[v6,03/13] KEYS: CA link restriction

Message ID	20210914211416.34096-4-eric.snowberg@oracle.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> From: Eric Snowberg <eric.snowberg@oracle.com> To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v6 03/13] KEYS: CA link restriction Date: Tue, 14 Sep 2021 17:14:06 -0400 Message-Id: <20210914211416.34096-4-eric.snowberg@oracle.com> In-Reply-To: <20210914211416.34096-1-eric.snowberg@oracle.com> References: <20210914211416.34096-1-eric.snowberg@oracle.com> Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	Enroll kernel keys thru MOK \| expand [v6,00/13] Enroll kernel keys thru MOK [v6,01/13] integrity: Introduce a Linux keyring called machine [v6,02/13] integrity: Do not allow machine keyring updates following init [v6,03/13] KEYS: CA link restriction [v6,04/13] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca [v6,05/13] integrity: add new keyring handler for mok keys [v6,06/13] KEYS: Rename get_builtin_and_secondary_restriction [v6,07/13] KEYS: add a reference to machine keyring [v6,08/13] KEYS: Introduce link restriction for machine keys [v6,09/13] KEYS: integrity: change link restriction to trust the machine keyring [v6,10/13] KEYS: link secondary_trusted_keys to machine trusted keys [v6,11/13] integrity: store reference to machine keyring [v6,12/13] integrity: Trust MOK keys if MokListTrustedRT found [v6,13/13] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

Message ID

20210914211416.34096-4-eric.snowberg@oracle.com (mailing list archive)

State

New, archived

Headers

From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
        zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
        herbert@gondor.apana.org.au, davem@davemloft.net,
        jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
        gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
        scott.branden@broadcom.com, weiyongjun1@huawei.com,
        nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
        nramas@linux.microsoft.com, lszubowi@redhat.com,
        linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        James.Bottomley@HansenPartnership.com, pjones@redhat.com,
        konrad.wilk@oracle.com
Subject: [PATCH v6 03/13] KEYS: CA link restriction
Date: Tue, 14 Sep 2021 17:14:06 -0400
Message-Id: <20210914211416.34096-4-eric.snowberg@oracle.com>
In-Reply-To: <20210914211416.34096-1-eric.snowberg@oracle.com>
References: <20210914211416.34096-1-eric.snowberg@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 v2fWhr0U7wQCRHc3nN6Jd/qiTO0v/XoCPYGGhLNcZhYiolEvN6cL4Q7lsEFRYVFimOdgHjn9IwXK490n0HsmouMu8sr/NuWr+JwMsEcTC3CUwHDy5C4oQoOwd+71kcCx7AOlUMQsBwUH19bCQffIOH9TLI6Gn/8vUsGQv48/b4dcAhN27pQpIGFuKegb6YP9LZ5t+J632hUiC5EAY+uXaCQ13Ol7m1VFSXj1w2bZ195Q/FEcDw7e6hqK9ZHjhE6wvsG1RV8ksmu4t591577M3fGdnzK/FV9gYTUj+7L5P5m3VdeEVhnqTHzrZaLfZ6dgG3yqVyDC02u4n2iWrTpYf1KGmCED2b9mvbSb6yG29Fefu6z7VpYhd3k5qA+WnVBRCci7uFLj3dCMib0ms1fKkpp1REAk1YYeoQ7uJU/LxQuEf2jUJgx8ACsf7KtfGH6SHkMG1VrwyE8rI3/ylg7idYvqt3UujHVkQUC92WLp5rbfnIfslE88zSi2a0W9Ez2adiEZtYEZKFrg4qxAHWOkZ68Kecuwj2r/LdcRegb0TqJ6UqbyP6NHt0gUEzmhckISd7g+tOTHwQgcjLhMdV2FmY2i1X4dX0LpHvfWk+xfnNvIEjkY7ICH7NIJ8JeVa/zPhNxwqYoP+uM+U3Eb7GWorJYpL4abUWbbj2SAJFUFlLfFJ2PUrn5IU9L99FshaId0OUtIBEUnQ/pCAVzfjN1G0WxOb3uizhXB59UxARpQuDLi99oDGFm+D6TCkuPUmXmjF4ykSqdmQS42sxi/b/qn5LbKMdhd3fdP9Ws0uXVTOTkGEjStfQYMf3+Fbq3kZZe3VMzgDm45xWdcWxk9dmEzsmU8wFdciuw64P4+mHqylFNL0SAYFQxwoLMuwQrsY/Ie43SEovQyG56/HlDuleD8AzB4/hlC8QOwKRc/k9a9u7J2tCl/yqeLYg2WL3I7M2Ugln0TfSrKqb/5bShAHHagXI4cweGw+CgzQn1ra52LK1jV2XpDa3Z45f3D4tIJnHoj0mZ8o9WkDJfcyg2A1sFGncF6bM4pcXUy5wxXiKil4jeqBzYwiIRBM4mEkTczI7XQ6GEg5htP89pA2KobQjxxrURe+SAmuA24ExiP+iCqY0WWFuN9XjTVgPdk/lkgeNVIluhMBR/rO/1tJjtmkbcDFfQVNHwmnsGmCUjqaDD498NMjCNNfVUBirHuJgpQAT4uhtHy0pNQ8MqexejJ/liFp91MIpSSOSSaIt0SQ0HW2LJlHbwpifwvbC9RbsUIHlxNI2ksUfCm1Zs4mxzkeq4ejI59eVJpimPOB1CGPLD94cDWzqglIuCVAUDoD7pv3w9t
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 bf4ac5e2-c7bc-4158-22aa-08d977c4ac14
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2021 21:14:43.5803
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 giEDYuFllANQT6mdOD5jdi97XRwL8GunSR3z1DBcqPPBmvrgBPPg1IyRcidgP1uQjj1oeOWmR9E5AQTTYLOKMB6d35y+bNtJJW7z805cFyI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB4908
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10107
 signatures=668682
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0
 adultscore=0 phishscore=0
 mlxlogscore=999 suspectscore=0 spamscore=0 bulkscore=0 malwarescore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001
 definitions=main-2109140123
X-Proofpoint-ORIG-GUID: 0_D7h4TWHhAq9_FPTIHAF6Pxs9uf5z7K
X-Proofpoint-GUID: 0_D7h4TWHhAq9_FPTIHAF6Pxs9uf5z7K
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

Series

Enroll kernel keys thru MOK | expand

Commit Message

Eric Snowberg Sept. 14, 2021, 9:14 p.m. UTC

Add a new link restriction.  Restrict the addition of keys in a keyring
based on the key to be added being a CA (self-signed).

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v2: Removed secondary keyring references
v3: Removed restrict_link_by_system_trusted_or_ca
    Simplify restrict_link_by_ca - only see if the key is a CA
    Did not add __init in front of restrict_link_by_ca in case
      restriction could be resued in the future
v6: Unmodified from v3
---
 crypto/asymmetric_keys/restrict.c | 40 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h       |  5 ++++
 2 files changed, 45 insertions(+)

Comments

kernel test robot Sept. 16, 2021, 4:21 a.m. UTC | #1

Hi Eric,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f]

url:    https://github.com/0day-ci/linux/commits/Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
base:   6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f
config: arm-randconfig-c002-20210916 (attached as .config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/f65599b2308bdd9f29cfafd3286622f71aafa0b5
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
        git checkout f65599b2308bdd9f29cfafd3286622f71aafa0b5
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   arm-linux-gnueabi-ld: crypto/asymmetric_keys/restrict.o: in function `restrict_link_by_ca':
>> restrict.c:(.text+0x344): undefined reference to `public_key_verify_signature'

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

kernel test robot Sept. 16, 2021, 5:46 a.m. UTC | #2

Hi Eric,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f]

url:    https://github.com/0day-ci/linux/commits/Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
base:   6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f
config: x86_64-randconfig-c022-20210916 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/f65599b2308bdd9f29cfafd3286622f71aafa0b5
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
        git checkout f65599b2308bdd9f29cfafd3286622f71aafa0b5
        # save the attached .config to linux build tree
        mkdir build_dir
        make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   ld: crypto/asymmetric_keys/restrict.o: in function `restrict_link_by_ca':
>> crypto/asymmetric_keys/restrict.c:148: undefined reference to `public_key_verify_signature'


vim +148 crypto/asymmetric_keys/restrict.c

   110	
   111	/**
   112	 * restrict_link_by_ca - Restrict additions to a ring of CA keys
   113	 * @dest_keyring: Keyring being linked to.
   114	 * @type: The type of key being added.
   115	 * @payload: The payload of the new key.
   116	 * @trusted: Unused.
   117	 *
   118	 * Check if the new certificate is a CA. If it is a CA, then mark the new
   119	 * certificate as being ok to link.
   120	 *
   121	 * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find
   122	 * a matching parent certificate in the trusted list.  -ENOPKG if the signature
   123	 * uses unsupported crypto, or some other error if there is a matching
   124	 * certificate  but the signature check cannot be performed.
   125	 */
   126	int restrict_link_by_ca(struct key *dest_keyring,
   127				const struct key_type *type,
   128				const union key_payload *payload,
   129				struct key *trust_keyring)
   130	{
   131		const struct public_key_signature *sig;
   132		const struct public_key *pkey;
   133	
   134		if (type != &key_type_asymmetric)
   135			return -EOPNOTSUPP;
   136	
   137		sig = payload->data[asym_auth];
   138		if (!sig)
   139			return -ENOPKG;
   140	
   141		if (!sig->auth_ids[0] && !sig->auth_ids[1])
   142			return -ENOKEY;
   143	
   144		pkey = payload->data[asym_crypto];
   145		if (!pkey)
   146			return -ENOPKG;
   147	
 > 148		return public_key_verify_signature(pkey, sig);
   149	}
   150	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Nayna Sept. 16, 2021, 8:05 p.m. UTC | #3

On 9/14/21 5:14 PM, Eric Snowberg wrote:
> Add a new link restriction.  Restrict the addition of keys in a keyring
> based on the key to be added being a CA (self-signed).

A self-signed cert can be a root CA cert or a code-signing cert. The way 
to differentiate a CA cert is by checking BasicConstraints CA:TRUE and 
keyUsage:keyCertSign. Refer to Section Basic Constraints and Key Usage 
in the document - https://datatracker.ietf.org/doc/html/rfc5280.

Thanks & Regards,

      - Nayna

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 84cefe3b3585..9ae43d3f862b 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,46 @@  int restrict_link_by_signature(struct key *dest_keyring,
 	return ret;
 }
 
+/**
+ * restrict_link_by_ca - Restrict additions to a ring of CA keys
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @trusted: Unused.
+ *
+ * Check if the new certificate is a CA. If it is a CA, then mark the new
+ * certificate as being ok to link.
+ *
+ * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find
+ * a matching parent certificate in the trusted list.  -ENOPKG if the signature
+ * uses unsupported crypto, or some other error if there is a matching
+ * certificate  but the signature check cannot be performed.
+ */
+int restrict_link_by_ca(struct key *dest_keyring,
+			const struct key_type *type,
+			const union key_payload *payload,
+			struct key *trust_keyring)
+{
+	const struct public_key_signature *sig;
+	const struct public_key *pkey;
+
+	if (type != &key_type_asymmetric)
+		return -EOPNOTSUPP;
+
+	sig = payload->data[asym_auth];
+	if (!sig)
+		return -ENOPKG;
+
+	if (!sig->auth_ids[0] && !sig->auth_ids[1])
+		return -ENOKEY;
+
+	pkey = payload->data[asym_crypto];
+	if (!pkey)
+		return -ENOPKG;
+
+	return public_key_verify_signature(pkey, sig);
+}
+
 static bool match_either_id(const struct asymmetric_key_ids *pair,
 			    const struct asymmetric_key_id *single)
 {
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index f603325c0c30..3ef299e2b008 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -71,6 +71,11 @@  extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
 						 const union key_payload *payload,
 						 struct key *trusted);
 
+extern int restrict_link_by_ca(struct key *dest_keyring,
+			       const struct key_type *type,
+			       const union key_payload *payload,
+			       struct key *trust_keyring);
+
 extern int query_asymmetric_key(const struct kernel_pkey_params *,
 				struct kernel_pkey_query *);

[v6,03/13] KEYS: CA link restriction

Commit Message

Comments

Patch