From patchwork Wed Dec 7 17:12:29 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 30947
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 01/10] KEYS: Create static version of public_key_verify_signature
Date: Wed, 7 Dec 2022 12:12:29 -0500
Message-Id: <20221207171238.2945307-2-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined.
Create a static version in this case and return -EINVAL.

Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
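Review bot: The fallback stub's `return -EINVAL;` gives callers an errno they cannot tell apart from a malformed key or signature; when the asymmetric public-key subtype is simply not reachable, -ENOPKG (which the X.509 and PKCS#7 code already return for unsupported algorithms) would say why verification failed and let callers log or fall back accordingly. Two smaller points on the same hunk: the commit message should state that IS_REACHABLE() also selects the stub when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is =m and the caller is built-in, so such callers silently take the error path; and since the stub now uses an errno constant, confirm that the header includes <linux/errno.h> rather than relying on a transitive include (the include list is outside the hunk).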
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 02/10] KEYS: Add missing function documentation
Date: Wed, 7 Dec 2022 12:12:30 -0500
Message-Id: <20221207171238.2945307-3-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>

Compiling with 'W=1' results in warnings that 'Function parameter or member not described'. Add the missing parameters for restrict_link_by_builtin_and_secondary_trusted and restrict_link_to_builtin_trusted. Use /* instead of /** for get_builtin_and_secondary_restriction, since it is a static function.

Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
---
 certs/system_keyring.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..250148298690 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring. @@ -51,6 +55,10 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring * addition by both builtin and secondary keyrings + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */
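Review bot: The commit message calls the function restrict_link_to_builtin_trusted, but the first hunk (@@ -33,7 +33,11 @@) itself corrects the kernel-doc title to restrict_link_by_builtin_trusted, the name in the prototype visible in the second hunk's context line; update the message to use the real name and call out the title fix, since the mismatched title is what kept kernel-doc from associating the block with the function in the first place.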
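Review bot: In the second hunk (@@ -51,6 +55,10 @@) the vouching keyring is documented as `@restrict_key`, while the first hunk documents the same role as `@restriction_key`; kernel-doc checks each @name against the prototype, so each spelling must match its own function's actual parameter name or the W=1 warning merely changes wording. If the two functions really do use different names for the same argument, it is worth saying so in the commit message, and unifying the parameter names (restriction_key in both) in a follow-up would keep the two doc blocks parallel.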
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA
Date: Wed, 7 Dec 2022 12:12:31 -0500
Message-Id: <20221207171238.2945307-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Parse the X.509 Basic Constraints.

The basic constraints extension identifies whether the subject of the certificate is a CA.
    BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the x509_certificate. This will be used in a follow-on patch that requires knowing if the public key is a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 crypto/asymmetric_keys/x509_parser.h      | 1 +
 2 files changed, 10 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 7a9b084e2043..b4443e507153 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -586,6 +586,15 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_basicConstraints) {
+		if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
+			return -EBADMSG;
+		if (v[1] != vlen - 2)
+			return -EBADMSG;
+		if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1)
+			ctx->cert->root_ca = true;
+	}
+
 	return 0;
 }
 
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index a299c9c56f40..7c5c0ad1c22e 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -38,6 +38,7 @@ struct x509_certificate {
 	bool		self_signed;		/* T if self-signed (check unsupported_sig too) */
 	bool		unsupported_sig;	/* T if signature uses unsupported crypto */
 	bool		blacklisted;
+	bool		root_ca;		/* T if basic constraints CA is set */
 };
 
 /*
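Review bot: in the new OID_basicConstraints branch, `v[3] == 1` tests the BOOLEAN's length octet, not its value. The cA value is the octet after it (v[4], which DER encodes as 0xff for TRUE), so an extension that explicitly encodes `cA FALSE` as `01 01 00` passes this check and sets root_ca. Suggest requiring `vlen >= 5` and testing the value octet, e.g. `v[2] == ASN1_BOOL && v[3] == 1 && v[4] != 0` (or `== 0xff` for strict DER), and a comment noting that when cA is absent the SEQUENCE can instead start with the INTEGER pathLenConstraint.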
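Review bot: the field name `root_ca` claims more than the parser has established: the Basic Constraints cA bit is also set on intermediate CAs, and the branch that sets it never looks at self_signed. A name such as `is_ca`, or a comment stating that the flag only mirrors the cA bit and that the root decision is made by the consumer, would keep readers from treating it as proof of a root certificate.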
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 04/10] KEYS: X.509: Parse Key Usage
Date: Wed, 7 Dec 2022 12:12:32 -0500
Message-Id: <20221207171238.2945307-5-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Parse the X.509 Key Usage.

The key usage extension defines the purpose of the key contained in the certificate.

    id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

    KeyUsage ::= BIT STRING {
        digitalSignature        (0),
        contentCommitment       (1),
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8) }

If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow-on patch that requires knowing the certificate key usage type.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++
 crypto/asymmetric_keys/x509_parser.h      |  1 +
 2 files changed, 23 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index b4443e507153..edb22cf04eed 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,28 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_keyUsage) {
+		/*
+		 * Get hold of the keyUsage bit string to validate keyCertSign
+		 * v[1] is the encoding size
+		 *	(Expect either 0x02 or 0x03, making it 1 or 2 bytes)
+		 * v[2] is the number of unused bits in the bit string
+		 *	(If >= 3 keyCertSign is missing)
+		 * v[3] and possibly v[4] contain the bit string
+		 * 0x04 is where KeyCertSign lands in this bit string (from
+		 * RFC 5280 4.2.1.3)
+		 */
+		if (v[0] != ASN1_BTS)
+			return -EBADMSG;
+		if (vlen < 4)
+			return -EBADMSG;
+		if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04))
+			ctx->cert->kcs_set = true;
+		else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04))
+			ctx->cert->kcs_set = true;
+		return 0;
+	}
+
 	if (ctx->last_oid == OID_authorityKeyIdentifier) {
 		/* Get hold of the CA key fingerprint */
 		ctx->raw_akid = v;
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 7c5c0ad1c22e..74a9f929e400 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -39,6 +39,7 @@ struct x509_certificate {
 	bool		unsupported_sig;	/* T if signature uses unsupported crypto */
 	bool		blacklisted;
 	bool		root_ca;		/* T if basic constraints CA is set */
+	bool		kcs_set;		/* T if keyCertSign is set */
 };
 
 /*
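Review bot: in the new OID_keyUsage branch, `v[0]` is read before `vlen` has been checked, and, unlike the basicConstraints branch, the length octet `v[1]` is never compared with `vlen - 2`, so a value whose declared length disagrees with the extension length is accepted. Suggest doing the size checks first and tying them together, e.g. `if (vlen < 4 || vlen > 5 || v[1] != vlen - 2) return -EBADMSG;` ahead of `if (v[0] != ASN1_BTS)`; the `vlen > 4` test in the else branch then becomes redundant, and the 2-octet case should also bound `v[2]` to at most 7.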
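The BasicConstraints and KeyUsage encodings described in the commit messages of patches 03 and 04 above, as an added example that is not part of this series or of the kernel's parser: a small DER decoder for both extension values that walks the TLVs and checks the BOOLEAN's value octet, the BIT STRING's unused-bit count and the length consistency. Function, constant and sample names are my own, the tag values come from X.690, and the sample encodings are constructed; like the kernel hunks, it takes only the already extracted extension value (v, vlen).

```c
/*
 * Added example, not kernel code: decode the BasicConstraints SEQUENCE and the
 * KeyUsage BIT STRING from raw DER extension values by walking the TLVs, so an
 * explicitly encoded cA FALSE, a length octet that disagrees with vlen, and a
 * keyCertSign bit that falls inside the unused-bit region are all handled.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASN.1 universal tags from X.690 (hypothetical names, not kernel macros) */
#define TAG_BOOL 0x01
#define TAG_INT  0x02
#define TAG_BTS  0x03
#define TAG_SEQ  0x30		/* constructed bit | SEQUENCE */

struct tlv {
	uint8_t tag;
	const uint8_t *val;	/* content octets */
	size_t len;		/* content length */
	size_t total;		/* header + content length */
};

/* Parse one short-form DER TLV at p[0..n). Neither extension can exceed 127
 * content octets, so a long-form length (0x80 bit set) is treated as malformed. */
static bool der_tlv(const uint8_t *p, size_t n, struct tlv *out)
{
	if (n < 2 || p[1] >= 0x80 || p[1] > n - 2)
		return false;
	out->tag = p[0];
	out->val = p + 2;
	out->len = p[1];
	out->total = 2 + (size_t)p[1];
	return true;
}

/* BasicConstraints: 1 if cA is TRUE, 0 if FALSE or absent, -1 if malformed. */
int parse_basic_constraints(const uint8_t *v, size_t vlen)
{
	struct tlv seq, b;

	if (!der_tlv(v, vlen, &seq) || seq.tag != TAG_SEQ || seq.total != vlen)
		return -1;
	if (seq.len == 0)		/* SEQUENCE {}: cA takes its DEFAULT, FALSE */
		return 0;
	if (!der_tlv(seq.val, seq.len, &b))
		return -1;
	if (b.tag == TAG_INT)		/* only pathLenConstraint is present */
		return 0;
	if (b.tag != TAG_BOOL || b.len != 1)
		return -1;
	/* The value octet follows the length octet: DER TRUE is 0xff, FALSE 0x00. */
	if (b.val[0] == 0xff)
		return 1;
	return b.val[0] == 0x00 ? 0 : -1;
}

/* KeyUsage: 1 if keyCertSign (bit 5) is set, 0 if not, -1 if malformed. */
int parse_key_usage_kcs(const uint8_t *v, size_t vlen)
{
	struct tlv bs;
	unsigned int unused;

	if (!der_tlv(v, vlen, &bs) || bs.tag != TAG_BTS || bs.total != vlen || bs.len < 1)
		return -1;
	unused = bs.val[0];		/* first content octet: unused trailing bits */
	if (unused > 7)
		return -1;
	if (bs.len == 1)		/* empty bit string: no usage bits at all */
		return unused == 0 ? 0 : -1;
	/* DER requires the unused bits of the last octet to be zero, which also
	 * makes a keyCertSign bit inside the unused region a parse error. */
	if (bs.val[bs.len - 1] & ((1u << unused) - 1))
		return -1;
	/* Bit 0 is the MSB of the first octet, so bit 5 (keyCertSign) is 0x04. */
	return (bs.val[1] & 0x04) ? 1 : 0;
}

/* Constructed sample encodings, not taken from any real certificate. */
const uint8_t BC_TRUE[]           = { 0x30, 0x03, 0x01, 0x01, 0xff };
const uint8_t BC_EXPLICIT_FALSE[] = { 0x30, 0x03, 0x01, 0x01, 0x00 };
const uint8_t BC_PATHLEN_ONLY[]   = { 0x30, 0x03, 0x02, 0x01, 0x00 };
const uint8_t BC_TRUNCATED[]      = { 0x30, 0x03, 0x01, 0x01 };
const uint8_t KU_KCS_CRL[]        = { 0x03, 0x02, 0x01, 0x06 };		/* keyCertSign, cRLSign */
const uint8_t KU_DIGSIG[]         = { 0x03, 0x02, 0x07, 0x80 };		/* digitalSignature only */
const uint8_t KU_TWO_OCTETS[]     = { 0x03, 0x03, 0x07, 0x04, 0x80 };	/* keyCertSign, decipherOnly */
const uint8_t KU_BAD_UNUSED[]     = { 0x03, 0x02, 0x03, 0x04 };		/* bit 5 set but declared unused */

int main(void)
{
	printf("cA TRUE             -> %d\n", parse_basic_constraints(BC_TRUE, sizeof(BC_TRUE)));
	printf("explicit cA FALSE   -> %d\n", parse_basic_constraints(BC_EXPLICIT_FALSE, sizeof(BC_EXPLICIT_FALSE)));
	printf("keyCertSign|cRLSign -> %d\n", parse_key_usage_kcs(KU_KCS_CRL, sizeof(KU_KCS_CRL)));
	printf("bit 5 in unused     -> %d\n", parse_key_usage_kcs(KU_BAD_UNUSED, sizeof(KU_BAD_UNUSED)));
	return 0;
}
```

The explicit-FALSE and bad-unused-bits vectors are the two inputs on which a check that looks only at the BOOLEAN's length octet, or only at the 0x04 bit, gives the wrong answer.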
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 05/10] KEYS: Introduce a CA endorsed flag
Date: Wed, 7 Dec 2022 12:12:33 -0500
Message-Id: <20221207171238.2945307-6-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Some subsystems are interested in knowing if a key has been endorsed as a Certificate Authority (CA).
From the data contained in struct key, it is not possible to make this determination after the key parsing is complete. Introduce a new Endorsed Certificate Authority flag called KEY_FLAG_ECA.

The first type of key to use this is X.509. When an X.509 certificate is self-signed, has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set. In the future, other usage fields could be added as flags, e.g. digitalSignature.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_public_key.c | 3 +++
 include/linux/key-type.h                 | 2 ++
 include/linux/key.h                      | 2 ++
 security/keys/key.c                      | 8 ++++++++
 4 files changed, 15 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 0b4943a4592b..64cffedc4dd0 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 		goto error_free_kids;
 	}
 
+	if (cert->kcs_set && cert->self_signed && cert->root_ca)
+		prep->payload_flags |= KEY_ALLOC_PECA;
+
 	/* We're pinning the module by being linked against it */
 	__module_get(public_key_subtype.owner);
 	prep->payload.data[asym_subtype] = &public_key_subtype;
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7d985a1dfe4a..0b500578441c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -36,6 +36,8 @@ struct key_preparsed_payload {
 	size_t		datalen;	/* Raw datalen */
 	size_t		quotalen;	/* Quota length for proposed payload */
 	time64_t	expiry;		/* Expiry time of key */
+	unsigned int	payload_flags;	/* Proposed payload flags */
+#define KEY_ALLOC_PECA	0x0001	/* Proposed Endorsed CA (ECA) key */
 } __randomize_layout;
 
 typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
diff --git a/include/linux/key.h b/include/linux/key.h
index d27477faf00d..21d5a13ee4a9 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -236,6 +236,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */ /* the key type and key description string * - the desc is used to match a key against search criteria @@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..e6b4946aca70 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_ECA) + key->flags |= 1 << KEY_FLAG_ECA; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; 
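Review bot: in the key_alloc() hunk, `if (flags & KEY_ALLOC_ECA) key->flags |= 1 << KEY_FLAG_ECA;` honours the flag from whichever caller passes it, while the comment in the following key_create_or_update() hunk says the flag may only be set from preparser contents; key_alloc() is an exported interface with callers other than key_create_or_update(), so the invariant is enforced on one path only. Either state in key.h next to `#define KEY_ALLOC_ECA 0x0040` that it is reserved for key_create_or_update() and must not be passed by other callers, or have key_alloc() accept the endorsement only through an argument that cannot be forged by an arbitrary caller.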
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_PECA) + flags |= KEY_ALLOC_ECA; + else + flags &= ~KEY_ALLOC_ECA; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL);

From patchwork Wed Dec 7 17:12:34 2022
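Review bot: the `flags |= KEY_ALLOC_ECA` / `flags &= ~KEY_ALLOC_ECA` block sits directly before the "allocate a new key" call, so it only runs on the create path of key_create_or_update(); when the function instead finds an existing key and updates its payload, a key that already carries KEY_FLAG_ECA keeps it even if the replacement payload would not qualify, and one without it never gains it. Either recompute the flag on the update path from the new payload's payload_flags, or document that the endorsement is fixed at creation and cannot change through update. The comment "Only allow KEY_ALLOC_ECA flag to be set by preparser contents" would also read better as "KEY_ALLOC_ECA is derived solely from the preparsed payload; ignore any caller-supplied value", which is what the two branches actually do.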
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 06/10] KEYS: Introduce keyring restriction that validates ca trust
Date: Wed, 7 Dec 2022 12:12:34 -0500
Message-Id: <20221207171238.2945307-7-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring.
Add a new restriction called restrict_link_by_ca_and_signature that both vouches for the new key and validates the vouching key is an endorsed certificate authority. Two new system keyring restrictions are added to use restrict_link_by_ca_and_signature. The first restriction called restrict_link_by_ca_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_ca_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring. Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 18 ++++++++++++++ crypto/asymmetric_keys/restrict.c | 41 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++++ include/keys/system_keyring.h | 12 ++++++++- 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 250148298690..af5094ce9bcb 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -51,6 +51,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_ca_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring 
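Review bot: restrict_link_by_ca_builtin_trusted() is added without a kerneldoc block and without a blank line before the following `#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING`, whereas the neighbouring restrict_link_by_builtin_and_secondary_trusted() carries a `/** ... */` header. Give the new function the same kind of header (what "endorsed CA" requires of the vouching key, and that the `unused` parameter is ignored) and keep one blank line between the closing brace and the #ifdef; the same applies to restrict_link_by_ca_builtin_and_secondary_trusted() in the next hunk.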
@@ -83,6 +91,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..005cb28969e4 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,47 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_ECA, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { 
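Review bot: restrict_link_by_ca_and_signature() repeats restrict_link_by_signature() up to and including the find_asymmetric_key() call, and the only new behaviour is `if (!test_bit(KEY_FLAG_ECA, &key->flags)) ret = -ENOKEY;`. Factor the shared part into one helper that takes a "require endorsed CA" boolean so the ca_keyid and use_builtin_keys handling cannot drift between two copies. Returning -ENOKEY when the signer is present but not endorsed also makes that failure indistinguishable from "no signer in the keyring"; -EPERM, as already used for the ca_keyid mismatch a few lines above, or at least a pr_debug naming the key, would make rejected enrolments debuggable. The function also has no kerneldoc comment.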
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..e51bbc5ffe17 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..4e94bf72b998 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -24,9 +24,13 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_ca_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_ca_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { 
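Review bot: the prototype added to include/crypto/public_key.h names the fourth parameter `struct key *unused`, but the definition in crypto/asymmetric_keys/restrict.c names it `trust_keyring` and searches it; rename the header parameter to match, since `unused` is misleading for the value that decides which keyring vouches. In the include/keys/system_keyring.h hunk, inserting the restrict_link_by_ca_builtin_trusted() declaration also removes the blank line that separated load_module_cert() from `#else`; keep that blank line.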
@@ -41,8 +45,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING

From patchwork Wed Dec 7 17:12:35 2022
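Review bot: the fallback `#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted` loses the CA check whenever CONFIG_SECONDARY_TRUSTED_KEYRING is off: restrict_link_by_builtin_trusted() is the plain signature restriction, so in that configuration any builtin key could vouch for a new key, not only an endorsed CA, which contradicts the commit message. It should map to restrict_link_by_ca_builtin_trusted, which the previous hunk defines (or maps to restrict_link_reject) for the no-builtin-keyring case. The declaration's fourth parameter is also named `restrict_key` here but `unused` in certs/system_keyring.c; pick one.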
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed
Date: Wed, 7 Dec 2022 12:12:35 -0500
Message-Id: <20221207171238.2945307-8-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Currently X.509 Intermediate CA certs do not have the endorsed CA (KEY_FLAG_ECA) set. Allow intermediate CA certs to be added. Requirements for an intermediate CA include: Usage extension defined as keyCertSign, Basic Constraints for CA is false, and Intermediate CA cert is signed by a current endorsed CA. Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++-- include/linux/ima.h | 11 +++++++++++ include/linux/key-type.h | 1 + security/keys/key.c | 5 +++++ 4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 64cffedc4dd0..7a87d5c0c32b 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,8 +208,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } - if (cert->kcs_set && cert->self_signed && cert->root_ca) - prep->payload_flags |= KEY_ALLOC_PECA; + if (cert->kcs_set) { + if (cert->self_signed && cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_PECA for now. If the restriction check + * passes later, the key will be allocated with the + * correct CA flag + */ + else if (!cert->self_signed && !cert->root_ca) + prep->payload_flags |= KEY_MAYBE_PECA; + } /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..6597081b6b1a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA @@ -181,6 +182,16 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_trusted +#endif +#else +#define ima_validate_builtin_ca restrict_link_reject +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 0b500578441c..0d2f95f6b8a1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h 
@@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ +#define KEY_MAYBE_PECA 0x0002 /* Proposed possible ECA key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index e6b4946aca70..69d5f143683f 100644 --- a/security/keys/key.c +++ b/security/keys/key.c 
@@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate endorsed ca */ + if ((prep.payload_flags & KEY_MAYBE_PECA) && + !(ima_validate_builtin_ca(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_PECA; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
From patchwork Wed Dec 7 17:12:36 2022
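Review bot: the intermediate-CA branch in the x509_public_key.c hunk, `else if (!cert->self_signed && !cert->root_ca)`, marks a certificate as a possible endorsed CA precisely when its Basic Constraints CA flag is not set, matching the commit message's "Basic Constraints for CA is false". RFC 5280 section 4.2.1.9 requires cA to be TRUE in any certificate whose keyUsage asserts keyCertSign, so a conforming intermediate CA carries CA:TRUE and is never matched here, while a leaf certificate that a CA mis-issued with keyCertSign and no CA constraint is promoted as soon as it chains to a trusted key. Suggest testing for the constraint being present (`!cert->self_signed && cert->root_ca`) and rejecting keyCertSign certificates without it. Separately, the block comment sits between the `if` body and the `else if`, which reads as if it documented the first branch; move it inside the `else if` or above the outer `if (cert->kcs_set)`.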
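Review bot: the KEY_ALLOC_PECA promotion in the key.c hunk is gated only on `prep.payload_flags & KEY_MAYBE_PECA`, not on the destination keyring, so `ima_validate_builtin_ca()` runs inside `key_create_or_update()` for every keyring, and a certificate added to an unrestricted one (a user keyring, say) is stamped as an endorsed CA whenever it chains to the builtin or secondary keyring. It also routes a generic keyring decision through an IMA-named macro that the ima.h hunk defines as `restrict_link_by_ca_builtin_and_secondary_trusted` or `restrict_link_by_ca_builtin_trusted`. Suggest doing the promotion inside those `restrict_link_by_ca_*` functions, which already receive the payload and only run on keyrings that asked for the CA restriction, and leaving security/keys/key.c out of it; failing that, the comment `/* Previous restriction check passed therefore try to validate endorsed ca */` should say that a failed validation is deliberately ignored and only withholds the flag.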
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 08/10] integrity: Use root of trust signature restriction
Date: Wed, 7 Dec 2022 12:12:36 -0500
Message-Id: <20221207171238.2945307-9-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Keys added to the IMA keyring must be vouched for by keys contained within the builtin or secondary keyrings.
These keys must also be self signed, have the CA bit set and have the keyCertSign KeyUsage bit set. Or they could be validated by a properly formed intermediate CA. Currently these restrictions are not enforced. Use the new restrict_link_by_ca_builtin_and_secondary_trusted and restrict_link_by_ca_builtin_trusted to enforce the missing CA restrictions when adding keys to the IMA keyring. With the CA restrictions enforced, allow the machine keyring to be enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg
---
 security/integrity/Kconfig     | 1 -
 security/integrity/digsig.c    | 4 ++--
 security/integrity/ima/Kconfig | 6 +++---
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..14cc3c767270 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 8a82a6c7f48a..1fe8d1ed6e0b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_and_secondary_trusted #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_trusted #endif static struct key *integrity_keyring_from_id(const unsigned int id)
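Review bot: in the security/integrity/Kconfig hunk, dropping `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` removes the only guard that kept machine-keyring (MOK) keys from vouching for IMA keys, and its replacement is the digsig.c change in the same patch, which is the right way to land the two together. The INTEGRITY_MACHINE_KEYRING help text, though, still only says the keyring "shall contain just MOK keys"; it should now state that with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY a MOK key can vouch for IMA keys only if it is a CA certificate in the sense of the commit message (self signed, CA bit set, keyCertSign, or validated by such a CA), so that administrators know which MOK enrollments extend IMA trust.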
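Review bot: the digsig.c hunk is a user-visible tightening that the commit message should call out: with `restrict_link_to_ima` switched from `restrict_link_by_builtin_and_secondary_trusted` to `restrict_link_by_ca_builtin_and_secondary_trusted` (and likewise for the builtin-only variant), a key signed by a builtin or secondary key that is not itself a CA certificate, accepted before this patch, is now rejected on the .ima keyring, so existing deployments that sign IMA keys with a non-CA key carried in the secondary keyring will fail to load them. Spell that out in the commit message. Since the same `#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` selection between the two `restrict_link_by_ca_*` functions already exists in include/linux/ima.h as `ima_validate_builtin_ca`, consider defining `restrict_link_to_ima` in terms of it rather than duplicating the selection.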
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 7249f16257c7..6fe3bd0e5c82 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig 
@@ -269,13 +269,13 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + key is validly signed by a CA cert in the system built-in, + secondary trusted, or machine keyrings. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, secondary trusted or machine keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
From patchwork Wed Dec 7 17:12:37 2022
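Review bot: the ima/Kconfig help hunk now says a key may be added when it "is validly signed by a CA cert in the system built-in, secondary trusted, or machine keyrings", but the help never says what qualifies as a CA cert; the requirements (self signed, CA bit set, keyCertSign key usage, or validated by a properly formed intermediate CA) appear only in the commit message. Add them to the help text, since this option is what an administrator reads when deciding whether MOK keys may sign IMA keys, and keep the two keyring lists consistent: the first paragraph says "secondary trusted, or machine keyrings" and the second "secondary trusted or machine keyrings".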
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 09/10] KEYS: CA link restriction
Date: Wed, 7 Dec 2022 12:12:37 -0500
Message-Id: <20221207171238.2945307-10-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA.
Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/restrict.c        | 40 ++++++++++++++++++++++++
 crypto/asymmetric_keys/x509_public_key.c |  5 ++-
 include/crypto/public_key.h              | 16 ++++++++++
 3 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 005cb28969e4..ac0a6efafb03 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + if (!pkey->key_is_ca) + return -ENOKEY; + + return public_key_verify_signature(pkey, sig); +} + int restrict_link_by_ca_and_signature(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload,
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 7a87d5c0c32b..9c2909fea63e 100644 --- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c @@ -209,8 +209,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } if (cert->kcs_set) { - if (cert->self_signed && cert->root_ca) + if (cert->self_signed && cert->root_ca) { prep->payload_flags |= KEY_ALLOC_PECA; + cert->pub->key_is_ca = true; + } + /* * In this case it could be an Intermediate CA. Set * KEY_MAYBE_PECA for now. If the restriction check diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index e51bbc5ffe17..3de0f8a68914 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; }; 
@@ -76,6 +77,21 @@ extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, const union key_payload *payload, struct key *unused); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
From patchwork Wed Dec 7 17:12:38 2022
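Review bot: `restrict_link_by_ca()` in the restrict.c hunk does more than its kerneldoc says and less than its name suggests. It ends with `return public_key_verify_signature(pkey, sig);`, which checks the certificate's signature against the certificate's own key, i.e. a self-signature check; because the x509_public_key.c hunk sets `key_is_ca` only in the `cert->self_signed && cert->root_ca` branch, that check can only succeed for self-signed roots, so in practice the function restricts a keyring to self-signed root CAs rather than to CAs in general, and the comment "Check if the new certificate is a CA" should say so (or the name should). The Returns paragraph is copied from the trust-keyring restrictions ("some other error if there is a matching certificate but the signature check cannot be performed") although no keyring lookup happens here, and `@trust_keyring: Unused` is better expressed in the prototype as `unused`, as `restrict_link_by_ca_and_signature()` does in the context lines. If the self-signature was already validated when the certificate was parsed, returning 0 after the `key_is_ca` test avoids verifying it a second time.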
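Review bot: in the x509_public_key.c hunk, `cert->pub->key_is_ca = true` is set only inside `if (cert->self_signed && cert->root_ca)`, so a non-self-signed certificate with the CA constraint set never gets `key_is_ca`, even though `cert->root_ca` (the Basic Constraints CA flag that the intermediate-CA patch earlier in this series tests) is what records CA-ness. Either set `key_is_ca` from `cert->root_ca` regardless of self-signedness, so that `restrict_link_by_ca()` and the KEY_MAYBE_PECA path agree on what a CA is, or rename the field to something like `key_is_root_ca` to match the behaviour.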
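Review bot: the `#else` stub for `restrict_link_by_ca()` in the public_key.h hunk returns 0, which makes a keyring restriction fail open (every link allowed) whenever CONFIG_ASYMMETRIC_KEY_TYPE is not reachable. The convention elsewhere in this series is fail-closed: include/linux/ima.h maps `ima_validate_builtin_ca` to `restrict_link_reject` in the same situation. Have the stub return an error (`-EPERM`, or alias the name to `restrict_link_reject`) so that a build without asymmetric key support cannot silently accept everything into a CA-restricted keyring.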
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, bp@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Wed, 7 Dec 2022 12:12:38 -0500
Message-Id: <20221207171238.2945307-11-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
References: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring.
Signed-off-by: Eric Snowberg --- security/integrity/Kconfig | 10 ++++++++++ security/integrity/digsig.c | 8 ++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 14cc3c767270..3357883fa5a8 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Only allow CA keys into the Machine Keyring" + depends on INTEGRITY_MACHINE_KEYRING + help + If set, only Machine Owner Keys (MOK) that are Certificate + Authority (CA) keys will be added to the .machine keyring. All + other MOK keys will be added to the .platform keyring. After + booting, any other key signed by the CA key can be added to the + secondary_trusted_keys keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 1fe8d1ed6e0b..b0ec615745e3 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } @@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
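Review bot: the INTEGRITY_CA_MACHINE_KEYRING help text promises that non-CA MOK keys "will be added to the .platform keyring" and that keys signed by the CA "can be added to the secondary_trusted_keys keyring", but the digsig.c hunks in this patch only change which check function is installed on the .machine keyring; nothing here routes a rejected key anywhere. If the fall-back to .platform is implemented elsewhere in the series, cite that patch in the commit message; otherwise the help should describe only what this option does. The help should also define "CA key" in the terms the code uses (a self-signed certificate with basicConstraints CA:TRUE and keyCertSign, which is what the self_signed, root_ca and kcs_set names in the previous patch's x509_key_preparse() hunk stand for), since an intermediate CA shipped in MOK would not qualify and an admin reading "CA keys" would expect it to.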
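Review bot: `restriction->check = restrict_link_by_ca` in the second digsig.c hunk is only reached for INTEGRITY_KEYRING_MACHINE when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is enabled, because the first hunk sends the machine keyring to `out` with restriction = NULL otherwise; the two hunks encode one decision in two places with nothing tying them together. A comment at the assignment, or an IS_ENABLED() test here as well, would make that explicit. Separately, restrict_link_by_ca() is declared with a `struct key *trust_keyring` parameter and nothing in this function sets restriction->key for the machine keyring, so the restriction allocated just above hands it NULL; confirm restrict_link_by_ca() never dereferences it (the neighbouring restrict_link_by_ca_and_signature() declaration names that parameter `unused`, which is the pattern to follow).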
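The commit message and the Kconfig help describe a policy (self-signed CA certificates from MOK land in .machine, everything else does not, and after boot a certificate signed by such a CA is admissible to secondary_trusted_keys) without showing how to tell in advance which bucket a given MOK entry falls into. The script below is an added example, not code from this patch series or from the kernel: it uses openssl as a stand-in for the kernel's X.509 parser and approximates the three fields the x509_key_preparse() hunk of the previous patch tests (self_signed, root_ca, kcs_set) to predict the keyring, then uses `openssl verify` as an approximation of the signature check the secondary keyring applies. It assumes openssl 1.1.1 or newer and mktemp are installed; the certificates, their names and the config sections are constructed here, and the keyctl line is a usage comment, not something the script runs.

```shell
#!/bin/sh
# Added example (not from the patch series or the kernel): predict which
# keyring a MOK certificate would land in under
# CONFIG_INTEGRITY_CA_MACHINE_KEYRING, using openssl as a stand-in for the
# kernel's X.509 parser.  All certificates below are constructed test data.

# Build three constructed certificates in directory $1:
#   ca.pem       self-signed, basicConstraints CA:TRUE, keyUsage keyCertSign
#   codesign.pem self-signed, CA:FALSE, digitalSignature only (a typical
#                MOK code-signing certificate)
#   leaf.pem     CA:FALSE certificate signed by ca.pem
make_test_certs() {
    d=$1
    cat >"$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[codesign_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" \
        -extensions ca_ext -subj "/CN=Test MOK CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" \
        -extensions codesign_ext -subj "/CN=Test MOK signer" \
        -keyout "$d/codesign.key" -out "$d/codesign.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" \
        -subj "/CN=Test leaf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/cfg" -extensions codesign_ext \
        -out "$d/leaf.pem" 2>/dev/null
}

# Approximate the flags x509_key_preparse() looks at (self_signed, root_ca,
# kcs_set) and print the keyring the entry would be offered to:
# "machine" for a self-signed CA with keyCertSign, "platform" otherwise.
classify_mok() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$cert" -noout -issuer);   iss=${iss#issuer=}
    text=$(openssl x509 -in "$cert" -noout -text)

    # self_signed: issuer == subject AND the signature verifies with the
    # certificate's own key (the kernel checks the signature, not just names)
    self_signed=0
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        self_signed=1
    fi
    # root_ca: basicConstraints CA:TRUE
    root_ca=0
    printf '%s\n' "$text" | grep -q 'CA:TRUE' && root_ca=1
    # kcs_set: keyUsage contains keyCertSign (openssl prints "Certificate Sign")
    kcs_set=0
    printf '%s\n' "$text" | grep -q 'Certificate Sign' && kcs_set=1

    if [ "$self_signed" = 1 ] && [ "$root_ca" = 1 ] && [ "$kcs_set" = 1 ]; then
        echo machine
    else
        echo platform
    fi
}

# Approximation of the rule the Kconfig text gives for secondary_trusted_keys
# after boot: $2 must carry a valid signature from CA certificate $1.
# On a live system the kernel performs this check itself when the DER form is
# linked, e.g.  keyctl padd asymmetric "" %:.secondary_trusted_keys < leaf.der
# (assumes keyutils is installed; not run here).
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_test_certs "$d"
    for c in ca codesign leaf; do
        printf '%-13s -> .%s keyring\n' "$c.pem" "$(classify_mok "$d/$c.pem")"
    done
    if signed_by_ca "$d/ca.pem" "$d/leaf.pem"; then
        echo "leaf.pem chains to ca.pem: admissible to secondary_trusted_keys after boot"
    fi
    rm -rf "$d"
}
demo
```

The classifier is deliberately conservative: a certificate must pass all three tests, so a CA:TRUE certificate without keyCertSign, or an intermediate CA that is not self-signed, is reported as "platform", which is what the kernel-side flags as shown in the previous patch imply. The `openssl verify` calls are only an approximation of the kernel's own signature verification and chain lookup; they share the policy, not the implementation.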