From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature
Date: Mon, 6 Feb 2023 21:59:53 -0500
Message-Id: <20230207025958.974056-2-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>

The kernel test
robot reports undefined reference to public_key_verify_signature when
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version
in this case and return -EINVAL.

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
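
Review bot: -EINVAL in the new `#else` stub gives callers no way to tell "public-key subtype not built" apart from an invalid-argument failure of a real verification. The stub fails closed, since it can never report success, so this is a diagnosability point rather than a bypass; consider a distinct code such as -ENOPKG, or a one-line comment above the stub saying that -EINVAL here means the subtype is not reachable. Also, the commit message says the stub applies when the option "is not defined", but the guard is `#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)`, which additionally selects the stub for built-in callers when the subtype is built as a module; that case is worth stating in the message.
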
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 2/6] KEYS: Add missing function documentation
Date: Mon, 6 Feb 2023 21:59:54 -0500
Message-Id: <20230207025958.974056-3-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>

Compiling with
'W=1' results in warnings that 'Function parameter or member not described'

Add the missing parameters for
restrict_link_by_builtin_and_secondary_trusted and
restrict_link_to_builtin_trusted.

Use /* instead of /** for get_builtin_and_secondary_restriction, since
it is a static function.

Fix wrong function name restrict_link_to_builtin_trusted.

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
Reviewed-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
 certs/system_keyring.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..e531b88bc570 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring.
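
Review bot: the added `@restriction_key` line says the keyring "can be used to vouch for the new cert", but the description kept just below it says the new key must be vouched for by a key in the built in system keyring, so the comment now names two different trust sources. Please state in the `@restriction_key` text whether this function actually consults that argument, so that a caller reading the kernel-doc does not assume a supplied keyring widens what is accepted.
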
@@ -50,7 +54,11 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring - * addition by both builtin and secondary keyrings + * addition by both builtin and secondary keyrings. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system 
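
Review bot: the last tag here is `@restrict_key`, while the sibling comment in the previous hunk uses `@restriction_key`, and neither prototype's final parameter is visible in the diff context. kernel-doc matches tag names against the prototype literally, so please confirm each tag matches its function; a mismatch would leave the W=1 warning this patch is meant to remove. Minor: the `@restrict_key` description is copied unchanged from the other function, although this comment's own text says either the built-in or the secondary keyring may vouch for the key.
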
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA
Date: Mon, 6 Feb 2023 21:59:55 -0500
Message-Id: <20230207025958.974056-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>

Parse the X.509
Basic Constraints. The basic constraints extension identifies whether the
subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the public_key. This will be used in a
follow on patch that requires knowing if the public key is a CA.

Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
 crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++
 include/crypto/public_key.h | 2 ++
 2 files changed, 24 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..77547d4bd94d 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + /* + * Get hold of the basicConstraints + * v[1] is the encoding size + * (Expect 0x2 or greater, making it 1 or more bytes) + * v[2] is the encoding type + * (Expect an ASN1_BOOL for the CA) + * v[3] is the contents of the ASN1_BOOL + * (Expect 1 if the CA is TRUE) + * vlen should match the entire extension size + */ + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (vlen < 2) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..c401762850f2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -28,6 +28,8 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned long key_eflags; /* key extension flags */ +#define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ }; extern void public_key_free(struct public_key *key);
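
Review bot: In the basicConstraints block of x509_process_extension(), the CA test "v[3] == 1" looks at the BOOLEAN's length octet rather than its value. DER encodes cA as tag, length, value, so once v[2] == ASN1_BOOL the next byte v[3] is the length (always 1) and the value sits in v[4], 0xFF for TRUE; as written, an explicitly encoded cA FALSE (01 01 00) would also set KEY_EFLAG_CA. Suggest requiring vlen >= 5 and testing v[4], and correcting the comment, which calls v[3] the contents. Two smaller points in the same block: v[0] is read before the "vlen < 2" check, so the length check should come first, and "1 << KEY_EFLAG_CA" is an int shift stored into an unsigned long field (1UL or BIT() would match the type).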
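
Review bot: In the public_key.h hunk, the comment on KEY_EFLAG_CA should say that the value is a bit number within key_eflags, not a flag value. The define is 0 and the parser sets it with "1 << KEY_EFLAG_CA", so a reader who tests key_eflags against KEY_EFLAG_CA directly gets a check that is always false; wording such as "bit number: set if ..." on the define, or on the key_eflags field, would make the encoding explicit.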
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 4/6] KEYS: X.509: Parse Key Usage
Date: Mon, 6 Feb 2023 21:59:56 -0500
Message-Id: <20230207025958.974056-5-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>

Parse the X.509 Key Usage. The key usage extension defines the purpose of
the key contained in the certificate.

id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }

KeyUsage ::= BIT STRING {
        digitalSignature        (0),
        contentCommitment       (1),
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8) }

If the keyCertSign or digitalSignature is set, store it in the
public_key structure. This will be used in a follow on patch that
requires knowing the certificate key usage type.

Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
---
 crypto/asymmetric_keys/x509_cert_parser.c | 28 +++++++++++++++++++++++
 include/crypto/public_key.h | 2 ++
 2 files changed, 30 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 77547d4bd94d..0a7049b470c1 100644 
--- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -579,6 +579,34 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing when v[1] = 0x02) + * v[3] and possibly v[4] contain the bit string + * + * From RFC 5280 4.2.1.3: + * 0x04 is where keyCertSign lands in this bit string + * 0x80 is where digitalSignature lands in this bit string + */ + if (v[0] != ASN1_BTS) + return -EBADMSG; + if (vlen < 4) + return -EBADMSG; + if (v[2] >= 8) + return -EBADMSG; + if (v[3] & 0x80) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_DIGITALSIG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v; diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index c401762850f2..03c3fb990d59 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -30,6 +30,8 @@ struct public_key { const char *pkey_algo; unsigned long key_eflags; /* key extension flags */ #define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ +#define KEY_EFLAG_DIGITALSIG 1 /* set if the digitalSignature usage is set */ +#define KEY_EFLAG_KEYCERTSIGN 2 /* set if the keyCertSign usage is set */ }; extern void public_key_free(struct public_key *key);
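
Review bot: The keyUsage block in x509_process_extension() never checks the length octet v[1] against vlen, unlike the "v[1] != vlen - 2" test in the basicConstraints block of patch 3/6. With any v[1] other than 0x02 or 0x03 both keyCertSign branches are skipped, yet digitalSignature is still taken from v[3], so a BIT STRING whose declared length does not match the extension is partly accepted instead of returning -EBADMSG. Suggest rejecting unless v[1] == vlen - 2 and v[1] is 0x02 or 0x03 before any flag is set. The "vlen < 4" check should also move ahead of the v[0] read, and "1 << KEY_EFLAG_..." would be better as 1UL or BIT() for the unsigned long field.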
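
The DER byte layout that patches 3/6 and 4/6 index into, shown as an added user-space example (not kernel code and not part of the posted series). The function names, the EX_* flags and the sample byte strings are constructed for illustration, and only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-local flag values, modelled on the series' bit numbers 1 and 2. */
#define EX_DIGITALSIG  (1 << 1)
#define EX_KEYCERTSIGN (1 << 2)

#define DER_BOOLEAN   0x01
#define DER_BITSTRING 0x03
#define DER_SEQUENCE  0x30

/* Constructed sample extension values, not taken from real certificates. */
static const uint8_t bc_ca_true[]  = { 0x30, 0x03, 0x01, 0x01, 0xFF };
static const uint8_t bc_ca_path0[] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 };
static const uint8_t bc_empty[]    = { 0x30, 0x00 };                   /* cA omitted */
static const uint8_t bc_ca_false[] = { 0x30, 0x03, 0x01, 0x01, 0x00 }; /* explicit FALSE */
static const uint8_t ku_certsign[] = { 0x03, 0x02, 0x01, 0x06 };       /* keyCertSign, cRLSign */
static const uint8_t ku_digsig[]   = { 0x03, 0x02, 0x07, 0x80 };       /* digitalSignature */
static const uint8_t ku_two_byte[] = { 0x03, 0x03, 0x07, 0x04, 0x80 }; /* keyCertSign, decipherOnly */
static const uint8_t ku_bad_len[]  = { 0x03, 0x04, 0x00, 0x80 };       /* length overruns buffer */

/* Check one tag/length header; return a pointer to the contents or NULL. */
static const uint8_t *der_tlv(const uint8_t *buf, size_t len, uint8_t tag, size_t *clen)
{
    if (len < 2 || buf[0] != tag || buf[1] >= 0x80 || buf[1] > len - 2)
        return NULL;
    *clen = buf[1];
    return buf + 2;
}

/* Returns 1 if cA is TRUE, 0 if FALSE or omitted, -1 if malformed. */
int ex_basic_constraints_is_ca(const uint8_t *v, size_t vlen)
{
    size_t seqlen, blen;
    const uint8_t *seq = der_tlv(v, vlen, DER_SEQUENCE, &seqlen);
    const uint8_t *b;

    if (!seq || seqlen != vlen - 2)
        return -1;
    if (seqlen == 0 || seq[0] != DER_BOOLEAN)
        return 0;                       /* cA absent: DEFAULT FALSE */
    b = der_tlv(seq, seqlen, DER_BOOLEAN, &blen);
    if (!b || blen != 1)
        return -1;
    if (b[0] == 0xFF)                   /* DER TRUE is exactly 0xFF */
        return 1;
    return b[0] == 0x00 ? 0 : -1;
}

/* The CA condition from the patch 3/6 hunk, transcribed for comparison. */
int ex_hunk_condition_is_ca(const uint8_t *v, size_t vlen)
{
    return vlen >= 4 && v[1] != 0 && v[2] == DER_BOOLEAN && v[3] == 1;
}

/* Returns EX_* flags for digitalSignature/keyCertSign, or -1 if malformed. */
int ex_key_usage_flags(const uint8_t *v, size_t vlen)
{
    size_t clen;
    const uint8_t *c = der_tlv(v, vlen, DER_BITSTRING, &clen);
    unsigned int unused, nbits;
    int flags = 0;

    /* Contents: one unused-bits octet plus 1 or 2 octets of named bits. */
    if (!c || clen != vlen - 2 || clen < 2 || clen > 3)
        return -1;
    unused = c[0];
    if (unused > 7)
        return -1;
    nbits = (unsigned int)(clen - 1) * 8 - unused;  /* named bits encoded */
    if (nbits > 0 && (c[1] & 0x80))                 /* bit 0 is the MSB */
        flags |= EX_DIGITALSIG;
    if (nbits > 5 && (c[1] & 0x04))                 /* bit 5 */
        flags |= EX_KEYCERTSIGN;
    return flags;
}

int main(void)
{
    printf("cA TRUE:           %d\n", ex_basic_constraints_is_ca(bc_ca_true, sizeof(bc_ca_true)));
    printf("cA TRUE, pathLen:  %d\n", ex_basic_constraints_is_ca(bc_ca_path0, sizeof(bc_ca_path0)));
    printf("cA omitted:        %d\n", ex_basic_constraints_is_ca(bc_empty, sizeof(bc_empty)));
    printf("cA explicit FALSE: %d (hunk condition: %d)\n",
           ex_basic_constraints_is_ca(bc_ca_false, sizeof(bc_ca_false)),
           ex_hunk_condition_is_ca(bc_ca_false, sizeof(bc_ca_false)));
    printf("keyUsage certsign: %d\n", ex_key_usage_flags(ku_certsign, sizeof(ku_certsign)));
    printf("keyUsage digsig:   %d\n", ex_key_usage_flags(ku_digsig, sizeof(ku_digsig)));
    printf("keyUsage 2 bytes:  %d\n", ex_key_usage_flags(ku_two_byte, sizeof(ku_two_byte)));
    printf("keyUsage bad len:  %d\n", ex_key_usage_flags(ku_bad_len, sizeof(ku_bad_len)));
    return 0;
}
```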
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 5/6] KEYS: CA link restriction
Date: Mon, 6 Feb 2023 21:59:57 -0500
Message-Id: <20230207025958.974056-6-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>

Add a new link
restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA. Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar --- crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 15 ++++++++++++ 2 files changed, 53 insertions(+) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..48457c6f33f9 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + return 0; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 03c3fb990d59..653992a6e941 100644 
--- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
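Review bot: In crypto/asymmetric_keys/restrict.c the kernel-doc for restrict_link_by_ca() does not match the body. The Returns text talks about a signature that uses unsupported crypto and a signature check that cannot be performed, but the function verifies no signature: -ENOPKG is returned when payload->data[asym_crypto] is NULL, -EOPNOTSUPP (not documented) when the type is not key_type_asymmetric, and -ENOKEY also covers a CA key that has KEY_EFLAG_DIGITALSIG set, not only a key that is not a CA. "mark the new certificate as being ok to link" likewise describes nothing the code does. Suggest rewriting the comment to list the three flag checks and the actual error codes, and marking @dest_keyring as unused alongside @trust_keyring.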
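Review bot: In include/crypto/public_key.h the #else stub of restrict_link_by_ca() returns 0, so when CONFIG_ASYMMETRIC_KEY_TYPE is not reachable a keyring that installs this restriction accepts every key rather than rejecting it. For a link restriction that is the permissive direction. Consider returning an error from the stub (for example -ENOKEY, which the real function uses for rejected keys), or add a comment stating why no caller can reach the stub with a key to link in that configuration.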
From patchwork Tue Feb 7 02:59:58 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 53621
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Mon, 6 Feb 2023 21:59:58 -0500
Message-Id: <20230207025958.974056-7-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a machine
keyring CA restriction menu option to control the type of keys that may be added to it. The options include none, min and max restrictions. When no restrictions are selected, all Machine Owner Keys (MOK) are added to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is selected, the CA bit must be true. Also the key usage must contain keyCertSign, any other usage field may be set as well. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must be true. Also the key usage must contain keyCertSign and the digitalSignature usage may not be set. Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/restrict.c | 2 ++ security/integrity/Kconfig | 39 ++++++++++++++++++++++++++++++- security/integrity/digsig.c | 8 +++++-- 3 files changed, 46 insertions(+), 3 deletions(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 48457c6f33f9..633021ea7901 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -140,6 +140,8 @@ int restrict_link_by_ca(struct key *dest_keyring, return -ENOKEY; if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) return -ENOKEY; + if (IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN)) + return 0; if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) return -ENOKEY; diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..eba6fd59fd16 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig
@@ -68,13 +68,50 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +choice + prompt "Enforce Machine Keyring CA Restrictions" + default INTEGRITY_CA_MACHINE_KEYRING_NONE + depends on INTEGRITY_MACHINE_KEYRING + help + The .machine keyring can be configured to enforce CA restriction + on any key added to it. The options include none, min and max + restrictions. By default no restrictions are in place and all + Machine Owner Keys (MOK) are added to the machine keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_NONE + bool "No restrictions" + help + When no restrictions are selected, all Machine Owner Keys (MOK) + are added to the machine keyring. MOK keys do not require the + CA bit to be set. The key usage field is ignored. This is the + default setting. + +config INTEGRITY_CA_MACHINE_KEYRING_MIN + bool "Only CA keys (with or without DigitialSignature usage set)" + help + When min is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will also be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_MAX + bool "Only CA keys" + help + When max is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will not be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +endchoice + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI 
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f2193c531f4a..3385f534f1da 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE))) { restriction = NULL; goto out; } @@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
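Review bot: The IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN) early return added to restrict_link_by_ca() ties a helper in crypto/asymmetric_keys/restrict.c to an integrity Kconfig choice, so any keyring that uses restrict_link_by_ca gets the relaxed check whenever the machine keyring is built as MIN. The diffstat shows only these two lines changing in restrict.c, so the function's kernel-doc still does not say that the KEY_EFLAG_DIGITALSIG test is conditional. Suggest keeping restrict_link_by_ca strict and selecting a separate machine-keyring check function in security/integrity/digsig.c, or at least documenting the config dependence in the comment.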
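Review bot: The security/integrity/Kconfig hunk drops "depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY" from INTEGRITY_MACHINE_KEYRING, but the commit message only describes the new choice. Please explain there why the exclusion is no longer needed, in particular because the default INTEGRITY_CA_MACHINE_KEYRING_NONE keeps the unrestricted behaviour. Separately, "DigitialSignature" in the MIN prompt and "digitialSignature" in the MIN and MAX help text should read digitalSignature.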