + * crypto, or some other error if there is a matching certificate but > > > >> + * the signature check cannot be performed. > > > >> + */ > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > >> + const struct key_type *type, > > > >> + const union key_payload *payload, > > > >> + struct key *trust_keyring) > > > >> +{ > > > >> + const struct public_key *pkey; > > > >> + > > > >> + if (type != &key_type_asymmetric) > > > >> + return -EOPNOTSUPP; > > > >> + > > > >> + pkey = payload->data[asym_crypto]; > > > >> + if (!pkey) > > > >> + return -ENOPKG; > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > > > > > > nit: would be more readable, if conditions were separated by > > > > empty lines. > > > > > > Ok, I will make this change in the next round. Thanks. > > > > Cool! Mimi have you tested these patches with IMA applied? > > Yes, it's working as expected. OK, I will pick these. BR, Jarkko
On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > >> based on the key to be added being a CA. > > > >> > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > >> --- > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > >> 2 files changed, 53 insertions(+) > > > >> > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > >> +++ b/crypto/asymmetric_keys/restrict.c 
> > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > >> return ret; > > > >> } > > > >> > > > >> +/** > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > >> + * @dest_keyring: Keyring being linked to. > > > >> + * @type: The type of key being added. > > > >> + * @payload: The payload of the new key. > > > >> + * @trust_keyring: Unused. > > > >> + * > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > >> + * certificate as being ok to link. > > > >> + * > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > >> + * crypto, or some other error if there is a matching certificate but > > > >> + * the signature check cannot be performed. > > > >> + */ > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > >> + const struct key_type *type, > > > >> + const union key_payload *payload, > > > >> + struct key *trust_keyring) > > > >> +{ > > > >> + const struct public_key *pkey; > > > >> + > > > >> + if (type != &key_type_asymmetric) > > > >> + return -EOPNOTSUPP; > > > >> + > > > >> + pkey = payload->data[asym_crypto]; > > > >> + if (!pkey) > > > >> + return -ENOPKG; > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > > > > > > nit: would be more readable, if conditions were separated by > > > > empty lines. > > > > > > Ok, I will make this change in the next round. Thanks. > > > > Cool! Mimi have you tested these patches with IMA applied? > > Yes, it's working as expected. Thank you. 
Please check that I filled additional tags correctly: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/ I will then put these also to my 'next' branch and they will get mirrored to linux-next. BR, Jarkko
On Thu, 2023-03-30 at 02:27 +0300, Jarkko Sakkinen wrote: > On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > > >> based on the key to be added being a CA. > > > > >> > > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > >> --- > > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > > >> 2 files changed, 53 insertions(+) > > > > >> > > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > > >> +++ b/crypto/asymmetric_keys/restrict.c 
> > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > > >> return ret; > > > > >> } > > > > >> > > > > >> +/** > > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > > >> + * @dest_keyring: Keyring being linked to. > > > > >> + * @type: The type of key being added. > > > > >> + * @payload: The payload of the new key. > > > > >> + * @trust_keyring: Unused. > > > > >> + * > > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > > >> + * certificate as being ok to link. > > > > >> + * > > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > > >> + * crypto, or some other error if there is a matching certificate but > > > > >> + * the signature check cannot be performed. > > > > >> + */ > > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > > >> + const struct key_type *type, > > > > >> + const union key_payload *payload, > > > > >> + struct key *trust_keyring) > > > > >> +{ > > > > >> + const struct public_key *pkey; > > > > >> + > > > > >> + if (type != &key_type_asymmetric) > > > > >> + return -EOPNOTSUPP; > > > > >> + > > > > >> + pkey = payload->data[asym_crypto]; > > > > >> + if (!pkey) > > > > >> + return -ENOPKG; > > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > > > > > > > nit: would be more readable, if conditions were separated by > > > > > empty lines. > > > > > > > > Ok, I will make this change in the next round. Thanks. > > > > > > Cool! Mimi have you tested these patches with IMA applied? > > > > Yes, it's working as expected. > > Thank you. 
Please check that I filled additional tags correctly: > > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/ > > I will then put these also to my 'next' branch and they will get mirrored > to linux-next. Thanks, Jarkko. The tags look good.
On Thu, Mar 30, 2023 at 02:01:52AM -0400, Mimi Zohar wrote: > On Thu, 2023-03-30 at 02:27 +0300, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > > > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > > > >> based on the key to be added being a CA. > > > > > >> > > > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > >> --- > > > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > > > >> 2 files changed, 53 insertions(+) > > > > > >> > > > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > > > >> +++ b/crypto/asymmetric_keys/restrict.c 
> > > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > > > >> return ret; > > > > > >> } > > > > > >> > > > > > >> +/** > > > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > > > >> + * @dest_keyring: Keyring being linked to. > > > > > >> + * @type: The type of key being added. > > > > > >> + * @payload: The payload of the new key. > > > > > >> + * @trust_keyring: Unused. > > > > > >> + * > > > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > > > >> + * certificate as being ok to link. > > > > > >> + * > > > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > > > >> + * crypto, or some other error if there is a matching certificate but > > > > > >> + * the signature check cannot be performed. > > > > > >> + */ > > > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > > > >> + const struct key_type *type, > > > > > >> + const union key_payload *payload, > > > > > >> + struct key *trust_keyring) > > > > > >> +{ > > > > > >> + const struct public_key *pkey; > > > > > >> + > > > > > >> + if (type != &key_type_asymmetric) > > > > > >> + return -EOPNOTSUPP; > > > > > >> + > > > > > >> + pkey = payload->data[asym_crypto]; > > > > > >> + if (!pkey) > > > > > >> + return -ENOPKG; > > > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > > > > > > > > nit: would be more readable, if conditions were separated by > > > > > > empty lines. > > > > > > > > > > Ok, I will make this change in the next round. Thanks. > > > > > > > > Cool! Mimi have you tested these patches with IMA applied? 
> > >
> > > Yes, it's working as expected.
> >
> > Thank you. Please check that I filled additional tags correctly:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/
> >
> > I will then put these also to my 'next' branch and they will get mirrored
> > to linux-next.
>
> Thanks, Jarkko. The tags look good.

Hi, sorry for radio silence. I've been transitioning to a new job.

Commits are in my next branch, and I will include them to my PR.

BR, Jarkko
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..48457c6f33f9 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + return 0; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 03c3fb990d59..653992a6e941 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
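Review bot: The kernel-doc above restrict_link_by_ca() in crypto/asymmetric_keys/restrict.c does not match the function body. The body performs no signature check, yet the Returns text describes -ENOPKG as "the signature uses unsupported crypto" and mentions "some other error if there is a matching certificate but the signature check cannot be performed"; in the code -ENOPKG is returned when payload->data[asym_crypto] is NULL, and the -EOPNOTSUPP return for a non-asymmetric key type is not documented. -ENOKEY is also returned when KEY_EFLAG_KEYCERTSIGN is clear or KEY_EFLAG_DIGITALSIG is set, not only when KEY_EFLAG_CA is clear, so the comment should list all three conditions. The description "mark the new certificate as being ok to link" should be reworded as well, since nothing is marked and the function only returns 0. Suggest rewriting the comment from the checks as they stand.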
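Review bot: In include/crypto/public_key.h the #else stub of restrict_link_by_ca(), used when CONFIG_ASYMMETRIC_KEY_TYPE is not reachable, returns 0, which the kernel-doc in restrict.c defines as "accepted". A keyring using this restriction would then accept every key in that configuration, while the real implementation rejects any non-asymmetric type with -EOPNOTSUPP. Suggest either returning an error from the stub (-EOPNOTSUPP would match the real function's answer for keys it cannot evaluate) or adding a comment that explains why accepting is the intended behaviour when asymmetric keys are not built.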