From patchwork Mon May 22 23:09:42 2023
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 1/3] KEYS: DigitalSignature link restriction
Date: Mon, 22 May 2023 19:09:42 -0400
Message-Id: <20230522230944.180389-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230522230944.180389-1-eric.snowberg@oracle.com>
References: <20230522230944.180389-1-eric.snowberg@oracle.com>
Add a new link restriction. Restrict the addition of keys in a keyring
based on the key having digitalSignature usage set. Additionally, verify
the new certificate against the ones in the system keyrings.

Add two additional functions to use the new restriction within either the
builtin or secondary keyrings.

Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
---
 certs/system_keyring.c            | 50 +++++++++++++++++++++++++++++++
 crypto/asymmetric_keys/restrict.c | 44 +++++++++++++++++++++++++++
 include/crypto/public_key.h       | 11 +++++++
 include/keys/system_keyring.h     | 11 +++++++
 4 files changed, 116 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a7a49b17ceb1..f059b53d2102 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -51,6 +51,26 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, builtin_trusted_keys); } +/** + * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions by the built-in keyring + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in the built in system keyring. The new key + * must have the digitalSignature usage field set. + */ +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key) +{ + return restrict_link_by_digsig(dest_keyring, type, payload, + builtin_trusted_keys); +} + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring 
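Review bot: the kernel-doc for restrict_link_by_digsig_builtin promises only that the new key "must have the digitalSignature usage field set", but the helper it delegates to, restrict_link_by_digsig in the crypto/asymmetric_keys/restrict.c hunk, also rejects certificates carrying the CA or keyCertSign flags, so this restriction admits only end-entity signing certificates; state that here, since this is the comment callers of the builtin variant will read. Minor: "a key in the built in system keyring" should read "built-in" to match the summary line.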
@@ -83,6 +103,36 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +/** + * restrict_link_by_digsig_builtin_and_secondary - Restrict by digitalSignature. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in or the secondary system + * keyrings. The new key must have the digitalSignature usage field set. + */ +int restrict_link_by_digsig_builtin_and_secondary( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + /* If we have a secondary trusted keyring, then that contains a link + * through to the builtin keyring and the search will follow that link. + */ + if (type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &builtin_trusted_keys->payload) + /* Allow the builtin keyring to be added to the secondary */ + return 0; + + return restrict_link_by_digsig(dest_keyring, type, payload, + secondary_trusted_keys); +} + /* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 276bdb627498..6b69ea40da23 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c 
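Review bot: the last parameter is named restrict_key in this function and its kernel-doc, but restriction_key in restrict_link_by_digsig_builtin, in the existing restrict_link_by_builtin_and_secondary_trusted, and in the include/keys/system_keyring.h prototype; use restriction_key throughout. On the logic: the early return that lets the builtin keyring be linked into the secondary keyring is the same exemption the trusted variant makes, and because restrict_link_by_digsig returns -EOPNOTSUPP for any type other than key_type_asymmetric, no other keyring can be linked through this restriction; that is the intended tightening, but a one-line comment saying so would save the next reader the trace.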
@@ -148,6 +148,50 @@ int restrict_link_by_ca(struct key *dest_keyring, return 0; } +/** + * restrict_link_by_digsig - Restrict additions to a ring of digsig keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: A ring of keys that can be used to vouch for the new cert. + * + * Check if the new certificate has digitalSignature usage set. If it is, + * then mark the new certificate as being ok to link. Afterwards verify + * the new certificate against the ones in the trust_keyring. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a digsig. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + + if (!pkey) + return -ENOPKG; + + if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + + if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + + return restrict_link_by_signature(dest_keyring, type, payload, + trust_keyring); +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 653992a6e941..8eb5eff059f3 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
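Review bot: the kernel-doc and the code of restrict_link_by_digsig disagree in two places. The description says a certificate with digitalSignature is marked "as being ok to link" and then verified, but nothing is marked; the function only gates on key_eflags and then defers to restrict_link_by_signature. The "Returns" text lists -ENOKEY only for a certificate that "is not a digsig", while the code also returns -ENOKEY when KEY_EFLAG_CA or KEY_EFLAG_KEYCERTSIGN is set, so CA and certificate-signing certificates are refused even when they carry digitalSignature; document both cases, and consider whether the CA rejection deserves a distinct error so an operator can tell "missing usage" from "wrong kind of key". Also worth one sentence: the decision rests entirely on the eflags recorded when the certificate was parsed, so a certificate with no keyUsage extension at all has no KEY_EFLAG_DIGITALSIG and is rejected with -ENOKEY.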
@@ -80,6 +80,10 @@ extern int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *trust_keyring); +int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); #else static inline int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, @@ -88,6 +92,13 @@ static inline int restrict_link_by_ca(struct key *dest_keyring, { return 0; } +static inline int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} #endif extern int query_asymmetric_key(const struct kernel_pkey_params *, diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..38f63f1c2cbe 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_digsig_builtin restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { 
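Review bot: style, in both header hunks: the new prototypes are written as plain `int restrict_link_by_digsig(...)` and `int restrict_link_by_digsig_builtin(...)` while the neighbouring declarations (`extern int restrict_link_by_ca`, `extern int restrict_link_by_builtin_trusted`) carry `extern`; match the surrounding style. Note also that the two fallbacks differ in posture: the public_key.h stub returns 0 (permit), mirroring the existing restrict_link_by_ca stub, whereas system_keyring.h maps the builtin variant to restrict_link_reject. Each follows the pattern already in its header, but a permissive stub on a function named as a restriction is worth a comment confirming it is unreachable for any key that could actually be offered for linking in that configuration.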
@@ -41,8 +46,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_digsig_builtin_and_secondary( + struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
From patchwork Mon May 22 23:09:43 2023
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 2/3] integrity: Enforce digitalSignature usage in the ima and evm keyrings
Date: Mon, 22 May 2023 19:09:43 -0400
Message-Id: <20230522230944.180389-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20230522230944.180389-1-eric.snowberg@oracle.com>
References: <20230522230944.180389-1-eric.snowberg@oracle.com>
After being vouched for by a system keyring, only allow keys into the
.ima and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
Suggested-by: Mimi Zohar
Signed-off-by: Eric Snowberg
Acked-by: Mimi Zohar
---
 security/integrity/digsig.c    | 4 ++--
 security/integrity/evm/Kconfig | 3 ++-
 security/integrity/ima/Kconfig | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f31ffe23c48..d0704b1597d4 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin #endif static struct key *integrity_keyring_from_id(const unsigned int id) diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index a6e19d23e700..fba9ee359bc9 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig @@ -64,7 +64,8 @@ config EVM_LOAD_X509 This option enables X509 certificate loading from the kernel onto the '.evm' trusted keyring. A public key can be used to - verify EVM integrity starting from the 'init' process. + verify EVM integrity starting from the 'init' process. The + key must have digitalSignature usage set. config EVM_X509_PATH string "EVM X509 certificate path" diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..684425936c53 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig
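Review bot: the digsig.c hunk switches restrict_link_to_ima to the digsig variants in both branches, so the digitalSignature requirement now applies regardless of CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. Two points belong in the commit message or the Kconfig help rather than being left implicit: a certificate that does not carry digitalSignature (including one with no keyUsage extension) will now fail to load into the .ima and .evm keyrings with -ENOKEY, which is a visible behaviour change for existing signing keys; and because restrict_link_by_digsig also rejects certificates flagged CA or keyCertSign, the new help text "The key must have digitalSignature usage set" understates the rule, so say that CA certificates are refused from these keyrings as well.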
@@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help Keys may be added to the IMA or IMA blacklist keyrings, if the key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + secondary trusted keyrings. The key must also have the digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring,
From patchwork Mon May 22 23:09:44 2023
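Review bot: in the digsig.c hunk both branches of the #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY now route restrict_link_to_ima through a digsig-enforcing restriction (restrict_link_by_digsig_builtin_and_secondary in the #ifdef branch, restrict_link_by_digsig_builtin in the #else branch), so the digitalSignature requirement applies whether or not the secondary keyring option is selected, yet the Kconfig hunks in this patch document the new requirement only under IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY and EVM_LOAD_X509. Please document the built-in-only path as well, and confirm that both restriction functions are declared for every configuration in which the #else branch is compiled, otherwise the build fails when the secondary keyring is disabled.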
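Review bot: the help-text additions ("The key must have digitalSignature usage set." in the EVM_LOAD_X509 hunk, "The key must also have the digitalSignature usage set." in the IMA hunk) state the requirement but not its consequence; because the restriction is enforced when the key is linked into the keyring, a certificate that lacks the digitalSignature keyUsage bit is rejected at load time, and for EVM_LOAD_X509 that means the certificate at EVM_X509_PATH is never loaded at boot. Saying so gives administrators a concrete check to run on their certificates before upgrading. The IMA help also speaks of "the IMA or IMA blacklist keyrings" while the commit message names the .ima and .evm keyrings; align the wording so it is clear which keyrings the digsig restriction covers.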
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, jlee@suse.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 3/3] integrity: Remove EXPERIMENTAL from Kconfig
Date: Mon, 22 May 2023 19:09:44 -0400
Message-Id: <20230522230944.180389-4-eric.snowberg@oracle.com>
In-Reply-To: <20230522230944.180389-1-eric.snowberg@oracle.com>
References: <20230522230944.180389-1-eric.snowberg@oracle.com>
Remove the EXPERIMENTAL from the IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig now that digitalSignature usage enforcement is set.

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Reviewed-by: Mimi Zohar
--- security/integrity/ima/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 684425936c53..225c92052a4d 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -261,7 +261,7 @@ config IMA_TRUSTED_KEYRING This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" + bool "Permit keys validly signed by a built-in or secondary CA cert" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS
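Review bot: dropping "(EXPERIMENTAL)" from the bool prompt is only justified once the digitalSignature restriction from the preceding patch is in place, so this hunk must not be applied or backported on its own; the commit message ("now that digitalSignature usage enforcement is set") implies the dependency but does not name it. Consider stating the dependency explicitly in the commit message. Since the option's behaviour also changes for existing users (a CA-signed key that lacks the digitalSignature usage bit now fails to link), the help text, rather than the prompt, is the right place to say so, so that someone whose key stops loading after an upgrade can find the reason.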