[v9,5/8] KEYS: Introduce link restriction for machine keys

Message ID	20220105235012.2497118-6-eric.snowberg@oracle.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Eric Snowberg <eric.snowberg@oracle.com> To: dhowells@redhat.com, dwmw2@infradead.org, ardb@kernel.org, jarkko@kernel.org Cc: jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, nayna@linux.ibm.com, zohar@linux.ibm.com, keescook@chromium.org, torvalds@linux-foundation.org, weiyongjun1@huawei.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys Date: Wed, 5 Jan 2022 18:50:09 -0500 Message-Id: <20220105235012.2497118-6-eric.snowberg@oracle.com> In-Reply-To: <20220105235012.2497118-1-eric.snowberg@oracle.com> References: <20220105235012.2497118-1-eric.snowberg@oracle.com> Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	Enroll kernel keys thru MOK \| expand [v9,0/8] Enroll kernel keys thru MOK [v9,1/8] integrity: Fix warning about missing prototypes [v9,2/8] integrity: Introduce a Linux keyring called machine [v9,3/8] integrity: add new keyring handler for mok keys [v9,4/8] KEYS: store reference to machine keyring [v9,5/8] KEYS: Introduce link restriction for machine keys [v9,6/8] efi/mokvar: move up init order [v9,7/8] integrity: Trust MOK keys if MokListTrustedRT found [v9,8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

Message ID

20220105235012.2497118-6-eric.snowberg@oracle.com (mailing list archive)

State

New, archived

Headers

From: Eric Snowberg <eric.snowberg@oracle.com>
To: dhowells@redhat.com, dwmw2@infradead.org, ardb@kernel.org,
        jarkko@kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com,
        nayna@linux.ibm.com, zohar@linux.ibm.com, keescook@chromium.org,
        torvalds@linux-foundation.org, weiyongjun1@huawei.com,
        keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
        James.Bottomley@HansenPartnership.com, pjones@redhat.com,
        konrad.wilk@oracle.com
Subject: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys
Date: Wed,  5 Jan 2022 18:50:09 -0500
Message-Id: <20220105235012.2497118-6-eric.snowberg@oracle.com>
In-Reply-To: <20220105235012.2497118-1-eric.snowberg@oracle.com>
References: <20220105235012.2497118-1-eric.snowberg@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 AwtpY4MBn8bv9pmo8/TBCCA1LN/0mn1IquKAdXYJGykJPSrTw1sa1pW7fCQ/6slt/e4gPEtyc8pym2+hxHT5QDgczS0lJNRKB8CRH9rLQVq8gEX5ehACgGOxJ126DtykFBNEwr/041TqtpeZzJjY+1Ugr9lmYQqVbEMnPlJ5mTtsiZLd874TAWAqhX1KJLDEaZJq7CsKZX8PZc51KVQRHwfkhRuZ9Y9snzQ90PI0VmYO9Xiatvw8dWh0UTmXA6rlegCckjdZJ7smuvAhj7lVkI+n+HgAQP70krujmMmtHeyXxTl4yJ6h6uOtcoLu25oBthYCDqVSLHUU1w5AZq4LlFHQceTnk/KfFfzj/cG4Q3ZPLxzEj2tsxobRafp2M47bgtm4HxmpWoVCKYNBuD6O2OHdU0MJA3lxbQxnf027E6S86NBWQge0QC1MYUmBcPnEWJORJ/1vZfhiln39bPyycsyY97+OwviDHwRfVW3M6CpY+dJczlLUxRbl1IVx0UYawUKxr8Tmf3D2wCjERg11s2ac1Gen3thIz6873jOY/uM4X3pF8Eg/TB45Um+9SZbSZaY6BlM5XHLpmvf7iYgO6KUXajDdKs7PkfDzu1t5akTbN9EwpWkky+c779diReAne1FYkARps6ZDBcY5yZ3rihkJqbcCizAJp77ligiQ/btjqegfkSTk2ghJz42j/x1k78a89/Rfa2/bXVePG2cMK2psKYpEqROpikBGo2Hac3thPwVFMkMzO6naDnODsAXos9+d4ORm0oRMwhElvQ3aTk2+EMM7Dwz/ri+xnnGrDXlp6PKKrlzMneSftwP+hxx0D2oEu4ZNxriJMu0E2Lj43IFr4g+e+JAdZwX8bBrMS2L553ZcoOr4HzCqomHkKgGxYZq3zrh9rpDeWiMTanEFDsAle4W88SDT5uunfvqk3dc6th2syJtoWisixIXN+O+Xmu5CcGy+r3SHpqqQscm7sLy6a3fVx/zpOnqXTfPunhISb7tBVJhzY89Ikmzr5ojJC2eRfbOxjaQ+nZMBcDAabn2aRUtGiBnf/sH64uhjivpa+Udw+ML3kZzJJIr6In73qAgV2E1icT9MFno2HYfE8ntdHgdk2BrsK09NKijiLfG9EIsc3si/xKkbmEN+Ba8J1sEOYNtEsUxsIc3g7ipyXJmfHVAsGz4EN1hB6zKwdVKkb35xYQqd4oL08gTK8gtt0DSHfmsKB3YND9m3GB6ToeMSByX0QBKYq5oTNPZagGPhWHEkKxmf5vdeqeNf4DMEPK1l0e4W1KXAGMmtHwg8JRBv67ZK1fubqtdgyjUpRmUTdyZf471ZTbRtLkcAGZaMCDa6CCWAMMzpNQUYbte+bmZnzloJaIYguFaoT4DsPimcCRl2lfOdtLTgjaZo7WhoWQ9InlBB0IQoNTDjs8chQEv125eiw5qgdd0qVWvzWDxq/QI1qC8uk5yaTeP/a/MbljJFeFvEqjClmEfUKRjzJ532VIlZBNcE4joUCS+Luk4TBDIqTyy1trFYmh/OUzDcu06B8IysIcISlXODH5gHhdmG+lUQf6+28CX2RFg2uBcVCUJ/JfysWG59zP9pD0rSTh0FEY8fSOHZdkiqWmEAKr7MwYNXOMeLaSQ6MoNu+IFThXurHwCTPS0pOTjPaYhz+vMCHmurBgHr+G5i+0p3mg==
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 3598c9ef-39b0-4400-ca4a-08d9d0a62df0
X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2022 23:50:40.4958
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 /qKPWKbUhOF/jB+zakLjoFFvv0xhCcE0cVmEyBqnhm5pQlxLuUfkNtCvs8qmZzsHJStLQJf4cvoMRvdHAwoEFPvDDXrztmqnAWu6AnSFDLY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5034
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10218
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 adultscore=0 suspectscore=0
 bulkscore=0 mlxlogscore=667 phishscore=0 mlxscore=0 malwarescore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2112160000
 definitions=main-2201050150
X-Proofpoint-GUID: NenaduIauftrxUhIkcc7vDJZrDTate5i
X-Proofpoint-ORIG-GUID: NenaduIauftrxUhIkcc7vDJZrDTate5i
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>

Series

Enroll kernel keys thru MOK | expand

Commit Message

Eric Snowberg Jan. 5, 2022, 11:50 p.m. UTC

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys.  If not, the
machine keyring will always be empty.  Update the restriction check to
allow the secondary trusted keyring and ima keyring to also trust
machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v3: Initial version
v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING
v5: Rename to machine keyring
v6: Change subject name (suggested by Mimi)
    Rename restrict_link_by_builtin_secondary_and_ca_trusted
      to restrict_link_by_builtin_secondary_and_machine (suggested by
      Mimi)
v7: Unmodified from v6
v8: Add missing parameter definitions (suggested by Mimi)
v9: Combine with "change link restriction to trust the machine keyring"
      patch
---
 certs/system_keyring.c        | 35 ++++++++++++++++++++++++++++++++++-
 include/keys/system_keyring.h |  6 ++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen Jan. 8, 2022, 10:25 p.m. UTC | #1

On Wed, Jan 05, 2022 at 06:50:09PM -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
> 
> With the introduction of the machine keyring, the end-user may choose to
> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
> trust them, the .machine keyring will contain these keys.  If not, the
> machine keyring will always be empty.  Update the restriction check to
> allow the secondary trusted keyring and ima keyring to also trust
> machine keys.
> 
> Allow the .machine keyring to be linked to the secondary_trusted_keys.
> After the link is created, keys contained in the .machine keyring will
> automatically be searched when searching secondary_trusted_keys.
> 
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
> v3: Initial version
> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING
> v5: Rename to machine keyring
> v6: Change subject name (suggested by Mimi)
>     Rename restrict_link_by_builtin_secondary_and_ca_trusted
>       to restrict_link_by_builtin_secondary_and_machine (suggested by
>       Mimi)
> v7: Unmodified from v6
> v8: Add missing parameter definitions (suggested by Mimi)
> v9: Combine with "change link restriction to trust the machine keyring"
>       patch
> ---
>  certs/system_keyring.c        | 35 ++++++++++++++++++++++++++++++++++-
>  include/keys/system_keyring.h |  6 ++++++
>  2 files changed, 40 insertions(+), 1 deletion(-)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 08ea542c8096..05b66ce9d1c9 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
>  	if (!restriction)
>  		panic("Can't allocate secondary trusted keyring restriction\n");
>  
> -	restriction->check = restrict_link_by_builtin_and_secondary_trusted;
> +	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> +		restriction->check = restrict_link_by_builtin_secondary_and_machine;
> +	else
> +		restriction->check = restrict_link_by_builtin_and_secondary_trusted;
>  
>  	return restriction;
>  }
> @@ -98,6 +101,36 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
>  void __init set_machine_trusted_keys(struct key *keyring)
>  {
>  	machine_trusted_keys = keyring;
> +
> +	if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
> +		panic("Can't link (machine) trusted keyrings\n");
> +}
> +
> +/**
> + * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
> + * @dest_keyring: Keyring being linked to.
> + * @type: The type of key being added.
> + * @payload: The payload of the new key.
> + * @restrict_key: A ring of keys that can be used to vouch for the new cert.
> + *
> + * Restrict the addition of keys into a keyring based on the key-to-be-added
> + * being vouched for by a key in either the built-in, the secondary, or
> + * the machine keyrings.
> + */
> +int restrict_link_by_builtin_secondary_and_machine(
> +	struct key *dest_keyring,
> +	const struct key_type *type,
> +	const union key_payload *payload,
> +	struct key *restrict_key)
> +{
> +	if (machine_trusted_keys && type == &key_type_keyring &&
> +	    dest_keyring == secondary_trusted_keys &&
> +	    payload == &machine_trusted_keys->payload)
> +		/* Allow the machine keyring to be added to the secondary */
> +		return 0;
> +
> +	return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
> +							      payload, restrict_key);
>  }
>  #endif
>  
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 98c9b10cdc17..2419a735420f 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
>  #endif
>  
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> +extern int restrict_link_by_builtin_secondary_and_machine(
> +	struct key *dest_keyring,
> +	const struct key_type *type,
> +	const union key_payload *payload,
> +	struct key *restrict_key);
>  extern void __init set_machine_trusted_keys(struct key *keyring);
>  #else
> +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
>  static inline void __init set_machine_trusted_keys(struct key *keyring)
>  {
>  }
> -- 
> 2.18.4
> 

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

/Jarkko

Mimi Zohar Jan. 9, 2022, 10:42 p.m. UTC | #2

On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
> 
> With the introduction of the machine keyring, the end-user may choose to
> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
> trust them, the .machine keyring will contain these keys.  If not, the
> machine keyring will always be empty.  Update the restriction check to
> allow the secondary trusted keyring and ima keyring to also trust
> machine keys.

As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a
Linux keyring called machine" only loads the platform keys onto the
.machine keyring, when
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled.  The
last sentence needs to be updated to reflect v9.

thanks,

Mimi

Eric Snowberg Jan. 10, 2022, 11:36 p.m. UTC | #3

> On Jan 9, 2022, at 3:42 PM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> 
> On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
>> Introduce a new link restriction that includes the trusted builtin,
>> secondary and machine keys. The restriction is based on the key to be
>> added being vouched for by a key in any of these three keyrings.
>> 
>> With the introduction of the machine keyring, the end-user may choose to
>> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
>> trust them, the .machine keyring will contain these keys.  If not, the
>> machine keyring will always be empty.  Update the restriction check to
>> allow the secondary trusted keyring and ima keyring to also trust
>> machine keys.
> 
> As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a
> Linux keyring called machine" only loads the platform keys onto the
> .machine keyring, when
> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled.  The
> last sentence needs to be updated to reflect v9.

I missed that when I dropped IMA support.  I will remove the ima reference in the next
round.  Thanks.

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 08ea542c8096..05b66ce9d1c9 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -89,7 +89,10 @@  static __init struct key_restriction *get_builtin_and_secondary_restriction(void
 	if (!restriction)
 		panic("Can't allocate secondary trusted keyring restriction\n");
 
-	restriction->check = restrict_link_by_builtin_and_secondary_trusted;
+	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+		restriction->check = restrict_link_by_builtin_secondary_and_machine;
+	else
+		restriction->check = restrict_link_by_builtin_and_secondary_trusted;
 
 	return restriction;
 }
@@ -98,6 +101,36 @@  static __init struct key_restriction *get_builtin_and_secondary_restriction(void
 void __init set_machine_trusted_keys(struct key *keyring)
 {
 	machine_trusted_keys = keyring;
+
+	if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
+		panic("Can't link (machine) trusted keyrings\n");
+}
+
+/**
+ * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @restrict_key: A ring of keys that can be used to vouch for the new cert.
+ *
+ * Restrict the addition of keys into a keyring based on the key-to-be-added
+ * being vouched for by a key in either the built-in, the secondary, or
+ * the machine keyrings.
+ */
+int restrict_link_by_builtin_secondary_and_machine(
+	struct key *dest_keyring,
+	const struct key_type *type,
+	const union key_payload *payload,
+	struct key *restrict_key)
+{
+	if (machine_trusted_keys && type == &key_type_keyring &&
+	    dest_keyring == secondary_trusted_keys &&
+	    payload == &machine_trusted_keys->payload)
+		/* Allow the machine keyring to be added to the secondary */
+		return 0;
+
+	return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
+							      payload, restrict_key);
 }
 #endif
 
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 98c9b10cdc17..2419a735420f 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -39,8 +39,14 @@  extern int restrict_link_by_builtin_and_secondary_trusted(
 #endif
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
+extern int restrict_link_by_builtin_secondary_and_machine(
+	struct key *dest_keyring,
+	const struct key_type *type,
+	const union key_payload *payload,
+	struct key *restrict_key);
 extern void __init set_machine_trusted_keys(struct key *keyring);
 #else
+#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
 static inline void __init set_machine_trusted_keys(struct key *keyring)
 {
 }

[v9,5/8] KEYS: Introduce link restriction for machine keys

Commit Message

Comments

Patch