| Message ID | 20230522230944.180389-3-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Add digitalSignature enforcement keyring restrictions | expand |
On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote: > After being vouched for by a system keyring, only allow keys into the .ima > and .evm keyrings that have the digitalSignature usage field set. > > Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Acked-by: Mimi Zohar <zohar@linux.ibm.com> Jarrko, similarly please update the above tag to Acked-and-test-by.
On Wed May 24, 2023 at 1:01 AM EEST, Mimi Zohar wrote: > On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote: > > After being vouched for by a system keyring, only allow keys into the .ima > > and .evm keyrings that have the digitalSignature usage field set. > > > > Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > > Jarrko, similarly please update the above tag to Acked-and-test-by. OK, cool, I'll pick this series, thanks. BR, Jarkko
On Wed May 24, 2023 at 4:22 AM EEST, Jarkko Sakkinen wrote: > On Wed May 24, 2023 at 1:01 AM EEST, Mimi Zohar wrote: > > On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote: > > > After being vouched for by a system keyring, only allow keys into the .ima > > > and .evm keyrings that have the digitalSignature usage field set. > > > > > > Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com > > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Jarrko, similarly please update the above tag to Acked-and-test-by. > > OK, cool, I'll pick this series, thanks. Please check https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git BR, Jarkko
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f31ffe23c48..d0704b1597d4 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary #else -#define restrict_link_to_ima restrict_link_by_builtin_trusted +#define restrict_link_to_ima restrict_link_by_digsig_builtin #endif static struct key *integrity_keyring_from_id(const unsigned int id) diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index a6e19d23e700..fba9ee359bc9 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig @@ -64,7 +64,8 @@ config EVM_LOAD_X509 This option enables X509 certificate loading from the kernel onto the '.evm' trusted keyring. A public key can be used to - verify EVM integrity starting from the 'init' process. + verify EVM integrity starting from the 'init' process. The + key must have digitalSignature usage set. config EVM_X509_PATH string "EVM X509 certificate path" diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..684425936c53 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help Keys may be added to the IMA or IMA blacklist keyrings, if the key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + secondary trusted keyrings. The key must also have the + digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring,