| Message ID | 20210907160110.2699645-8-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | Enroll kernel keys thru MOK | expand |
Hi Eric, The subject line above is too long. According to Documentation/process/submitting-patches.rst the "the ``summary`` must be no more than 70-75 characters". On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > Introduce a new link restriction that includes the trusted builtin, > secondary and machine keys. The restriction is based on the key to be added > being vouched for by a key in any of these three keyrings. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > v3: Initial version > v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING > v5: Rename to machine keyring > --- > certs/system_keyring.c | 23 +++++++++++++++++++++++ > include/keys/system_keyring.h | 6 ++++++ > 2 files changed, 29 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 08ea542c8096..955bd57815f4 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) > { > machine_trusted_keys = keyring; > } > + > +/** > + * restrict_link_by_builtin_secondary_and_ca_trusted Sorry for the patch churn. With the keyring name change to ".machine", the restriction name should also reflect this change. thanks, Mimi
> On Sep 9, 2021, at 11:26 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > Hi Eric, > > The subject line above is too long. According to > Documentation/process/submitting-patches.rst the "the ``summary`` must > be no more than 70-75 characters". > > On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: >> Introduce a new link restriction that includes the trusted builtin, >> secondary and machine keys. The restriction is based on the key to be added >> being vouched for by a key in any of these three keyrings. >> >> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> --- >> v3: Initial version >> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING >> v5: Rename to machine keyring >> --- >> certs/system_keyring.c | 23 +++++++++++++++++++++++ >> include/keys/system_keyring.h | 6 ++++++ >> 2 files changed, 29 insertions(+) >> >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c >> index 08ea542c8096..955bd57815f4 100644 >> --- a/certs/system_keyring.c >> +++ b/certs/system_keyring.c >> @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) >> { >> machine_trusted_keys = keyring; >> } >> + >> +/** >> + * restrict_link_by_builtin_secondary_and_ca_trusted > > Sorry for the patch churn. With the keyring name change to ".machine", > the restriction name should also reflect this change. Yes, I can change that. Should it be renamed to restrict_link_by_builtin_secondary_and_machine_trusted? That seems a little long though. Thanks.
On Thu, 2021-09-09 at 12:03 -0600, Eric Snowberg wrote: > > On Sep 9, 2021, at 11:26 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > Hi Eric, > > > > The subject line above is too long. According to > > Documentation/process/submitting-patches.rst the "the ``summary`` must > > be no more than 70-75 characters". > > > > On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > >> Introduce a new link restriction that includes the trusted builtin, > >> secondary and machine keys. The restriction is based on the key to be added > >> being vouched for by a key in any of these three keyrings. > >> > >> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > >> --- > >> v3: Initial version > >> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING > >> v5: Rename to machine keyring > >> --- > >> certs/system_keyring.c | 23 +++++++++++++++++++++++ > >> include/keys/system_keyring.h | 6 ++++++ > >> 2 files changed, 29 insertions(+) > >> > >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c > >> index 08ea542c8096..955bd57815f4 100644 > >> --- a/certs/system_keyring.c > >> +++ b/certs/system_keyring.c > >> @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) > >> { > >> machine_trusted_keys = keyring; > >> } > >> + > >> +/** > >> + * restrict_link_by_builtin_secondary_and_ca_trusted > > > > Sorry for the patch churn. With the keyring name change to ".machine", > > the restriction name should also reflect this change. > > Yes, I can change that. Should it be renamed to > restrict_link_by_builtin_secondary_and_machine_trusted? That seems a little > long though. Thanks. The existing name is long too. Not sure it makes much of a difference, but dropping "and" and/or "trusted" might help. Mimi
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 08ea542c8096..955bd57815f4 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; } + +/** + * restrict_link_by_builtin_secondary_and_ca_trusted + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the machine keyrings. + */ +int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (machine_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &machine_trusted_keys->payload) + /* Allow the machine keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 98c9b10cdc17..fe4be10e66ef 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_machine_trusted_keys(struct key *keyring); #else +#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted static inline void __init set_machine_trusted_keys(struct key *keyring) { }
Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v3: Initial version v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING v5: Rename to machine keyring --- certs/system_keyring.c | 23 +++++++++++++++++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 29 insertions(+)