From patchwork Wed Mar 22 16:16:29 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 73517
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, jlee@suse.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v6 1/6] KEYS: Create static version of public_key_verify_signature
Date: Wed, 22 Mar 2023 12:16:29 -0400
Message-Id: <20230322161634.2233838-2-eric.snowberg@oracle.com>
In-Reply-To: <20230322161634.2233838-1-eric.snowberg@oracle.com>
References: <20230322161634.2233838-1-eric.snowberg@oracle.com>

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined. Create a static version in this case and return -EINVAL.

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
Reviewed-by: Jarkko Sakkinen
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 68f7aa2a7e55..6d61695e1cde 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
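
Review bot: the #else stub returns -EINVAL, which a caller cannot tell apart from a rejected argument or a malformed signature; this branch means verification support is not reachable in this build, so a distinct code (for example -ENOPKG) and a one-line comment above the stub saying so would make failures easier to triage. The stub never returns 0, so a build without the subtype fails closed, which is the behaviour to keep. The guard is IS_REACHABLE(), which also selects the stub for built-in code when the option is modular; the commit message only mentions the "not defined" case and should say so.
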
From patchwork Wed Mar 22 16:16:30 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 73516
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, jlee@suse.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v6 2/6] KEYS: Add missing function documentation
Date: Wed, 22 Mar 2023 12:16:30 -0400
Message-Id: <20230322161634.2233838-3-eric.snowberg@oracle.com>
In-Reply-To: <20230322161634.2233838-1-eric.snowberg@oracle.com>
References: <20230322161634.2233838-1-eric.snowberg@oracle.com>

Compiling with 'W=1' results in warnings that 'Function parameter or member not described'

Add the missing parameters for restrict_link_by_builtin_and_secondary_trusted and restrict_link_to_builtin_trusted.

Use /* instead of /** for get_builtin_and_secondary_restriction, since it is a static function.

Fix wrong function name restrict_link_to_builtin_trusted.

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
Reviewed-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
 certs/system_keyring.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 5042cc54fa5e..a7a49b17ceb1 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring.
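
Review bot: the added @restriction_key line says it is "A ring of keys that can be used to vouch for the new cert", while the unchanged description right below it says the vouching key comes from the built-in system keyring; if this function does not consult @restriction_key, the kernel-doc should say the argument is unused so that a caller does not assume passing a keyring here changes what is trusted. Minor: the summary line now reads "built-in CA" but the description still reads "built in system keyring".
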
@@ -50,7 +54,11 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring - * addition by both builtin and secondary keyrings + * addition by both built-in and secondary keyrings. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system 
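
Review bot: the fourth parameter is documented here as @restrict_key, while the block for restrict_link_by_builtin_trusted in the previous hunk uses @restriction_key; kernel-doc matches parameters by name and the prototypes are not in the hunk context, so confirm each name against its function signature, otherwise W=1 will still report an undescribed or excess parameter. The description text is identical in both blocks although this variant is described as accepting keys vouched for by either the built-in or the secondary keyring, so the wording for @restrict_key could state how it relates to those two keyrings.
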
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */

From patchwork Wed Mar 22 16:16:31 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 73513
CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::a326:1794:402f:1adb%3]) with mapi id 15.20.6178.037; Wed, 22 Mar 2023 16:20:11 +0000 
From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, jlee@suse.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v6 3/6] KEYS: X.509: Parse Basic Constraints for CA Date: Wed, 22 Mar 2023 12:16:31 -0400 Message-Id: <20230322161634.2233838-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230322161634.2233838-1-eric.snowberg@oracle.com> References: <20230322161634.2233838-1-eric.snowberg@oracle.com> X-ClientProxiedBy: BY3PR10CA0018.namprd10.prod.outlook.com (2603:10b6:a03:255::23) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|MW6PR10MB7688:EE_ X-MS-Office365-Filtering-Correlation-Id: 8ee00003-b97e-4abb-7d55-08db2af14f73 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(396003)(136003)(346002)(376002)(366004)(39860400002)(451199018)(38100700002)(186003)(41300700001)(316002)(66476007)(44832011)(8676002)(5660300002)(36756003)(66556008)(4326008)(8936002)(66946007)(2906002)(7416002)(478600001)(6666004)(86362001)(2616005)(6512007)(1076003)(6486002)(6506007)(966005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 
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 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 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 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8ee00003-b97e-4abb-7d55-08db2af14f73 X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Mar 2023 16:20:11.3542 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: AEAwnsXRI+uBB8+aEpGZimRbvNScInAKg1/jvBHLa4XVcH1OfQ0H7lVlqakjm0cYU/yT5QVpmVoxZG+WCmOoSDbAjuijA0jX9KI3zMoK23s= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW6PR10MB7688 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-22_13,2023-03-22_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 malwarescore=0 phishscore=0 mlxscore=0 bulkscore=0 spamscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303150002 definitions=main-2303220115 X-Proofpoint-GUID: xAQqvegQ0KrgP5rjvDp3g7MYdwrkzDVu X-Proofpoint-ORIG-GUID: xAQqvegQ0KrgP5rjvDp3g7MYdwrkzDVu X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_NONE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1761085740289560981?= X-GMAIL-MSGID: =?utf-8?q?1761085740289560981?= 
Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA. BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL } If the CA is true, store it in the public_key. This will be used in a follow on patch that requires knowing if the public key is a CA. Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen --- crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++ include/crypto/public_key.h | 2 ++ 2 files changed, 24 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..77547d4bd94d 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + /* + * Get hold of the basicConstraints + * v[1] is the encoding size + * (Expect 0x2 or greater, making it 1 or more bytes) + * v[2] is the encoding type + * (Expect an ASN1_BOOL for the CA) + * v[3] is the contents of the ASN1_BOOL + * (Expect 1 if the CA is TRUE) + * vlen should match the entire extension size + */ + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (vlen < 2) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..c401762850f2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -28,6 +28,8 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned long key_eflags; /* key extension flags */ +#define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ }; extern void public_key_free(struct public_key *key);
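Review bot: in the OID_basicConstraints block added to x509_process_extension(), v[3] is the length octet of the BOOLEAN, not its contents, so `v[3] == 1` sets KEY_EFLAG_CA for any one-byte BOOLEAN, including an explicitly encoded FALSE. In DER, cA TRUE is the five bytes 30 03 01 01 ff: v[2] is the ASN1_BOOL tag, v[3] its length and v[4] the value. Suggest requiring `vlen >= 5`, keeping `v[3] == 1` as the length check, testing `v[4] != 0` (or `== 0xff` for strict DER), and correcting the comment, which describes v[3] as the contents. Separately, `v[0]` is read before the `vlen < 2` check; the length test should come first.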
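Review bot: KEY_EFLAG_CA in struct public_key is a bit number, not a mask, and neither of the two added comments says so. The parser hunk sets it with `1 << KEY_EFLAG_CA`, while the link-restriction patch later in this series reads it with test_bit(). Suggest stating in the key_eflags comment that the KEY_EFLAG_* values are bit positions, and setting the flag with set_bit() (or `1UL <<`) so the writer matches the unsigned long field and the test_bit() reader.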
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, jlee@suse.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v6 5/6] KEYS: CA link restriction
Date: Wed, 22 Mar 2023 12:16:33 -0400
Message-Id: <20230322161634.2233838-6-eric.snowberg@oracle.com>
In-Reply-To: <20230322161634.2233838-1-eric.snowberg@oracle.com>
References: <20230322161634.2233838-1-eric.snowberg@oracle.com>

Add a new link restriction.
Restrict the addition of keys in a keyring based on the key to be added being a CA. Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar --- crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 15 +++++++++++ 2 files changed, 57 insertions(+) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..dd9ced32c8a1 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,48 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + + if (!pkey) + return -ENOPKG; + + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + return 0; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 03c3fb990d59..653992a6e941 100644 
--- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
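Review bot: the kernel-doc for restrict_link_by_ca() in restrict.c does not match the body. The function performs no signature check, so the Returns text about unsupported signature crypto and "some other error" does not apply; -ENOPKG is returned when the payload carries no public key and -EOPNOTSUPP when the type is not key_type_asymmetric, and neither case is documented. -ENOKEY is also returned when KEY_EFLAG_KEYCERTSIGN is clear or KEY_EFLAG_DIGITALSIG is set, while the description and the commit message only mention the key being a CA. Suggest rewriting the Returns paragraph to list these cases and adding a sentence on why a key with digitalSignature usage is refused.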
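Review bot: the `#else` stub of restrict_link_by_ca() in public_key.h returns 0, which is the "accepted" result, so a keyring given this restriction admits every link when CONFIG_ASYMMETRIC_KEY_TYPE is not reachable. Suggest returning an error from the stub, or adding a comment that says why accepting is safe in that configuration.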
b=K7H2Hj85ddAgFgsqUwlsCctAJa/0MpnVGRJjD8gD8wdrV0KdX9NK664TbDiO0t/yzN ljBMQl+VAibfURpVjNg5DdGxyAa6Hru4n1/Fr2oMwrA/4EYB97FV7ZdHkyX4BS0IEIBz A6/+fI+E4Ghw1GQjDeNeZyXzMxSwoyMdHdfyuwDPOdwZWpplmYtyXDXAYfWbFeVIRlaA cdEYURjFVqr8QgHCZECG0Hgfwu5aqjVWqQpYjbNtiYz/Gnw4rwceATIBP4dbhysxvCCH o0TzVEgJQl+zg5Zm1thQtojCeq0EIk+A21w2EDx2TbzwCSpRJHUJHNsdXv/d3P1iMxuE B6lA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=PBjNCh9j; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b="w5/jjUmq"; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y1-20020a1709029b8100b001a19f187e90si13341915plp.331.2023.03.22.09.24.39; Wed, 22 Mar 2023 09:24:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=PBjNCh9j; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b="w5/jjUmq"; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230384AbjCVQVU (ORCPT + 99 others); Wed, 22 Mar 2023 12:21:20 -0400 
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230119AbjCVQVN (ORCPT ); Wed, 22 Mar 2023 12:21:13 -0400 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 763134A1EC; Wed, 22 Mar 2023 09:20:52 -0700 (PDT) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32MCXrjw010873; Wed, 22 Mar 2023 16:20:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=Ze/MX9W79ISbQRcvagT2kA5DQGb9rBzuW2I2narODYQ=; b=PBjNCh9jmaseLh7eTnrE7JTDyv9BZgArgZS78lEv/Rxl4jdMSdmHt58YVW2M8r6hS2v/ v5QOWa/10fdjUKL/chhDgDtrn2Bo10X+F8z7Tk7VEXmnjWHRf2a3j5ZDF/8ygU80lG4L X4061oD9Tz7Wl+76Vb6os4Vq4xLFi9Xg0YH3uRWMIJVZsT7xk2RAlmyEdzJJRkWfirCf MF0fJsbEgwOs5zkoz62ESN+qsGUXO3IABKr40q0JBsSgEjqbR+joIw+nDqEr41OpuYMD EQIhiHw1wGK35RJiWDUB20iB8aY5zt1NlPaXcmH1TVLFWC6rQzZezpR7polXXQl3NwLP WQ== Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3pd5uuhdbp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 22 Mar 2023 16:20:25 +0000 Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 32MGJYBh008375; Wed, 22 Mar 2023 16:20:23 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2170.outbound.protection.outlook.com [104.47.59.170]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3pg53jg0uw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 
verify=OK); Wed, 22 Mar 2023 16:20:23 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fY2Yqt+wv7I0BzLMEXLwWwweLf4piKLKUHdvNb1jd1K9RO9F1FNzZWBXz7UGvdzG8NgteoUIYZKrN9cystz0a9csh126Apg0UZHI1PgBsHkp5kaIurIS/IkeNJ6+ZSyKUTMPIttmUTH5eLvS1g/WdUf6eUJPs5cMeFe7Y9Q77q3cC0aXpSbijDCAjwLLtSFMfF85NpuRrR1QCTVEGUeYaOIFEVv0suzRRUzK8HSnQ29BZh+tZmM8aUyRMNgw+65036XDncluWxuOk4t8PtXJgTjnx8Lc9dClItLJOOJ0I2KipdvNl40oT06NttZTbEhy91SxmKOb0F2j411bgSgHRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Ze/MX9W79ISbQRcvagT2kA5DQGb9rBzuW2I2narODYQ=; b=f70A9gqt/PlcCO5IwhGC+GeH48KKgxYInEicfxLRnMajeAt+QfV18lTa5g4t+zPBqCnSNpV2bR8AAuQ2IQbPaa64nCfevF5LMwk5rHUk3xKyIc6x60la8lvwzcRuCE/SySEf1gfhm0a29OP3YbkzMf8bMm4Qk5AFCSZa0qdZ0dIEcfBy8jR/6JKIC26mDln7mCV42domCSxGFf+ugOK+/NkfEDd+FV645F9nX0/+g9eImc5dve5RyLA15CDyHxizei8g8/oJuVx1JiOOoZ14MiZ6hpCniPKLokRuFO8UlscvfTq8s5wF7s2pitGEh3fDmXPACqcgZ49qNAVX+ovY2w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ze/MX9W79ISbQRcvagT2kA5DQGb9rBzuW2I2narODYQ=; b=w5/jjUmqXXCrDs538XRPEHZEaJkYCHcdS9lzSf3JFxO3HV8NxEnccrDLnE+BnJa1PQEcBqetSK66/czLabtRzPMBXPTbe6mZilxyY7MbAuDyFSJPT7TSDCQfMFjw9K7NeVEhqv7CM42U+lXqdEdERW5tK9YS0XaWDXu+M7GnP4s= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by SJ0PR10MB4670.namprd10.prod.outlook.com (2603:10b6:a03:2dc::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.37; Wed, 22 
Mar 2023 16:20:21 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::a326:1794:402f:1adb]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::a326:1794:402f:1adb%3]) with mapi id 15.20.6178.037; Wed, 22 Mar 2023 16:20:21 +0000 
From: Eric Snowberg To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, jlee@suse.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v6 6/6] integrity: machine keyring CA configuration Date: Wed, 22 Mar 2023 12:16:34 -0400 Message-Id: <20230322161634.2233838-7-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230322161634.2233838-1-eric.snowberg@oracle.com> References: <20230322161634.2233838-1-eric.snowberg@oracle.com> X-ClientProxiedBy: SJ0PR13CA0143.namprd13.prod.outlook.com (2603:10b6:a03:2c6::28) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|SJ0PR10MB4670:EE_ X-MS-Office365-Filtering-Correlation-Id: 2b7bf59d-a60c-4527-c4ec-08db2af15521 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(39860400002)(396003)(136003)(346002)(376002)(366004)(451199018)(83380400001)(36756003)(6486002)(38100700002)(478600001)(6666004)(2906002)(5660300002)(41300700001)(66946007)(316002)(8936002)(4326008)(66556008)(66476007)(7416002)(44832011)(2616005)(6512007)(86362001)(186003)(8676002)(1076003)(6506007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 
X-Mailing-List: linux-kernel@vger.kernel.org

Add machine keyring CA restriction options to control the type of keys that may be added to it. The motivation is separation of certificate signing from code signing keys. Subsequent work will limit certificates being loaded into the IMA keyring to code signing keys used for signature verification.

When no restrictions are selected, all Machine Owner Keys (MOK) are added to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is selected, the CA bit must be true. Also the key usage must contain keyCertSign, any other usage field may be set as well.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must be true. Also the key usage must contain keyCertSign and the digitalSignature usage may not be set.

Signed-off-by: Eric Snowberg Acked-by: Mimi Zohar --- crypto/asymmetric_keys/restrict.c | 3 +++ security/integrity/Kconfig | 23 ++++++++++++++++++++++- security/integrity/digsig.c | 8 ++++++-- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index dd9ced32c8a1..d6cd1dc2bec8 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -144,6 +144,9 @@ int restrict_link_by_ca(struct key *dest_keyring, if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) return -ENOKEY; + if (!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX)) + return 0; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) return -ENOKEY; diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..ec6e0d789da1 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig 
@@ -68,13 +68,34 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Enforce Machine Keyring CA Restrictions" + depends on INTEGRITY_MACHINE_KEYRING + default n + help + The .machine keyring can be configured to enforce CA restriction + on any key added to it. By default no restrictions are in place + and all Machine Owner Keys (MOK) are added to the machine keyring. + If enabled only CA keys are added to the machine keyring, all + other MOK keys load into the platform keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_MAX + bool "Only CA keys without DigitialSignature usage set" + depends on INTEGRITY_CA_MACHINE_KEYRING + default n + help + When selected, only load CA keys are loaded into the machine + keyring that contain the CA bit set along with the keyCertSign + Usage field. Keys containing the digitialSignature Usage field + will not be loaded. The remaining MOK keys are loaded into the + .platform keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f2193c531f4a..6f31ffe23c48 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } 
@@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
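
Review bot: in the crypto/asymmetric_keys/restrict.c hunk, the new early return `if (!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX)) return 0;` makes the generic restrict_link_by_ca() helper depend on an integrity-subsystem Kconfig symbol, and it carries no comment. With the _MAX option off, every caller of restrict_link_by_ca() skips the KEY_EFLAG_DIGITALSIG check below it, not only the machine keyring. Please add a comment above the early return saying that digitalSignature is tolerated unless the _MAX option is set, and consider keeping the policy choice on the integrity side (for example a wrapper next to integrity_init_keyring()) so the helper behaves the same regardless of another subsystem's configuration.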
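
Review bot: in the security/integrity/Kconfig hunk, `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` is dropped from INTEGRITY_MACHINE_KEYRING unconditionally, yet both new options are `default n` and the commit message does not say why the combination is acceptable when no CA restriction is selected. Please justify the removal in the commit message, or tie it to INTEGRITY_CA_MACHINE_KEYRING being enabled. The help text also needs a pass: "DigitialSignature" and "digitialSignature" should read digitalSignature, and "only load CA keys are loaded into the machine keyring" should read "only CA keys are loaded into the machine keyring".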
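
Review bot: in the security/integrity/digsig.c hunks, `restriction->check = restrict_link_by_ca;` is installed for INTEGRITY_KEYRING_MACHINE, but nothing in the visible hunks handles a key that this check rejects with -ENOKEY, while the new Kconfig help states that such keys "load into the platform keyring". Please name in the commit message, or in a comment at this assignment, the code path that performs that fallback, so a reader can confirm that a rejected MOK key ends up in .platform rather than being dropped.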