[v3,05/10] KEYS: Introduce a CA endorsed flag

Message ID 20221214003401.4086781-6-eric.snowberg@oracle.com
State New
Headers
Series Add CA enforcement keyring restrictions |

Commit Message

Eric Snowberg Dec. 14, 2022, 12:33 a.m. UTC
  Some subsystems are interested in knowing if a key has been endorsed
as or by a Certificate Authority (CA). From the data contained in struct
key, it is not possible to make this determination after the key
parsing is complete.  Introduce a new Endorsed Certificate Authority
flag called KEY_FLAG_ECA.

The first type of key to use this is X.509.  When a X.509 certificate
has the keyCertSign Key Usage set and contains the CA bit set, this new
flag is set. In the future, other usage fields could be added as flags,
i.e. digitialSignature.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 crypto/asymmetric_keys/x509_public_key.c | 3 +++
 include/linux/key-type.h                 | 2 ++
 include/linux/key.h                      | 2 ++
 security/keys/key.c                      | 8 ++++++++
 4 files changed, 15 insertions(+)
  

Comments

Jarkko Sakkinen Jan. 4, 2023, 11:45 a.m. UTC | #1
On Tue, Dec 13, 2022 at 07:33:56PM -0500, Eric Snowberg wrote:
> Some subsystems are interested in knowing if a key has been endorsed
> as or by a Certificate Authority (CA). From the data contained in struct
> key, it is not possible to make this determination after the key
> parsing is complete.  Introduce a new Endorsed Certificate Authority
> flag called KEY_FLAG_ECA.
> 
> The first type of key to use this is X.509.  When a X.509 certificate
> has the keyCertSign Key Usage set and contains the CA bit set, this new
> flag is set. In the future, other usage fields could be added as flags,
> i.e. digitialSignature.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  crypto/asymmetric_keys/x509_public_key.c | 3 +++
>  include/linux/key-type.h                 | 2 ++
>  include/linux/key.h                      | 2 ++
>  security/keys/key.c                      | 8 ++++++++
>  4 files changed, 15 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index 0b4943a4592b..fd1d7d6e68e7 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
>  		goto error_free_kids;
>  	}
>  

A comment here?

> +	if (cert->kcs_set && cert->root_ca)
> +		prep->payload_flags |= KEY_ALLOC_PECA;
> +
>  	/* We're pinning the module by being linked against it */
>  	__module_get(public_key_subtype.owner);
>  	prep->payload.data[asym_subtype] = &public_key_subtype;
> diff --git a/include/linux/key-type.h b/include/linux/key-type.h
> index 7d985a1dfe4a..0b500578441c 100644
> --- a/include/linux/key-type.h
> +++ b/include/linux/key-type.h
> @@ -36,6 +36,8 @@ struct key_preparsed_payload {
>  	size_t		datalen;	/* Raw datalen */
>  	size_t		quotalen;	/* Quota length for proposed payload */
>  	time64_t	expiry;		/* Expiry time of key */
> +	unsigned int	payload_flags;  /* Proposed payload flags */
> +#define KEY_ALLOC_PECA	0x0001		/* Proposed Endorsed CA (ECA) key */
>  } __randomize_layout;
>  
>  typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
> diff --git a/include/linux/key.h b/include/linux/key.h
> index d27477faf00d..21d5a13ee4a9 100644
> --- a/include/linux/key.h
> +++ b/include/linux/key.h
> @@ -236,6 +236,7 @@ struct key {
>  #define KEY_FLAG_ROOT_CAN_INVAL	7	/* set if key can be invalidated by root without permission */
>  #define KEY_FLAG_KEEP		8	/* set if key should not be removed */
>  #define KEY_FLAG_UID_KEYRING	9	/* set if key is a user or user session keyring */
> +#define KEY_FLAG_ECA		10	/* set if key is an Endorsed CA key */
>  
>  	/* the key type and key description string
>  	 * - the desc is used to match a key against search criteria
> @@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type,
>  #define KEY_ALLOC_BYPASS_RESTRICTION	0x0008	/* Override the check on restricted keyrings */
>  #define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
>  #define KEY_ALLOC_SET_KEEP		0x0020	/* Set the KEEP flag on the key/keyring */
> +#define KEY_ALLOC_ECA			0x0040	/* Add Endorsed CA key */
>  
>  extern void key_revoke(struct key *key);
>  extern void key_invalidate(struct key *key);
> diff --git a/security/keys/key.c b/security/keys/key.c
> index c45afdd1dfbb..e6b4946aca70 100644
> --- a/security/keys/key.c
> +++ b/security/keys/key.c
> @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
>  		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
>  	if (flags & KEY_ALLOC_SET_KEEP)
>  		key->flags |= 1 << KEY_FLAG_KEEP;
> +	if (flags & KEY_ALLOC_ECA)
> +		key->flags |= 1 << KEY_FLAG_ECA;
>  
>  #ifdef KEY_DEBUGGING
>  	key->magic = KEY_DEBUG_MAGIC;
> @@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
>  			perm |= KEY_POS_WRITE;
>  	}
>  
> +	/* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */
> +	if (prep.payload_flags & KEY_ALLOC_PECA)
> +		flags |= KEY_ALLOC_ECA;
> +	else
> +		flags &= ~KEY_ALLOC_ECA;
> +
>  	/* allocate a new key */
>  	key = key_alloc(index_key.type, index_key.description,
>  			cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
> -- 
> 2.27.0
> 

BR, Jarkko
  

Patch

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 0b4943a4592b..fd1d7d6e68e7 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -208,6 +208,9 @@  static int x509_key_preparse(struct key_preparsed_payload *prep)
 		goto error_free_kids;
 	}
 
+	if (cert->kcs_set && cert->root_ca)
+		prep->payload_flags |= KEY_ALLOC_PECA;
+
 	/* We're pinning the module by being linked against it */
 	__module_get(public_key_subtype.owner);
 	prep->payload.data[asym_subtype] = &public_key_subtype;
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7d985a1dfe4a..0b500578441c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -36,6 +36,8 @@  struct key_preparsed_payload {
 	size_t		datalen;	/* Raw datalen */
 	size_t		quotalen;	/* Quota length for proposed payload */
 	time64_t	expiry;		/* Expiry time of key */
+	unsigned int	payload_flags;  /* Proposed payload flags */
+#define KEY_ALLOC_PECA	0x0001		/* Proposed Endorsed CA (ECA) key */
 } __randomize_layout;
 
 typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
diff --git a/include/linux/key.h b/include/linux/key.h
index d27477faf00d..21d5a13ee4a9 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -236,6 +236,7 @@  struct key {
 #define KEY_FLAG_ROOT_CAN_INVAL	7	/* set if key can be invalidated by root without permission */
 #define KEY_FLAG_KEEP		8	/* set if key should not be removed */
 #define KEY_FLAG_UID_KEYRING	9	/* set if key is a user or user session keyring */
+#define KEY_FLAG_ECA		10	/* set if key is an Endorsed CA key */
 
 	/* the key type and key description string
 	 * - the desc is used to match a key against search criteria
@@ -296,6 +297,7 @@  extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_BYPASS_RESTRICTION	0x0008	/* Override the check on restricted keyrings */
 #define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
 #define KEY_ALLOC_SET_KEEP		0x0020	/* Set the KEEP flag on the key/keyring */
+#define KEY_ALLOC_ECA			0x0040	/* Add Endorsed CA key */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
diff --git a/security/keys/key.c b/security/keys/key.c
index c45afdd1dfbb..e6b4946aca70 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -305,6 +305,8 @@  struct key *key_alloc(struct key_type *type, const char *desc,
 		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
 	if (flags & KEY_ALLOC_SET_KEEP)
 		key->flags |= 1 << KEY_FLAG_KEEP;
+	if (flags & KEY_ALLOC_ECA)
+		key->flags |= 1 << KEY_FLAG_ECA;
 
 #ifdef KEY_DEBUGGING
 	key->magic = KEY_DEBUG_MAGIC;
@@ -929,6 +931,12 @@  key_ref_t key_create_or_update(key_ref_t keyring_ref,
 			perm |= KEY_POS_WRITE;
 	}
 
+	/* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */
+	if (prep.payload_flags & KEY_ALLOC_PECA)
+		flags |= KEY_ALLOC_ECA;
+	else
+		flags &= ~KEY_ALLOC_ECA;
+
 	/* allocate a new key */
 	key = key_alloc(index_key.type, index_key.description,
 			cred->fsuid, cred->fsgid, cred, perm, flags, NULL);