From patchwork Wed Dec 14 00:33:52 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 33000
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 01/10] KEYS: Create static version of public_key_verify_signature
Date: Tue, 13 Dec 2022 19:33:52 -0500
Message-Id: <20221214003401.4086781-2-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The kernel test robot reports undefined reference to
public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
is not defined. Create a static version in this case and return -EINVAL.

Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
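Review bot: the stub in the `#else` branch returns -EINVAL, the same code a caller gets for bad arguments, so a caller cannot distinguish "asymmetric key support is not reachable from this code" from "my parameters were rejected"; consider a distinct code for the compiled-out case (for example -ENOPKG, the keys code's usual "needed crypto support not available" code) or at least a one-line comment on the stub stating why it exists. The guard itself is right to use IS_REACHABLE() rather than IS_ENABLED(): CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE can be built as a module that a built-in caller cannot link against, and the commit message's "when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined" undersells this; "is not reachable (disabled, or built as a module while the caller is built in)" would describe the condition the `#if` actually tests.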

From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 02/10] KEYS: Add missing function documentation
Date: Tue, 13 Dec 2022 19:33:53 -0500
Message-Id: <20221214003401.4086781-3-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Compiling with 'W=1' results in warnings that 'Function parameter or
member not described'. Add the missing parameters for
restrict_link_by_builtin_and_secondary_trusted and
restrict_link_to_builtin_trusted.

Use /* instead of /** for get_builtin_and_secondary_restriction, since it
is a static function.

Fix wrong function name restrict_link_to_builtin_trusted brought by:
commit d3bfe84129f6 ("certs: Add a secondary system keyring that can be
added to dynamically")
Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
---
 certs/system_keyring.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..e531b88bc570 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring. @@ -50,7 +54,11 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring - * addition by both builtin and secondary keyrings + * addition by both builtin and secondary keyrings. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */
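Review bot: the two new kernel-doc blocks name the last parameter differently, `@restriction_key` in the restrict_link_by_builtin_trusted block (first hunk, @@ -33,7 +33,11 @@) and `@restrict_key` in the restrict_link_by_builtin_and_secondary_trusted block (second hunk, @@ -50,7 +54,11 @@). kernel-doc matches each @name against the prototype, so both must equal the actual parameter name in their function's signature, which the hunk context does not show: if one is off, W=1 keeps warning for that function; if both are right, the inconsistency is in the source and a follow-up that unifies the names would be worth adding to the series.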
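Review bot: the `/**` to `/*` change in the third hunk (@@ -75,7 +83,7 @@) silences the warning, but the reason given in the commit message ("since it is a static function") is not why kernel-doc complains; static functions may carry kernel-doc, and the real problem is that this block has no `name - short description` line and no @parameter lines, so kernel-doc cannot parse it. Either reword the commit message to say that, or keep `/**` and give the block a proper `get_builtin_and_secondary_restriction - ...` header plus whatever parameter and Return: lines its prototype requires.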
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 03/10] KEYS: X.509: Parse Basic Constraints for CA
Date: Tue, 13 Dec 2022 19:33:54 -0500
Message-Id: <20221214003401.4086781-4-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA.
BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the x509_certificate. This will be used in a follow-on patch that requires knowing if the public key is a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 crypto/asymmetric_keys/x509_parser.h      | 1 +
 2 files changed, 10 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 7a9b084e2043..b4443e507153 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -586,6 +586,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->root_ca = true; + } + return 0; }
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index a299c9c56f40..7c5c0ad1c22e 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
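Review bot: the basicConstraints test in the x509_cert_parser.c hunk never reads the BOOLEAN's content octet. In `if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1)`, v[2] is the BOOLEAN tag and v[3] is its length; the value byte at v[4] (0xFF for TRUE in DER) is not examined, so an encoder that writes `cA FALSE` out explicitly as `01 01 00` (not DER, but BER-valid) gets root_ca set. Require `vlen >= 5` and test `v[4] != 0` (or, strictly, `== 0xff`), and say in a comment that `v[1] != vlen - 2` assumes a short-form SEQUENCE length, which is fine for this extension. The field name is also off: cA=TRUE marks any CA certificate, intermediate or root, so `is_ca` or similar would describe what is actually stored.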
@@ -38,6 +38,7 @@ struct x509_certificate { bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; + bool root_ca; /* T if basic constraints CA is set */ }; /*

From patchwork Wed Dec 14 00:33:55 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 33001
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Subject: [PATCH v3 04/10] KEYS: X.509: Parse Key Usage
Date: Tue, 13 Dec 2022 19:33:55 -0500
Message-Id: <20221214003401.4086781-5-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
Parse the X.509 Key Usage. The key usage extension defines the purpose of the key contained in the certificate.
id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

KeyUsage ::= BIT STRING {
        digitalSignature        (0),
        contentCommitment       (1),
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8) }

If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow-on patch that requires knowing the certificate key usage type.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++
 crypto/asymmetric_keys/x509_parser.h      |  1 +
 2 files changed, 23 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index b4443e507153..edb22cf04eed 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string to validate keyCertSign + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing) + * v[3] and possibly v[4] contain the bit string + * 0x04 is where KeyCertSign lands in this bit string (from + * RFC 5280 4.2.1.3) + */ + if (v[0] != ASN1_BTS) + return -EBADMSG; + if (vlen < 4) + return -EBADMSG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->kcs_set = true; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->kcs_set = true; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v;
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 7c5c0ad1c22e..74a9f929e400 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
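Review bot: in the keyUsage hunk `v[0]` is read before the `vlen < 4` bound check, so an empty extnValue indexes past the buffer; swap the two `if` statements. The unused-bits guard `v[2] <= 2` is applied only in the one-octet branch; that is sufficient, because in the two-octet branch (`v[1] == 0x03`) the unused bits belong to the second octet and v[3] is fully significant, but the comment's "If >= 3 keyCertSign is missing" holds only for the one-octet case and should say so. Neither branch rejects a non-zero padding bit, which DER forbids; either check `v[2 + (v[1] - 1)] & ((1 << v[2]) - 1)` before trusting v[2], or state in the comment that lenient parsing is intended.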
@@ -39,6 +39,7 @@ struct x509_certificate { bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; bool root_ca; /* T if basic constraints CA is set */ + bool kcs_set; /* T if keyCertSign is set */ }; /*

From patchwork Wed Dec 14 00:33:56 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 33002
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Subject: [PATCH v3 05/10] KEYS: Introduce a CA endorsed flag
Date: Tue, 13 Dec 2022 19:33:56 -0500
Message-Id: <20221214003401.4086781-6-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
Some subsystems are interested in knowing if a key has been endorsed as or by a Certificate Authority (CA). From the data contained in struct key, it is not possible to make this determination after the key parsing is complete.

Introduce a new Endorsed Certificate Authority flag called KEY_FLAG_ECA. The first type of key to use this is X.509. When an X.509 certificate has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set. In the future, other usage fields could be added as flags, i.e. digitalSignature.

Signed-off-by: Eric Snowberg
--- crypto/asymmetric_keys/x509_public_key.c | 3 +++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 15 insertions(+) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 0b4943a4592b..fd1d7d6e68e7 100644 --- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } + if (cert->kcs_set && cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); prep->payload.data[asym_subtype] = &public_key_subtype; diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7d985a1dfe4a..0b500578441c 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -36,6 +36,8 @@ struct key_preparsed_payload { size_t datalen; /* Raw datalen */ size_t quotalen; /* Quota length for proposed payload */ time64_t expiry; /* Expiry time of key */ + unsigned int payload_flags; /* Proposed payload flags */ +#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/include/linux/key.h b/include/linux/key.h index d27477faf00d..21d5a13ee4a9 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -236,6 +236,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */ /* the key type and key description string * - the desc is used to match a key against search criteria 
@@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..e6b4946aca70 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_ECA) + key->flags |= 1 << KEY_FLAG_ECA; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; 
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_PECA) + flags |= KEY_ALLOC_ECA; + else + flags &= ~KEY_ALLOC_ECA; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
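Review bot: cert->root_ca in the x509_key_preparse() hunk is a narrower test than the commit message's "contains the CA bit set" suggests; if root_ca means a self-signed CA rather than any certificate carrying the basicConstraints CA bit, say so in the commit message, since this condition alone decides which certificates receive KEY_FLAG_ECA from this patch (intermediates are handled separately in 07/10).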
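Review bot: KEY_ALLOC_PECA in the key-type.h hunk carries the KEY_ALLOC_ prefix but lives in key_preparsed_payload::payload_flags, a different value space from the key_alloc() flags in include/linux/key.h (here KEY_ALLOC_PECA is 0x0001, while KEY_ALLOC_ECA in key.h is 0x0040); a distinct prefix, or a comment on payload_flags stating that its values must never be passed to key_alloc(), would stop the two sets from being OR-ed together by mistake.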
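Review bot: clearing KEY_ALLOC_ECA unless the preparser set KEY_ALLOC_PECA in the key_create_or_update() hunk is the right defensive shape, because a caller can no longer assert endorsed-CA status through the flags argument; the comment should make two limits explicit, that it only covers this path (in-kernel callers that call key_alloc() directly can still pass KEY_ALLOC_ECA, which key_alloc() honours in the earlier hunk), and that, sitting under "/* allocate a new key */", it leaves an existing key that is updated rather than created with whatever KEY_FLAG_ECA it already had.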
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 06/10] KEYS: Introduce keyring restriction that validates ca trust
Date: Tue, 13 Dec 2022 19:33:57 -0500
Message-Id: <20221214003401.4086781-7-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring.
Add a new restriction called restrict_link_by_ca_and_signature that both vouches for the new key and validates the vouching key is an endorsed certificate authority.

Two new system keyring restrictions are added to use restrict_link_by_ca_and_signature. The first restriction called restrict_link_by_ca_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_ca_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring.

Signed-off-by: Eric Snowberg
--- certs/system_keyring.c | 18 ++++++++++++++ crypto/asymmetric_keys/restrict.c | 41 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 5 ++++ include/keys/system_keyring.h | 12 ++++++++- 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index e531b88bc570..0d219b6895aa 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -51,6 +51,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +int restrict_link_by_ca_builtin_trusted(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + builtin_trusted_keys); +} #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
@@ -83,6 +91,16 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused) +{ + return restrict_link_by_ca_and_signature(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..005cb28969e4 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,47 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + struct key *key; + int ret; + + if (!trust_keyring) + return -ENOKEY; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) + return -ENOKEY; + + if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) + return -EPERM; + + /* See if we have a key that signed this one. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], false); + if (IS_ERR(key)) + return -ENOKEY; + + if (!test_bit(KEY_FLAG_ECA, &key->flags)) + ret = -ENOKEY; + else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) + ret = -ENOKEY; + else + ret = verify_signature(key, sig); + key_put(key); + return ret; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..e51bbc5ffe17 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..4e94bf72b998 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -24,9 +24,13 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int restrict_link_by_ca_builtin_trusted(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *unused); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_ca_builtin_trusted restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { 
@@ -41,8 +45,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_ca_builtin_and_secondary_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
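Review bot: restrict_link_by_ca_builtin_trusted() in the first certs/system_keyring.c hunk has no kernel-doc comment, while the neighbouring restrict_link_by_builtin_trusted() and restrict_link_by_builtin_and_secondary_trusted() carry "/** ... */" blocks; the same applies to restrict_link_by_ca_builtin_and_secondary_trusted() in the second hunk. The first hunk also appears to place the new function's closing brace directly before "#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING" without the separating blank line that the second hunk adds after its function.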
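Review bot: restrict_link_by_ca_and_signature() in the restrict.c hunk repeats the type check, auth_ids check, ca_keyid check and find_asymmetric_key() lookup of restrict_link_by_signature() immediately above it, differing only in the test_bit(KEY_FLAG_ECA, &key->flags) test before verify_signature(); a shared helper with a "require endorsed CA" argument would keep the two from drifting apart if the ca_keyid or use_builtin_keys handling later changes in one but not the other. The ordering itself is sound: a signer that is found but not endorsed fails with -ENOKEY before any signature verification is attempted.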
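Review bot: the prototype in the include/crypto/public_key.h hunk names the last parameter "unused", but the definition in restrict.c names it "trust_keyring" and uses it (the !trust_keyring check and the find_asymmetric_key() call); rename the prototype parameter to trust_keyring so the header does not suggest the argument is ignored.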
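Review bot: the first include/keys/system_keyring.h hunk removes the blank line after load_module_cert() ("-" followed by the new extern), leaving the two declarations and "#else" with no separation; keep the blank line and add the prototype after it.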
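Review bot: the declaration of restrict_link_by_ca_builtin_and_secondary_trusted() in the second system_keyring.h hunk names its last parameter "restrict_key", while the definition in certs/system_keyring.c names it "unused" and the existing declarations above use "restriction_key"; pick one name for all three.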
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed
Date: Tue, 13 Dec 2022 19:33:58 -0500
Message-Id: <20221214003401.4086781-8-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
Currently X.509 intermediate certs with the CA flag set to false do not have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to be added.
Requirements for an intermediate include: Usage extension defined as keyCertSign, Basic Constraints for CA is false, and the intermediate cert is signed by a current endorsed CA.

Signed-off-by: Eric Snowberg
--- crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++-- include/linux/ima.h | 11 +++++++++++ include/linux/key-type.h | 1 + security/keys/key.c | 5 +++++ 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index fd1d7d6e68e7..75699987a6b1 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,8 +208,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } - if (cert->kcs_set && cert->root_ca) - prep->payload_flags |= KEY_ALLOC_PECA; + if (cert->kcs_set) { + if (cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* + * In this case it could be an Intermediate CA. Set + * KEY_MAYBE_PECA for now. If the restriction check + * passes later, the key will be allocated with the + * correct CA flag + */ + else + prep->payload_flags |= KEY_MAYBE_PECA; + } /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..6597081b6b1a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -12,6 +12,7 @@ #include #include #include +#include struct linux_binprm; #ifdef CONFIG_IMA
@@ -181,6 +182,16 @@ static inline void ima_post_key_create_or_update(struct key *keyring, bool create) {} #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ +#ifdef CONFIG_ASYMMETRIC_KEY_TYPE +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_and_secondary_trusted +#else +#define ima_validate_builtin_ca restrict_link_by_ca_builtin_trusted +#endif +#else +#define ima_validate_builtin_ca restrict_link_reject +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 0b500578441c..0d2f95f6b8a1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -38,6 +38,7 @@ struct key_preparsed_payload { time64_t expiry; /* Expiry time of key */ unsigned int payload_flags; /* Proposed payload flags */ #define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ +#define KEY_MAYBE_PECA 0x0002 /* Proposed possible ECA key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/security/keys/key.c b/security/keys/key.c index e6b4946aca70..69d5f143683f 100644 --- a/security/keys/key.c +++ b/security/keys/key.c 
@@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } } + /* Previous restriction check passed therefore try to validate endorsed ca */ + if ((prep.payload_flags & KEY_MAYBE_PECA) && + !(ima_validate_builtin_ca(keyring, index_key.type, &prep.payload, NULL))) + prep.payload_flags |= KEY_ALLOC_PECA; + /* if we're going to allocate a new key, we're going to have * to modify the keyring */ ret = key_permission(keyring_ref, KEY_NEED_WRITE);
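Review bot: in the x509_public_key.c hunk, the `else` branch that sets KEY_MAYBE_PECA runs for every keyCertSign certificate that is not `cert->root_ca`, but the description says an intermediate also requires Basic Constraints cA to be false, and that condition is not checked here; either `root_ca` already encodes it (then say so in the comment) or the check is missing. As a style point, the block comment sits between the `if` body and the `else`; put it inside a braced `else {` block or above the `if` so it sits with the branch it describes.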
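Review bot: the ima_validate_builtin_ca macro in the ima.h hunk is not IMA-specific: it wraps the generic restrict_link_by_ca_builtin_* restrictions, and its only caller in this patch is key_create_or_update() in security/keys/key.c, which now needs include/linux/ima.h to decide a generic key flag. Define it next to the restriction prototypes under a keys-layer name so core keyring code does not depend on an IMA header. The `+#include` line in the first ima.h hunk has lost its header name in this rendering, so which header is added cannot be checked here.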
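Review bot: KEY_MAYBE_PECA in the key-type.h hunk is a transient marker that key_create_or_update() resolves, yet nothing in this patch clears it once KEY_ALLOC_PECA has been decided, so both bits stay set in payload_flags. Either clear it after the decision in key.c or extend the comment ("Proposed possible ECA key") to say it is only meaningful until the restriction check has run.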
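Review bot: in the key.c hunk the return value of ima_validate_builtin_ca() is collapsed to a boolean, so -EOPNOTSUPP, -ENOPKG and a genuine "not vouched for" all silently leave the key unendorsed; that is the safe direction, but a misconfiguration (for example CONFIG_ASYMMETRIC_KEY_TYPE off, where the macro becomes restrict_link_reject) then looks exactly like an untrusted certificate. A pr_debug on the error path, or at least a comment stating that any non-zero return means "not endorsed", would help, and the comment should name which earlier restriction check has "passed".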
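The requirements listed in the 07/10 description above (keyCertSign in Key Usage, the Basic Constraints cA bit, and a signer that is already an endorsed CA) map onto two X.509 extensions. The following is an added example, not code from the patch series or the kernel: a stdlib-only Python classifier with a minimal DER reader that applies that rule to hand-built extension blobs. The `issuer_endorsed` argument and the `der_tlv`/`extension` builders are assumptions of the example, standing in for the kernel's signature and restriction checks, which are out of scope here. One caveat from RFC 5280 section 4.2.1.9: a certificate with cA false must not assert keyCertSign, so a conforming CA will not issue the "intermediate" shape described in the patch, which matters when deciding what such a key may vouch for.

```python
"""Classify an X.509 certificate's CA standing from its KeyUsage and
BasicConstraints extensions, following the rule stated in PATCH 07/10:
keyCertSign is required; cA=TRUE marks a root CA; cA=FALSE can only be
an intermediate if its signer is already an endorsed CA.

Added illustration (stdlib only), not kernel code. `issuer_endorsed` is a
constructed boolean standing in for the kernel's own restriction check.
"""

OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
KEY_CERT_SIGN_BIT = 5  # RFC 5280 KeyUsage: digitalSignature is bit 0
SEQUENCE, OID, BOOLEAN, BIT_STRING, OCTET_STRING = 0x30, 0x06, 0x01, 0x03, 0x04


def der_read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, pos + 2
    else:                                 # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def der_children(contents):
    """Yield (tag, contents) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(contents):
        tag, val, pos = der_read_tlv(contents, pos)
        yield tag, val


def parse_extensions(ext_der):
    """Map extnID (OID bytes) -> extnValue for an Extensions SEQUENCE."""
    tag, body, _ = der_read_tlv(ext_der)
    if tag != SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    exts = {}
    for tag, ext in der_children(body):
        parts = list(der_children(ext))   # OID, optional BOOLEAN critical, OCTET STRING
        if tag != SEQUENCE or parts[0][0] != OID or parts[-1][0] != OCTET_STRING:
            raise ValueError("malformed Extension")
        exts[parts[0][1]] = parts[-1][1]
    return exts


def key_cert_sign_set(key_usage_der):
    """True if keyCertSign is set in a DER-encoded KeyUsage BIT STRING."""
    tag, body, _ = der_read_tlv(key_usage_der)
    if tag != BIT_STRING or len(body) < 2:
        return False
    unused, bits = body[0], body[1:]
    if KEY_CERT_SIGN_BIT >= len(bits) * 8 - unused:
        return False                      # DER trims trailing zero bits: bit absent
    return bool(bits[KEY_CERT_SIGN_BIT // 8] & (0x80 >> (KEY_CERT_SIGN_BIT % 8)))


def basic_constraints_ca(bc_der):
    """True if BasicConstraints cA is TRUE (absent cA means DEFAULT FALSE)."""
    tag, body, _ = der_read_tlv(bc_der)
    if tag != SEQUENCE:
        return False
    return any(t == BOOLEAN and v == b"\xff" for t, v in der_children(body))


def classify(ext_der, issuer_endorsed):
    """Return 'root-ca', 'intermediate-ca' or 'not-endorsed' per the patch rule."""
    exts = parse_extensions(ext_der)
    kcs = OID_KEY_USAGE in exts and key_cert_sign_set(exts[OID_KEY_USAGE])
    ca = OID_BASIC_CONSTRAINTS in exts and basic_constraints_ca(exts[OID_BASIC_CONSTRAINTS])
    if not kcs:
        return "not-endorsed"             # no keyCertSign: never a CA of any kind
    if ca:
        return "root-ca"                  # the KEY_ALLOC_PECA case in the patch
    return "intermediate-ca" if issuer_endorsed else "not-endorsed"  # KEY_MAYBE_PECA path


# Constructed sample extensions (hand-built DER, not real certificates).
def der_tlv(tag, contents):
    if len(contents) >= 0x80:
        raise ValueError("samples use short-form lengths only")
    return bytes([tag, len(contents)]) + contents


def extension(oid, value_der, critical=True):
    body = der_tlv(OID, oid) + (der_tlv(BOOLEAN, b"\xff") if critical else b"")
    return der_tlv(SEQUENCE, body + der_tlv(OCTET_STRING, value_der))


KU_CERT_SIGN = der_tlv(BIT_STRING, b"\x01\x06")   # keyCertSign | cRLSign, 1 unused bit
KU_DIG_SIG = der_tlv(BIT_STRING, b"\x07\x80")     # digitalSignature only
BC_CA_TRUE = der_tlv(SEQUENCE, der_tlv(BOOLEAN, b"\xff"))
BC_CA_FALSE = der_tlv(SEQUENCE, b"")              # cA omitted -> DEFAULT FALSE

ROOT_CA_EXTS = der_tlv(SEQUENCE, extension(OID_KEY_USAGE, KU_CERT_SIGN)
                       + extension(OID_BASIC_CONSTRAINTS, BC_CA_TRUE))
INTERMEDIATE_EXTS = der_tlv(SEQUENCE, extension(OID_KEY_USAGE, KU_CERT_SIGN)
                            + extension(OID_BASIC_CONSTRAINTS, BC_CA_FALSE))
LEAF_EXTS = der_tlv(SEQUENCE, extension(OID_KEY_USAGE, KU_DIG_SIG, critical=False)
                    + extension(OID_BASIC_CONSTRAINTS, BC_CA_FALSE))
```

With these samples, `classify(ROOT_CA_EXTS, False)` yields `root-ca`, `classify(INTERMEDIATE_EXTS, True)` yields `intermediate-ca`, and the same intermediate blob with `issuer_endorsed=False`, or the leaf blob under any signer, yields `not-endorsed`. The DER reader deliberately treats a keyCertSign bit that lies beyond the encoded BIT STRING as clear, since DER drops trailing zero bits; a parser that indexes the byte unconditionally would raise on a one-byte KeyUsage instead of answering "no".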
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 08/10] integrity: Use root of trust signature restriction
Date: Tue, 13 Dec 2022 19:33:59 -0500
Message-Id: <20221214003401.4086781-9-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>

Keys added to the IMA keyring must be vouched for by keys contained within the builtin or secondary keyrings. These keys must also be endorsed as or by a CA. The CA qualifications include having the CA bit and the keyCertSign KeyUsage bit set. Or they could be validated by a properly formed intermediate certificate as long as it was signed by a qualifying CA. Currently these restrictions are not enforced. Use the new restrict_link_by_ca_builtin_and_secondary_trusted and restrict_link_by_ca_builtin_trusted to enforce the missing CA restrictions when adding keys to the IMA keyring.
With the CA restrictions enforced, allow the machine keyring to be enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg
--- security/integrity/Kconfig | 1 - security/integrity/digsig.c | 4 ++-- security/integrity/ima/Kconfig | 6 +++--- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..14cc3c767270 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 8a82a6c7f48a..1fe8d1ed6e0b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_and_secondary_trusted #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_ca_builtin_trusted #endif static struct key *integrity_keyring_from_id(const unsigned int id) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 7249f16257c7..6fe3bd0e5c82 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig
@@ -269,13 +269,13 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + key is validly signed by a CA cert in the system built-in, + secondary trusted, or machine keyrings. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, secondary trusted or machine keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
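Review bot: dropping `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` from INTEGRITY_MACHINE_KEYRING in the security/integrity/Kconfig hunk relies entirely on the CA restriction switched on in digsig.c; the option's help text is cut off in this hunk after "Unlike keys", so please check it no longer describes the old mutual exclusion, and say in the commit message why the combination is safe now (a machine keyring key can only vouch for an IMA key if it is itself a qualifying CA, or is validated by one).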
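Review bot: the digsig.c hunk is a behaviour change for existing systems: a key validly signed by a non-CA key in the builtin or secondary keyring was accepted by restrict_link_by_builtin_trusted before and will be rejected by restrict_link_by_ca_builtin_trusted after this patch. The commit message says the restriction was "not enforced" but does not warn that previously accepted keys now fail to load; add that. Also note that restrict_link_to_ima covers more than the IMA keyring (the Kconfig help text in this same patch speaks of the IMA and IMA blacklist keyrings), so name every keyring the tightened rule applies to.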
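Review bot: the new help text in the ima/Kconfig hunk says a CA cert in the "machine keyrings" may vouch for a key, but nothing in this patch shows how restrict_link_by_ca_builtin_and_secondary_trusted reaches machine keys; if that works because the machine keyring is linked into the secondary keyring, state it in the commit message so the help text can be checked. Minor: the two added sentences punctuate the list differently ("secondary trusted, or machine keyrings" versus "secondary trusted or machine keyrings").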
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 09/10] KEYS: CA link restriction
Date: Tue, 13 Dec 2022 19:34:00 -0500
Message-Id: <20221214003401.4086781-10-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>

Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA.

Signed-off-by: Eric Snowberg
--- crypto/asymmetric_keys/restrict.c | 35 ++++++++++++++++++++++++ crypto/asymmetric_keys/x509_public_key.c | 5 +++- include/crypto/public_key.h | 16 +++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 005cb28969e4..ca305ba1c0b5 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,41 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + if (!pkey->key_is_ca) + return -ENOKEY; + + return 0; +} + int restrict_link_by_ca_and_signature(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 75699987a6b1..88c6e9829224 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -209,8 +209,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } if (cert->kcs_set) { - if (cert->root_ca) + if (cert->root_ca) { prep->payload_flags |= KEY_ALLOC_PECA; + cert->pub->key_is_ca = true; + } + /* * In this case it could be an Intermediate CA. Set * KEY_MAYBE_PECA for now. If the restriction check diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index e51bbc5ffe17..3de0f8a68914 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; }; 
@@ -76,6 +77,21 @@ extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, const union key_payload *payload, struct key *unused); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
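Review bot: the kernel-doc for restrict_link_by_ca in the restrict.c hunk describes return values the function never produces. It says -ENOPKG means "the signature uses unsupported crypto" and talks about "a matching certificate but the signature check cannot be performed", yet the body performs no signature check at all. As written, -ENOPKG is returned when payload->data[asym_crypto] is NULL, -EOPNOTSUPP when type is not &key_type_asymmetric (not mentioned in the doc), and -ENOKEY when key_is_ca is false. Suggest rewriting the Returns paragraph to match, e.g. "Returns 0 if the key is flagged as a CA, -ENOKEY if it is not, -ENOPKG if the key has no public key payload and -EOPNOTSUPP if it is not an asymmetric key", and stating explicitly that no signature is verified here, so nobody assumes parity with restrict_link_by_ca_and_signature.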
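Review bot: in the x509_key_preparse hunk, cert->pub->key_is_ca is set only inside the `if (cert->root_ca)` branch, so a CA certificate that is not self-signed never receives the flag and restrict_link_by_ca rejects it with -ENOKEY. The context comment right after the hunk mentions the case where the certificate "could be an Intermediate CA", so either set key_is_ca for that case as well, or make the commit message and the restrict_link_by_ca kernel-doc say that "CA" here means a self-signed root CA only.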
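Review bot: the `#else` stub of restrict_link_by_ca in the public_key.h hunk returns 0, so when CONFIG_ASYMMETRIC_KEY_TYPE is not reachable the "restriction" accepts every key. A link restriction should fail closed: return -EOPNOTSUPP (or -ENOKEY) from the stub, or drop the #if/#else and declare the function with a plain extern, the way restrict_link_by_ca_and_signature is declared in the context lines directly above.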
From patchwork Wed Dec 14 00:34:01 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 33008
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, noodles@fb.com, tiwai@suse.de, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Tue, 13 Dec 2022 19:34:01 -0500
Message-Id: <20221214003401.4086781-11-eric.snowberg@oracle.com>
In-Reply-To: <20221214003401.4086781-1-eric.snowberg@oracle.com>
References: <20221214003401.4086781-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring.

Signed-off-by: Eric Snowberg
---
 security/integrity/Kconfig | 10 ++++++++++
 security/integrity/digsig.c | 8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 14cc3c767270..3357883fa5a8 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Only allow CA keys into the Machine Keyring" + depends on INTEGRITY_MACHINE_KEYRING + help + If set, only Machine Owner Keys (MOK) that are Certificate + Authority (CA) keys will be added to the .machine keyring. All + other MOK keys will be added to the .platform keyring. After + booting, any other key signed by the CA key can be added to the + secondary_trusted_keys keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 1fe8d1ed6e0b..b0ec615745e3 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } @@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
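Review bot: the INTEGRITY_CA_MACHINE_KEYRING help text in the Kconfig hunk promises that "All other MOK keys will be added to the .platform keyring" and that keys signed by the CA "can be added to the secondary_trusted_keys keyring", but nothing in this patch does either; the digsig.c hunks only swap the restriction callback. If earlier patches in the series implement that routing, the commit message should say so, otherwise the help text over-promises. The option is also a plain bool with no default, so it is off unless selected, while the commit message reads as if the CA-only restriction were unconditional ("This will only allow CA keys into the machine keyring"); qualify it with "when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is enabled".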
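Review bot: in the second digsig.c hunk, restrict_link_by_ca becomes the check for INTEGRITY_KEYRING_MACHINE, but that function (added in the previous patch above) only tests the key_is_ca flag and performs no signature verification. That is acceptable only because, as the context comment right after the hunk says, MOK keys can only be added through read-only runtime services; the commit message should state that the .machine keyring's integrity rests on that property and not on the new restriction. A one-line comment next to the `if (id == INTEGRITY_KEYRING_MACHINE)` branch noting that it is only reachable when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is enabled (the condition added in the first digsig.c hunk) would also help the next reader.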