Message ID | 20230508220708.2888510-1-eric.snowberg@oracle.com |
---|---|
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2468093vqo; Mon, 8 May 2023 15:24:55 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6Njci+F9B8U0ebKPkdWm9Hm1Ep1TuRCH1JnrTAO0D8Tbw5OcXCiDvkJsT41NimutTFMlgY X-Received: by 2002:a05:6a00:1907:b0:643:b081:3428 with SMTP id y7-20020a056a00190700b00643b0813428mr13597020pfi.27.1683584694903; Mon, 08 May 2023 15:24:54 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1683584694; cv=pass; d=google.com; s=arc-20160816; b=NtNtomhTVdrHDyjs5sYYPVe/bnlS/nHp+BPw225ffclUUOxHNg1ysmbLaiz6XwZER2 BvtGqPbKtLLE76URihBEqltSw8QPADeh+hshVu7n/98ZQikaTi3ibYtrs/ZQJEagD1gY PPw8JBXtiRR7CkbtHZSX2uGCV4TobljOW8+kicXwqKm9SvmzT1aXxj+6ZMIOXXXEiaWc 1M8TJWBZLVmv6PMcmF6aimCrgmDWqcj2yPTWzjovbALXGW2a5fJsweja5G8cROGqKj1d xlFbIiER45jloWo2qo+OyxUZ3O/boT8ZCvOLgoHgJtcN72mUNpIp1fxnedePsPeT3siY Re1w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature; bh=+ZxuZqLtwXycLB/M1RtKBPVWf60cLeT/zgVQFmTG5X4=; b=PgEgx7Wc9SBAsRdoW2ZCY+3YG0iyzS2Y1awPFD0ceVRGBbE66pO4vPocfn+z28tI+j EpP0haYjFp3bzoLuEdo7dC0iFrWO6vAxOpW3CzlclUcpo2n713P1ZcKeeohjl/pd6jP5 KGNiNT+ul4qRXZCHoW4kWwobPMkLGzN5ed1BIMfILa13+TID3/aMH82qPIv1L9C6QMU+ H9rlE4j+lZVS23WdlDjNuqpNhzBF08LIEUOnugiDYsz3MZfY4VofgokPnQACJ84nuMyf NJZIk6uGXeewz1LmcronA36+XRcLXFbdcCjv6wedZ7odr93l2iTVMbc/QeNqLMK0gN3s dtaA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2023-03-30 header.b="DUS+JU/e"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=V0BqcYUJ; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r8-20020aa79ec8000000b0063b645b66f1si829334pfq.193.2023.05.08.15.24.37; Mon, 08 May 2023 15:24:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2023-03-30 header.b="DUS+JU/e"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=V0BqcYUJ; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233821AbjEHWLQ (ORCPT <rfc822;jeantsuru.cumc.mandola@gmail.com> + 99 others); Mon, 8 May 2023 18:11:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230025AbjEHWLN (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 8 May 2023 18:11:13 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A60A159DA; Mon, 8 May 2023 15:11:11 -0700 (PDT) Received: from pps.filterd (m0246630.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 348JOwwd013547; Mon, 8 May 2023 22:10:38 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : content-type : mime-version; s=corp-2023-03-30; bh=+ZxuZqLtwXycLB/M1RtKBPVWf60cLeT/zgVQFmTG5X4=; b=DUS+JU/e+XgzwNRJ75FHn2+WN5ea7fwfMgbMNN9yhJmkFuPGcsk2ECPdCMVVonoO1Xhu kl5JvdKSWAfx4x7+yfWl1eftKQBdhNLXMugFOnMFzvESP1k75PZaZ8nx7/WabhKd6th3 LBMEVMNcD1KrEzE3fA9SPl4dpD6QgL6jlzLoWe2CY6ggmGZ7B57yZdjGp1ne1KFzWQ30 JBMQnuvsZcvn+sl0C5gvu2FAzQ9JLJ3ItKNoZ16Uvs5L7fM5+jhentqv7w7Ii3P2oG/p 3NABpeyBPh8Vp+i+/fXUmzMKJZs12xbpRNSa+iTl9uAeKUg0mSs2Dpm8NIWHXhcNxg8o Dg== Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qf776g9hk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:37 +0000 Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 348KFEMV032711; Mon, 8 May 2023 22:10:36 GMT Received: from nam04-dm6-obe.outbound.protection.outlook.com (mail-dm6nam04lp2042.outbound.protection.outlook.com [104.47.73.42]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3qf7y33djk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 08 May 2023 22:10:36 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PWjFArz844utkT/MGt8XfcILnxcPtT40g8RJn9baqMvJAf6JupS2NhS9NIrhYgeE3bPCTc1y7r+yG8cZ5mABKKDrRSba+OwE3hxaqQ2uHOcj2EigBGbDTaM4K2JdN03Myozd6jsQiE0PmLLSFw6g0RwH7ditz8ISRfpApYNs8X/bonAKfHuOhNoHfpqWzWiK3tGvHxRIXZHKLPO+rLWhCt7J/CiOCNYbDmyhyCusKqNF3Ra9bGBZq1VJT0R6KJRDTC2BICJW3r7pwyizy2qvJNCJue5IMi+CHZ6MSU+m3ui16L/22IePHIhffPY7rZCLu1icGq4mfDq50sUq0Gh4qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+ZxuZqLtwXycLB/M1RtKBPVWf60cLeT/zgVQFmTG5X4=; b=g1AAzTVdTXzcaoLWsQRNLVvn+F+/f6/BxeDfX6ggeavnHhCRhr7XZzTgw3KJQF/CAVlK5uVLVew3zQ28uKD9LDD+9H6JWJoc+voVOxJgZEfU96ZSYS/7SZlKzCxYkb54krw2XIAJhu4pbte2Gu2rjoq1o/gv6i0rdpi/4H9mplxv0PruRmA3DQPIzUEkCSR0WHJ5uhtycSFkLv4dKiI/kT/omBUn4k7xFp3MkMLRhXNnIYAQcbnDDT1XgmKsbSIgrK3StAWEqSe91uX5txJyGtqEP0A6wMWqXqsGZ/O2lc42c4sPHKREVSA02/Hhec6gpCvtDD1xu7fa4TiEM98VLA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+ZxuZqLtwXycLB/M1RtKBPVWf60cLeT/zgVQFmTG5X4=; b=V0BqcYUJ+PyqRO7PuIWQKCZL319DwSobeW7M6K8VT9RNiCgANV/kfqIRRbK9GtLtZdQAIAk6cTlq6ZeUnTxwX1YGeAPt0m7RgIV8/RDhjN4WLihpfLHAdD+mFby8u8UaB4/yPwxC9FY2zmmsQkZ1DRKpeXpo2U2zVR0+7Pad+dE= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DS0PR10MB7065.namprd10.prod.outlook.com (2603:10b6:8:143::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.31; Mon, 8 May 2023 22:10:34 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::d074:eba3:3b2b:b48e%4]) with mapi id 15.20.6363.032; Mon, 8 May 2023 22:10:34 +0000 From: Eric Snowberg <eric.snowberg@oracle.com> To: zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 0/3] Add digitalSignature enforcement keyring restrictions Date: Mon, 8 May 2023 18:07:05 -0400 Message-Id: <20230508220708.2888510-1-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: BY5PR17CA0012.namprd17.prod.outlook.com (2603:10b6:a03:1b8::25) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|DS0PR10MB7065:EE_ X-MS-Office365-Filtering-Correlation-Id: def0739b-f166-4ed9-e884-08db50110b9e X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: eoptKVhOkypKruF8X600P/6BuTdrrDSbsZVewSFDGjLc8mqhvaw9pxL4G5WtZaJF9aBix9R4uALHsUqB20WAn0po1F83YQqGKjbglLrv5vF56qnVRK8VkLcuaKlcPrTLkg2vfJuvaNURYjkXPDMB6o7oaOg6SdMZGpBdMr4xr/RIYta9i4aZfY76djcvq82cSph9yF3QXvK0/vAlqM3W3w3kYi30MS+8FHHMq+Kgqe0fDv6G9qWN7W2YJMiimXeyPSdM3U/L09sT2e15Q+O1w6rjK2FB+X1bZHbKlHOmI8xEk03mIwq+bStM5sCr7/1fXQUVmWnwhv+QW8PNNsBA5nDAth59gzUKPF5zLlKx3lEY18lAc65CUVbRHzdT2z0cf3pojZ/dglosYJjoeuJ6SEcWeR9pFafaAMN3BBVVTpjhlyo869H8SgB6QT+pcPr3dmNea6JqXTh2sXFnwrA/JPNf4nupnNqi2Xtxk9opSD56oZNUkL7h3ADm/kwAvP7IegWs2Hjil3pHApckmq44tszXZ9m6eUEcDX9f8yn7KhMzqjF7ZXB2gBFjSao1eRHSERijsN9RzcE8AyLsRANL+w== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(136003)(376002)(396003)(346002)(39860400002)(366004)(451199021)(83380400001)(2616005)(186003)(2906002)(38100700002)(36756003)(86362001)(6486002)(8936002)(8676002)(966005)(316002)(41300700001)(6666004)(5660300002)(44832011)(7416002)(478600001)(66556008)(66946007)(66476007)(6506007)(1076003)(6512007)(4326008);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: SkgkzXU7p3AsVznC+r0qr1XZq4GQVEHOgUCglZTjJNfjplpEHTrr5QMYRq/LKH2TdH52TCIUTQ73kgEcQNt+kEJPEqouVvXu52yNGmdZMNszMJyr66SBo3aplJaHKaaVckwTdTKORoYSIg/vs7/m0WBSGMqpBrsn3c+wB+hloYCW19DwYOP6NCvsThlky6z2eV0hJwcKnzf1DYXoYZeUP0nOR/jpyVkgrAql5J1aZIon+0zQHFBUfiFUx2nKMsNj6rRvqsZx6tBUxIgKq6XN/xCjgGp4cYsu5+hERk3AEgcuw4b7yS4bLbMpugDhT4fEf97uUnMnZZZLtqvvdKUpy+2/LnaNhi4lVzxXBSyvWgAt0SKj4RSB2UHxHBt1wxOEuExEIop74R04TXsZ9ZEJjSHdtvKMUzpbXv4PUzAewbVmIgUWidDo9jTwu1SHRMOBC6CDi0exqKyr/MGflMUkg37EhUJ2HvcYngulaRFRsbwoA7YpvTpxfgsvHs+7w7WAiYuCAvwZNV42rMk1Cdc68gvcaMWIgjnM/6suxa/rVUNMkxA/UZuhrvzODHF2sIXhdTh/1k4gDZFmCipeUvkQCIyktTqKph9hz97dV9NodiCSM8lHX4yBcTQPD/n5AITc3OGUhuAB5zUUhRDXeq40ePBE7lRxipkYm89W3KbdX8TicXswNBGGxOI1UKd/dMpUw8Iri5V9OguuT/4y3RnrxIPZfaifGfyvYhLGYI8+Dm2kBBiredM+wWXAYstoq+TQeVzrsF9N/NVZJfQBO/a2W+M7baFE/D9bHz2n535R4Oa7OMBdWAlaLE0/tUTyrCoqzvKQt/3xUk+KaLdH86gKmF3FTyiLitHFYkky0I61U32fPiXQlOJS2lUWzmWjHfZErB5kg4UvsWnlbE3lXQYg8a1g//9LekmGDbMezZl24r+Lqpum+g4jN/tWxIcpknWsfjyyi7MgK1J04nuHFmtmYrAyxgN4Khb6fBp0qACy+7AEDJxiJax5OfSH4DM14lq9xtOVjFVN54PG+a7TU0+zUm0QZDixIDgdhumrrlCP/rjDu4UzGmZh957gc8IWToOAfNqqqVasipsPxwL+t5l9+9Du7Ymi3kggd7qHoAU30+JRPxIfCRfavwDZdMZpY7ulz6Vgko+qnLvbvTx3pZtMAUNK358RpVZkUCsKA6CQe4/+igqHuUhfmTfUXLwpPKIYTTVvpCgKpgh+ISVZIx67xV+ykAFP9f9XENsoGpo/p/6B/PYvNYbFiIcAtLP8+Au/te32FWttA+6NkygkaoNA1Pghd5kfC8Zz94bkonre+QhfzBavCW44ikFgj4IBF6UDXhUoDhOG5Lf78WR13qdrM6uuEWUquO6JizEqUqIVkiSHkDYVYsx32wOmYRVSk1hT4vvXIHf3KqJb2BlrULxHI/yyvhg+LizPx4w6HT6eRkTfY830fqW0kAeaezMvGSKLCvc7pv/bQDhaIBrdI1rfpdxy6QBf9/GOTK8dREtERQx/EHr0CyAWX9ShP4mS/BET2VgmzZRjdWUa7nEziXiupo/J8FEOxpoM8qfAyaZqLzaZNlhJ8CMphvqUS03IwjeZ8IP6EnnvF92U1z6lpxfEBWtdT9ILzRzjbkm4sa9W/X8= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: we1bmI1i4FCf2eVJGPibHnJFrikNxbm5Plfbgn04OyBZ6QcpJRl6wx1i1lSwiLK5Vt/xc74jjRZROIh3iDgnAIUMxPW86u/pneUQc6k8BnL+HK7dAMgcpxA4o1RjcchMYaAQrv+CS1b5zTCLoqB1aISpnHKIFVhVW/Rj4ktRE+VP9egmqh+agh/LrcK7hNFfplNaMQzCnKRD7qVZ+wb0b1zxj7eel89TYayZFx+tCjIC5vcFLSpiQuLD8Sehu3VFdw43yejpfyomwARv1MwPUCBA1wEDz/V4wV5E23zja5XfviYi7zlTM5HqjKHXl28X5y2RfE/2yLRbkOINtNaAn3A+oZNtzo8lc8N+45hyFxIfxMq42mqX5piFuhWzNFFa7+eb080SaO/vctFav5zuOqF3meAXgaCTuYmYew998V8Ybao/rzV8VHoszv9CTeR+aoffZgkwoKMTWK7lSNkp03XA9YbbSy2ABAaw9cWLOh/5zbrhDSOBlwfoPk4WEeRmqpjN6f+7B3o1H+Z0nxoq/hy+HfsaWoyYGFeuffuwuGEi/XOJNG8zzqwcT5H1al/SOSzqq2jnUKq1FxAylZptKSqVyF4JNucuoJ9yFZMwGU3xCo1GsxwGfJ0r+ajYLH3sRIwGYfxn6Jo9JAWcApduDQorcU97dLxSQsvjHN7UWr1ObNXdMpbkJaoovPoL8hFz3ko6kRx8cvxfZIVaXwd3Hp6+sPAPHiZM/jMy0N1FRGQAGTh69L3YYOD3umPyxHyQZ+YNTRioJD4aDBrp+wu0MfO7kc0NBuqYOI/XXzlFdjZnFRbtoDXpXQjSFDRFMTEOGEhs/MQOVIIhEGUtNK8R2y//Om7mYbn+8IZCgxL2Ni7bfWzTv9C+EuyEHOSw+Vb4dwqVBem0xMD4BvA1EhOFqKWamvRMcj4I60rLZMHV9d8MhDHc26EGLH4CpbjfaG7bERfru8eAAKVbwNMaQcpOxWnp0gaBA6jN835CDIQnqu+8tNeHmpUmxagzOZFhemze+/P6hhbHn83SoYJbZGyowRtFAmPap6f9DC0/Aul6jS2E5mAhRgl8I5Qx/FtmzKQag90meExVcU0f9wm9NfzqnMRYa6+sImthxJgEnMdPAj0= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: def0739b-f166-4ed9-e884-08db50110b9e X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 May 2023 22:10:34.4937 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: UPNFY22FNh9eMoXd7QM3hPtT13o1/bABfjgnk9PYJ21YrqHhWTo7fiT+fJroWaSAQ5veOjQJyhoNpYb15vBg0r+d3elmDmWvP4WVBo3+B1o= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR10MB7065 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-08_16,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 mlxlogscore=729 phishscore=0 adultscore=0 bulkscore=0 spamscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305080146 X-Proofpoint-ORIG-GUID: dtFdIMDS-5q4rWrvjJ0jv3XZgwjpqJA- X-Proofpoint-GUID: dtFdIMDS-5q4rWrvjJ0jv3XZgwjpqJA- X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1765366505019026650?= X-GMAIL-MSGID: =?utf-8?q?1765366505019026650?= |
Series |
Add digitalSignature enforcement keyring restrictions
|
|
Message
Eric Snowberg
May 8, 2023, 10:07 p.m. UTC
X.509 certificates may contain a key usage extension [1]. The key usage extension defines the purpose of the certificate. One area of interest is the digitalSignature. The digitalSignature usage is typically used for code signing (integrity). Within the "Add CA enforcement key restrictions" [2] series, the digitalSignature is being saved. This series builds upon the previous one and adds restrictions based on the digitalSignature usage. A new keyring restriction called restrict_link_by_digsig is added. The new restriction only allows keys that contain digitalSignature usage within it. The first two keyrings to use this restriction are the .ima and .evm keyrings. With this update, only keys containing a digitalSignature will be allowed in either keyring. 1. https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 2. https://lore.kernel.org/all/20230329220231.h6afgarrvdlwwdjc@kernel.org/T/ Eric Snowberg (3): KEYS: DigitalSignature link restriction integrity: Enforce digitalSignature usage in the ima and evm keyrings integrity: Remove EXPERIMENTAL from Kconfig certs/system_keyring.c | 52 +++++++++++++++++++++++++++++++ crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++ include/crypto/public_key.h | 11 +++++++ include/keys/system_keyring.h | 11 +++++++ security/integrity/digsig.c | 4 +-- security/integrity/evm/Kconfig | 3 +- security/integrity/ima/Kconfig | 5 +-- 7 files changed, 125 insertions(+), 5 deletions(-) base-commit: ac9a78681b921877518763ba0e89202254349d1b
Comments
On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote: > X.509 certificates may contain a key usage extension [1]. The key usage > extension defines the purpose of the certificate. One area of > interest is the digitalSignature. The digitalSignature usage is > typically used for code signing (integrity). > > Within the "Add CA enforcement key restrictions" [2] series, the > digitalSignature is being saved. This series builds upon the previous > one and adds restrictions based on the digitalSignature usage. > > A new keyring restriction called restrict_link_by_digsig is added. The new > restriction only allows keys that contain digitalSignature usage within > it. > > The first two keyrings to use this restriction are the .ima and .evm > keyrings. With this update, only keys containing a digitalSignature > will be allowed in either keyring. ... and disallowed if not (for completeness)? Maybe you want to say that "With this update, keys can be filtered based on digitalSignature"? I know, it is only cover letter, not a big deal... > > 1. https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 > 2. https://lore.kernel.org/all/20230329220231.h6afgarrvdlwwdjc@kernel.org/T/ > > Eric Snowberg (3): > KEYS: DigitalSignature link restriction > integrity: Enforce digitalSignature usage in the ima and evm keyrings > integrity: Remove EXPERIMENTAL from Kconfig > > certs/system_keyring.c | 52 +++++++++++++++++++++++++++++++ > crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++ > include/crypto/public_key.h | 11 +++++++ > include/keys/system_keyring.h | 11 +++++++ > security/integrity/digsig.c | 4 +-- > security/integrity/evm/Kconfig | 3 +- > security/integrity/ima/Kconfig | 5 +-- > 7 files changed, 125 insertions(+), 5 deletions(-) > > > base-commit: ac9a78681b921877518763ba0e89202254349d1b > -- > 2.27.0 BR, Jarkko